When it comes to enterprises finding innovative ways to neutralize widespread email-based attacks, I’ve made the case before that it's employees – the same “weak links” who unknowingly click on malicious email URLs and attachments – who could actually be the strongest allies of IT managers in fighting back against these threats.
There’s one caveat, though. The “human firewall” will not be as successful if employees are merely aware that email-based threats exist. Attackers count on employees who either don't care about cybersecurity or don't know enough to ward off threats, which is why spear-phishing and social engineering attacks continue to be so effective.
To explore the problem further, last week I hosted a webinar, "The Human Firewall: Strengthening Email Security," where I was joined by Mimecast Product Manager Steve Malone and Forrester Research Analyst Nick Hayes.
Here are three takeaways from the webinar:
1. Shore Up Your First Line of Defense
Picture your cybersecurity infrastructure. At the core is all the sensitive data you're trying to protect. The first line of defense should be your cybersecurity technology. This is critical. Technology is not a security guarantee, but if you have the right controls in place, like Targeted Threat Protection, then fewer threats will actually break through.
This is important because your next line of defense comprises your employees – the “human firewall.” If your technology is working correctly, employees won’t be overwhelmed by a wave of continuous threats; they'll be less likely to fall victim to the few that may enter your infrastructure.
2. Appeal to Employees' Ability and Motivation
So, what happens when a threat actually does reach your “human firewall”? Are your employees properly trained to recognize and react to it? Whether they catch it depends on how they were trained, not just on whether they were trained.
To illustrate how to educate employees, Nick gave the hypothetical example of a mobile phone ringing and explained there were two reasons why someone wouldn't answer it – either they didn't have the ability to do so (too busy) or didn't have the motivation (just didn't feel like talking).
Applying the example to cybersecurity training, "ability" refers to whether employees have learned how to recognize and respond to threats, while "motivation" refers to whether they understand the consequences of whatever action they take, right or wrong.
The best training stresses both, and does so in compelling language that employees will remember.
3. Link Desired Behaviors to Necessary Knowledge
Once employees understand the threats they face, the next step is to teach them new behaviors. To get there, employees need context. You first have to identify the current behaviors that put your organization at risk, for example clicking on malicious links or attachments.
Once those behaviors are clear, determine the desired alternatives. So, instead of clicking on a suspicious link, you'd want your employees to recognize the link or attachment as potentially malicious and flag it to the IT department. Working backwards from that point tells you exactly what knowledge about email-based threats you need to impart to your employees.
The Writing is on the Firewall
While it may seem farfetched that IT departments can build a savvy, well-trained army of cyber defenders from the same employees who previously snuck shadow IT into the workplace and jeopardized enterprise security, the process works. We've seen the technology and the “human firewall” go hand-in-hand to protect organizations that were previously vulnerable. And it can work for your company too.
To learn more, please play our on-demand webinar, "The Human Firewall: Strengthening Email Security."