28th July 2016
IBM says that 95% of all cyber attacks it experiences are due to human error. Still think your once-a-year staff training workshops are adequate to create the human firewall you need?
As workforces become increasingly mobile and the Internet of Things grows along with our device usage, corporate networks have never been more open to cyber threats.
Throwing technological protection at the problem is only going to solve a part of it. The key to creating a defended infrastructure is training the people who use it every day how to use it safely.
Creating a good IT security policy is a two-part exercise: your internal processes and procedures should be set correctly, and your staff should be trained to spot and deal with intrusions.
Cyber attacks are evolving every day. The kind of attacks we’re most used to, where credit card details are made public or websites vandalised, are the least of our worries.
The most dangerous threats today are silent and invisible. They can hijack an organisation or destroy it completely using custom code that has no known signature.
These attacks only need to find a tiny chink in your cyber defences to cross into the network. They might only be active for a few milliseconds each year but when commanded to spring to life, the results can be devastating.
Keeping your anti-virus software patched and up to date is always going to be important. But malicious code is written and controlled by people and can be recognised and stopped by people too.
Humans: the weakest and strongest links on both sides of cyber security
Topping IBM’s cyber trends of 2015 was the work of amateur hackers exposing deeper infections by highly organised criminals.
Known as ‘script kiddies’, inexperienced mischief-makers are unwittingly alerting companies to sophisticated malware hidden on the network by criminal groups.
These ‘onion-layered’ incidents are often discovered when script kiddies leave clues, such as unusual folders in a temporary directory. When these obvious anomalies are investigated, far more complex infections are then found.
This is good news for any security policy: train your staff to identify what is and what is not supposed to be on corporate networks and a simple observation could save you from a major data breach.
On the flip side, understanding the human weaknesses inherent in any business and addressing them takes ongoing effort, because any technology is only as secure as the person who uses it every day.
Ransomware events are increasing and, of particular concern, it takes a multitude of security and procedural breakdowns for any ransomware attack to succeed.
Common breakdowns include poor user awareness, inadequate patching procedures and holes in data back-up: all activities that rely on humans for successful delivery.
Why your human firewall must encircle the entire business
The IBM trends report revealed that organisations are recognising the importance of a company-wide security policy. From the CEO right down to a junior intern, anyone using the corporate network must follow the same security protocol.
Investing in new cyber defence technology alone is not enough. It only takes one person to shortcut security procedures and a hacker has gained access before you know it.
Cyber security attacks are inevitable now. Preventative best practice is critical in the fight against cyber crime and forms the bedrock of new European data protection laws, coming into force in 2018.
Protecting your networks is soon to be a regulated requirement, with failure to do so adequately leading to hefty financial penalties. All companies that handle or store data through which individuals can be identified will be liable and should be looking ahead to the deadline already.
How your staff access, maintain and use your networks is central to devising a solid cyber security policy. Once you’ve agreed your secure processes, they must be shared across the entire business for consistency.
Mobile devices are increasingly important business assets that enable an increasingly mobile workforce. They also provide more potential access points for hackers to infect your networks.
Creating a human firewall that protects your entire business means considering the true extent of your networks. That no longer simply means your office, data centre and company laptops. It also includes all mobile phones and tablets used by your staff.
If people are allowed to use their devices to access both corporate networks and their home or other networks as well, it’s even more important that they follow corporate security procedures to access your networks remotely.
Ignite your human firewall with back-to-basics security policies
The most valuable assets in your business are your people and the key to an effective human firewall is treating those people with respect.
They are not merely an addition to your defence technology; they are the key to making sure your cyber defences work.
1. Create a security education and awareness programme
Any great defender must be armed. In the case of a human firewall the weapons are forged from knowledge.
If you want your staff to protect your business, they need to know what secure behaviour really is, what a breach could mean for your business and consequently their job, how to spot malicious activity and what to do if they find it.
Be generous in the information you share and emphasise the importance of good IT security, whether on their own personal network or the corporate network. The more second-nature good security practices become, the more effective your human firewall will be.
2. Take a long, hard look at your password protocol
The only way your workforce should be able to access your networks or accounts is through a multi-step verification process that includes a password.
Yet, while passwords can be a highly effective barrier to entry, poor practices surrounding their generation and usage are undermining security efforts.
- What do you use to generate passwords for staff?
- Is password generation manual or automated?
- How simple / short are passwords?
- Can passwords be changed or selected by individuals?
- Is password sharing between team members allowed?
- Are passwords stored anywhere?
- Are passwords routinely set to expire?
- When someone leaves the business what happens to their passwords?
These may seem obvious considerations, but an alarming number of businesses take password control far too lightly.
Addressing this one area alone will strengthen a major point of weakness in your network: that point being anywhere a human accesses it. The same strict protocols should be applied to mobile devices as well, of course.
3. Make sure your policies are workable and practical
There is no point in devising a new security policy that never gets used.
Investing in network technology without taking the necessary steps to create your human firewall can be an expensive and dangerous mistake.
Take the time to create a set of procedures that people can incorporate into their working days with minimal effort.
4. Report any cyber crime confidentially
Under-reporting of cyber crime is keeping the criminals in the driving seat. The only way we can develop new defences is by understanding the types of threats we’re facing.
Improved reporting enables better investigation, affords law enforcement greater powers to disrupt serious criminal activity and feeds back into the evolution of better risk management moving forward.
The UK’s Information Gateway allows businesses to share information about cyber attacks with the National Crime Agency on an intelligence-only basis. Any information received through this route is treated as confidential.