The Human Firewall: Why the Humans Might Be the Answer
Half the problem with protecting your enterprise from every hacker, phisher, visher and botnet herder is the helpful part of human nature, that wants to be…helpful. We’ve known for a very long time that the vast majority of successful cyber-attacks rely on this helpfulness to achieve their goal. We know that social engineering plays a significant role in these attacks, from the most complex right down to the most ‘mundane’ phishing email; and our attackers know this too.
I sense that enterprise cyber security has reached a turning point that will solve this problem.
For years, we’ve been talking about the de-perimeterization of the network, as end users and cloud services make the corporate firewall less relevant. CIOs and IT Managers I’ve spoken to have long been trying to shoe-horn their existing cyber-security into this new model, but have been losing the battle. The ubiquitous nature of connectivity and mobile computing was not so much the straw for this poor camel, but the entire haystack.
So, this is where I sense a pivot occurring, in the way we think about enterprise cyber-security; one that leaves those legacy ideas on the LAN and introduces a more task-orientated set of security rules. Rules that consider how the humans’ use our enterprise services and how those same humans are exploited. And importantly, rules that change the game in our favor, as opposed to the business-as-usual cyber security arms race we suffer under.
Of course, security professionals have been asking for more training for their human users since the dawn of the ILOVEYOU virus, but sadly this has always been low on the priority list for the budget controllers in businesses.
Security and IT professionals also know there is no single technology solution that will protect humans either. Sadly, until very recently, that’s about as far as the conversation went. Enough budget would be allocated for ‘reasonably regular’ (i.e. every six months, if you’re lucky) security training – and we’d all cross our fingers that no one would do anything stupid.
But they did, and they still do. Humans click links, especially in emails, and there’s no way of stopping them from doing that. So we’ve begun to learn that a new approach is needed here. An approach that is the foundation to the wider pivot I mentioned above. If technology can’t completely help us, and in isolation security training isn’t effective anymore—maybe the answer is in the last place we would have looked a few years ago? In the humans.
It’s after all our users who have become the front line for attackers looking to gain access to your network and we know this is because the humans are easier to hack than the code they write. So instead of constantly hardening our code and infrastructure why don’t we start to harden our humans?
Invoke a Human Firewall to help protect our businesses and de-fang the threats that target them. We know that our routine security training doesn’t work and we know our technology is less effective—so why not use the technology to help train users in a more real-time manner, or at the point of click in an email. Subtly warn them they might be able to experience something malicious, and block them if it does turn out to be a watering-hole or drive-by attack. But help them understand the risks, educate them constantly and in new and exciting ways, not once or twice a year in traditional training session.
It’s only when you start to get humans thinking for a fraction of a second longer than normal before performing a task, running an attachment or clicking a link, have you started to drive a behavior change in them. It’s this behavior change that we need to encourage, one that makes them a tiny bit suspicious of those emails that look ever so slightly odd, one that means they’re more aware than we could have ever hope for.
This behavior change is what invokes your human firewall, it’s the only way you’ll protect your humans from themselves, and it’s the only way we might be able to solve our cyber-security woes.