Security professionals frequently use the “weakest link in a chain” adage as the basis for their approach to safeguarding their networks, corporate data, and enterprise IT resources. And in many cases, the weakest link that concerns them the most is the end user. That, in turn, is drawing renewed attention to the concept of the human firewall.
Focusing on the user is all the more important in today’s work-from-anywhere world. Simply put, the new network boundary is the end users themselves. Hence, there is a need to take a firewall approach at that level.
But here we are talking about a broader concept of a firewall. It is not merely a software application or a physical device that serves as a demarcation point between an enterprise entity and the rest of the world. Instead, a human firewall approach aims to provide every end user with a combination of tools, knowledge about threats, and security best practices, as well as instilling in every user the importance of their role in the enterprise’s security.
The idea of using a human firewall strategy for enterprise security has been talked about for years. While the end user was always an important aspect of any security efforts, 2021 and 2022 seem to have been the watershed years that brought the need for a human firewall approach to the forefront.
Studies by The World Economic Forum, IBM, and Cybint in that time frame all found that between 90% and 95% of breaches were caused by human error. About the same time, a joint study by Stanford and Tessian found that employee mistakes cause 88% of data breach incidents.
Soon after that, KPMG started talking to its clients about human firewalling as a way to promote secure behavior and address the human factor in cybersecurity. It defined a human firewall as “people who follow best practices to prevent as well as report any data breaches or suspicious activity.”
More recently (last month), Metomic, a company focused on protecting sensitive data in SaaS apps, introduced a suite of human firewall features for SaaS versions of Google, Slack, and MS Teams. The new features perform several tasks to strengthen security while offloading some of the burden from IT and security teams to the users themselves.
For example, one feature automatically sends Slack notifications in real time when a user breaches a data policy. Another feature sends automatic reminders to employees if data they shared in one of these apps in the past could become a potential risk. In a recent webinar, Christopher Russell, CISO at tZERO, noted that this is a growing issue. Employees need to work fast and often quickly share sensitive data in common SaaS apps. The thought process is something along the lines of "I'll just share this in Slack, then delete it, and it'll be fine."
That is all well and good until someone hacks the app and there is a data breach. Metomic performs data discovery in the SaaS apps, and when it finds data at risk, it automatically sends a reminder to the user so the issue can be addressed.
The heart of KPMG and vendor human firewalling efforts center on constantly reminding end users about their role in enterprise security and providing them with information and tools to help. The challenge is doing these things in a way that gets every user’s attention without becoming overwhelming or interfering with their jobs.
Network Computing's parent company, Informa, does this with its Cyber Ambassador program. “The program’s objectives are to move towards a place where security is everyone's responsibility and not just the responsibility of IT and the InfoSec team and to improve colleague cyber awareness and education,” said Richard Walker, the Info Security Culture & Awareness Manager at Informa who leads the Cyber Ambassador program, in the first meeting of the Cyber Ambassadors.
The way the program works is that volunteer Cyber Ambassadors get special training and are made aware of new threats and other security issues impacting the company. They then communicate the company's key cybersecurity messages to colleagues in their divisions.
In one case, the ambassadors were told of a new method being used by thieves who stole iPhones knowing the user’s ID. In many cases, the thief would immediately change the user’s credentials for their iCloud, banking, and online store accounts. Once changed, the true owner of those accounts has no way of regaining access to their accounts.
The ambassadors were then told how to change certain iPhone settings to protect those accounts even if a thief had opened the phone with the proper user credentials. Apple has since addressed this problem. But before that happened, every Cyber Ambassador passed information about the new threat and the remedy to their fellow workers.
Technologies like broadband Internet services, 5G, SASE, Wi-Fi 6 (and soon to be Wi-Fi 7) have empowered enterprise users, allowing them to work anywhere. The downside to that freedom is that every user is now an access point for malicious activity and data breaches. As such, enterprise IT and security teams have a much harder time doing their job.
Enter the human firewall. The human firewall approach seeks to make the end user an equal participant in ensuring enterprise security. Beyond traditional things like mandatory cybersecurity training and the use of cyber protection software, organizations that adopt a human firewall strategy provide the needed resources and information to make each end user a part of an enterprise’s total security program.
Gartner sees this human-centric security approach as a model for the future, and its embracement was one of its top cybersecurity predictions in 2023. In particular, Gartner predicts that by 2027, 50% of CISOs will formally adopt human-centric practices into their cybersecurity programs. Rather than focusing on technology, threats, or the security of a site, this model concentrates on the individual.
Related articles:
NetOps teams, like Spider Man, have great powers and great responsibilities. Increasingly, they are adopting a Zero Trust approach to network operations to help fight their battles.
Senior stakeholders who want to hold on to their CISOs must ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
