Email and the Human Firewall

Firewalls are designed to partition a network and define what is and is not allowed to pass from one side to the other. They are intended to be a control gate, allowing only desired transactions to reach the appropriate systems and blocking everything else. But how you handle unwanted email, for example, can make or break your security posture.

Lessons from the Past

I worked with a client who at one point configured their email to simply not accept any attachments. If your email had a PDF, spreadsheet or even an embedded GIF file, it was dropped in the bit bucket like it was carrying the Bubonic plague. This helped keep them safe from viruses and malware delivered as attachments, but had a negative impact on productivity and did not prevent a cyber criminal from sending a URL to be clicked. As such, it was only a partial solution, but it was an untenable position as businesses need to collaborate, and the sending and receiving of files is commonplace today.

Similarly, while antivirus programs are vital and very helpful, they teach us one certain thing. Cyber criminals adjust their attacks frequently, and constantly playing catch-up is not an optimal solution. The virus signature file updated today is no match for a brand new virus launched tomorrow.

Email Attacks Yesterday and Tomorrow

While a lot can be automated in your email filters and firewalls via encryption signatures, malware scanning, domain blacklisting and pattern matching, much of the efficacy of these controls, as with antivirus, is predicated on spotting known threats. This is helpful, since according to AT&T 90% of the attacks they see are preventable because they are based on known vulnerabilities or variants of them. But it means that even if your automated technological defenses are absolutely perfect, a small percentage will still get through – specifically, new threats that are yet to be recognized and have defenses implemented. And if your firewalls have any gaps, some portion of known threats will also reach your people. This is where the human firewall adds value.
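As an added illustration (not part of the original post), the toy Python gateway below layers the kinds of controls just listed, a sender blocklist, an attachment-type policy and a known-phrase signature, over a handful of sample messages, and then shows the other half of the argument: anything that passes every automated control but links to a host the organisation does not recognise is delivered with a "review" flag so the recipient knows the call is theirs. The domains, patterns and messages are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed blocklist, attachment policy and "signatures": they stand in
# for the known-threat intelligence a real gateway would load.
BLOCKED_DOMAINS = {"badsender.example"}
BLOCKED_EXTENSIONS = {".exe", ".js", ".scr"}
KNOWN_PHISH_PATTERNS = [
    re.compile(r"verify your account within 24 hours", re.I),
]
# Hosts the organisation already knows; any other linked host is "unfamiliar".
TRUSTED_HOSTS = {"intranet.corp.example"}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def attachment_ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def automated_verdict(msg: Message):
    """Apply the known-threat controls in order; return (verdict, reason).
    'block' means a control fired; 'pass' means nothing we know about matched."""
    if sender_domain(msg.sender) in BLOCKED_DOMAINS:
        return "block", "sender domain on blocklist"
    for name in msg.attachments:
        ext = attachment_ext(name)
        if ext in BLOCKED_EXTENSIONS:
            return "block", f"blocked attachment type {ext}"
    for pat in KNOWN_PHISH_PATTERNS:
        if pat.search(msg.subject) or pat.search(msg.body):
            return "block", f"matched known pattern /{pat.pattern}/"
    return "pass", ""


def triage(msg: Message, trusted_hosts=TRUSTED_HOSTS):
    """Layer the human step on top: mail that passes every automated
    control but links to a host nobody recognises is delivered flagged
    for review rather than silently trusted."""
    verdict, reason = automated_verdict(msg)
    if verdict == "block":
        return verdict, reason
    for host in URL_RE.findall(msg.body):
        if host.lower() not in trusted_hosts:
            return "review", f"link to unfamiliar host {host}"
    return "deliver", ""


# Constructed sample traffic: three things the filters already know about,
# one lure the filters have never seen, one legitimate message.
SAMPLES = [
    Message("ops@badsender.example", "Invoice", "See attached."),
    Message("vendor@supplier.example", "Invoice", "See attached.", ["invoice.exe"]),
    Message("it@helpdesk.example", "Action required",
            "Please verify your account within 24 hours."),
    Message("hr@partner-example.com", "Updated leave policy",
            "The new policy is at https://hr-portal-login.example/policy"),
    Message("alice@corp.example", "Agenda",
            "Agenda for Monday: https://intranet.corp.example/agenda", ["agenda.pdf"]),
]


def run_samples():
    """Triage every sample; returns [(subject, verdict, reason), ...]."""
    return [(m.subject,) + triage(m) for m in SAMPLES]


def summarize(results):
    """Count verdicts so the share that got past automation is visible."""
    return dict(Counter(v for _, v, _ in results))


if __name__ == "__main__":
    for subject, verdict, reason in run_samples():
        print(f"{verdict:8} {subject!r:25} {reason}")
    print(summarize(run_samples()))
```

The three known cases are stopped before anyone sees them; the fourth carries nothing on any list and reaches the inbox, which is exactly the residue the text says training has to cover. The "review" flag is the cheapest way to make that residue visible to the person who has to decide.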

Old and New Cyber Security Training

There may have been a time when a rudimentary training program with an annual refresher was sufficient. That time has passed. Emboldened by mounting successful attacks and stories of huge scores, cyber crime is similar to the gold rush or the dot-com boom, where everyone believes the next big haul is just around the corner. Preying on predictable human emotional responses, social engineering attacks continue to increase in sophistication and in the blatancy of their appeals. In addition to email-based phishing, which continues to be effective, phone-based phishing attacks trick people into granting hackers remote access, resulting in ransomware exploits. This is why organizations need every employee to be constantly vigilant and continuously updated on how to spot cyber attacks and become that human firewall. Utilizing university-researched advanced learning techniques to eliminate unsafe cyber habits, organizations need to train employees with the clear goal of instilling long-term changes in behavior. Quantifiable results are needed to ensure that increased cyber security awareness translates into changed actions.

Threats come in many forms, like email, URLs, banner ads, and even apps. These can all be used by criminals to gain access to your network and data. Equipping your employees with the skills to operate as a human firewall against such threats will help ensure your company minimizes risk and at least approaches the 90% mark by not falling for known attack types.