Building a Human Firewall in a WFH World

KnowBe4 Cybersecurity - Building a Human Firewall in a Work From Home World.

Michael J. Asquith and Jamie Kincaid discuss various topics during the Vistatec KnowBe4 Cybersecurity webinar, including localization, cybersecurity—and how introverts can become great leaders! Michael is a Global Content Solutions Executive for Vistatec; he asks Jamie, a self-proclaimed introvert who works as Translation Manager at KnowBe4, about cybersecurity and her new pandemic hobby (darts). Vistatec is a global content solutions partner focused on creating compelling outcomes for some of the most iconic, innovative international brands. KnowBe4 is the world’s largest security awareness training and simulated phishing platform.

Jamie began her career coordinating small projects while working at a laboratory information system. Naturally, growing into more significant projects, Jamie noticed many career doors opening for her colleagues—those getting project management professional certifications. Jamie decided to follow this path as well to broaden her career options. Jamie says she was fairly “naïve” about localization at the time, unaware of how nuanced the industry was.

What is a Human Firewall?

While most of us understand the concept of our computer firewall, fewer of us are familiar with a human firewall. A human firewall is essentially a group of people within an organization committed to following best practices to prevent and report suspicious activities or data breaches via phishing, ransomware, or other types of cyberattacks. The more employees within an organization committed to being a part of the human firewall, the stronger that firewall becomes. The ultimate goal of a human firewall—like that of a computer firewall—is to keep your network safe and secure. 

Cybersecurity Issues in the Workplace

Jamie mentioned the Treasury Department and other agencies hacked in 2020, noting how sophisticated the hackers were; the hackers inserted malicious code into computer networks. That code went out to thousands of customers who installed the tainted software update. Because such hacks are potentially so devastating to an organization, its employees, and its customers, we should be doing everything possible to stop cybercriminals from gaining access to our systems. 

Jamie realized it simply wasn’t enough to rely on technology or the IT department: everyone within a company can be proactive. Employees are empowered to learn that they are a critical link in the human firewall chain and can halt a cyberattack. Cybercriminals attack in two primary ways, known as social engineering and phishing.

In information security, social engineering is the psychological manipulation of people, causing them to perform an action or divulge confidential information. In social engineering, a cybercriminal attempts to trick you into taking an action that’s against your own best interests. The most common form of social engineering is known as phishing. Phishing occurs when you receive an email and click on a malicious link or an infected attachment. Phishing can also happen through text messages and voicemail. Google flagged over two million phishing sites in 2020, so the issue is widespread.

Those within an organization must remember that humans are the last line of defense in staying safe. Jamie notes that doing this requires a two-pronged approach. First comes what is known as “simulated phishing.” You can test those within an organization, seeing how resistant they are to social engineering—how likely they are to click on a phishing email or give up their credentials.

There are hundreds of different types of phishing emails. An email may say there is a contract attached. If you were expecting a contract, it is natural to click on the attachment. Or an email could indicate it’s from your HR department—which most people would certainly click on. You may receive an email that says your account has been suspended, giving you a link to click on to have it restored. Following simulated phishing, analytics are crucial to determining whether the training is working as it should.

How Do You Spot a Phishing Email?

Check the email address of the sender. It is unlikely to be from a legitimate organization if sent from a public email domain—like gmail.com or yahoo.com. Many phishing emails are poorly written. If the email contains attachments or links, be very wary until you have thoroughly checked it out. 

Most phishing emails create a sense of urgency, hoping you will click before you think it through. If there are images in the body of the phishing email, they are likely to be of lower quality. Any email that prompts an emotional response or a sense of urgency should be looked at carefully. Unfortunately, only a fraction of all cyber breaches are reported or made public knowledge, mainly because victims are embarrassed that they fell for the scam.
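The checks above (sender on a public email domain, links or attachments present, urgency wording) can be turned into a simple triage routine that tells an employee which warning signs an email trips before they decide to report it. This is an added example, not code from the webinar or from KnowBe4; the urgency cue list and the two sample messages are constructed for illustration, and the public domains are the two named on this page.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Public email domains called out on the page as unlikely for a legitimate organization.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com"}
# Constructed list of urgency phrases (assumption: a real deployment would tune this).
URGENCY_CUES = ("suspended", "immediately", "urgent", "within 24 hours", "restore")

def sender_domain(msg: EmailMessage) -> str:
    """Lower-cased domain of the From: address, or '' if it cannot be parsed."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def phishing_indicators(raw: str) -> list[str]:
    """Return the page's warning signs that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if sender_domain(msg) in PUBLIC_DOMAINS:
        hits.append("public sender domain")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if re.search(r"https?://", text):
        hits.append("contains link")
    if any(part.get_filename() for part in msg.iter_attachments()):
        hits.append("contains attachment")
    if any(cue in text.lower() for cue in URGENCY_CUES):
        hits.append("urgency cue")
    return hits

def is_suspicious(raw: str) -> bool:
    """Two or more warning signs together: check it out thoroughly before clicking."""
    return len(phishing_indicators(raw)) >= 2

# Constructed sample: the "account suspended" lure described on the page.
SAMPLE_PHISH = """\
From: IT Helpdesk <helpdesk-support@gmail.com>
To: employee@example.com
Subject: Your account has been suspended
Content-Type: text/plain; charset="utf-8"

Your account has been suspended. Click https://example.invalid/restore
immediately to have it restored.
"""

# Constructed sample: a routine internal notice with no links or pressure.
SAMPLE_LEGIT = """\
From: Payroll <payroll@example.com>
To: employee@example.com
Subject: March newsletter
Content-Type: text/plain; charset="utf-8"

The March team newsletter is posted on the intranet. No action needed.
"""
```

Run `phishing_indicators(SAMPLE_PHISH)` to see which of the page's warning signs the constructed lure trips; the routine notice trips none.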

Physical Social Engineering

Social engineering can also take a physical form. Say you are about to go through a door at work that requires a badge. The person behind you is juggling two cups of coffee, their purse, and their laptop bag and can’t reach their badge. They ask you to please let them in. It seems harmless enough, right? Unfortunately, in many cases, you may have just been socially engineered—and allowed an unsavory character into your workplace.

Is Any Industry More Vulnerable Than Others?

Are some industries more vulnerable to cybersecurity threats than others? Jamie believes cyberattacks occur across the board, while noting that breaches in hospitals and educational institutions can be especially damaging because of the sensitive information they hold. From the mailroom to the boardroom, every person can be part of the human firewall in some way. Therefore, everyone in the organization needs training.

Why is Cybersecurity Even More Important Today?

With the advent of Covid, and hundreds of thousands more employees working from home, the issue becomes even more crucial. Even as we see some light at the end of the tunnel, many of those remote employees are likely to remain remote—at least part-time. Employers have realized they can operate efficiently and productively with much of their staff out of the office.

Because remote work brings a different set of security concerns, each company must have a written security risk assessment and an information security plan for remote workers. One consideration, in particular, deals with allowing employees to access organizational resources using their personal computers. Sensitive information accessed over a company network from a personal computer can be a recipe for disaster as far as security goes.

Organizations now say that their biggest security challenge centers around remote workers—keeping them safe and protecting them against phishing and social engineering attacks. All remote workers worldwide should be fighting cyberattacks as a human firewall. Courses with videos are under development to help fight cybercrime, and those courses incorporate localization and translation. KnowBe4 can help your company with security awareness training, combined with simulated phishing attacks, to make your company safer. And, as a quick tip in the cybersecurity process, Jamie notes that when it comes to passwords, longer is stronger!