The human firewall and modern cyber defence

Authored by NMU

With 30^th November being Computer Security Day, we’re taking a look at one of the most important cyber and hardware defence an organisation has – the human firewall.

Why workplace culture & the human factor matter

In today's insurance market, organisations are expected to maintain rigorous security controls. Companies scrutinise the way the attack surface is protected by technical tools and processes. Yet, losses and breaches are still occurring.

That's because something crucial is being left out of the picture. 80% of data breaches in 2021 were caused by user error, according to an analysis of the UK’s Information Commissioners Office’s (ICO) data.

As persisting ransomware attacks fuel rising cybercrime, how can businesses mitigate their exposures? One key consideration is that organisations need to fortify the human firewall.

Every single day workers are subject to phishing emails, CEO fraud attempts, spear phishing, and wire transfer fraud gimmicks. If the staff can be trained, and their decision-making abilities tested, these attacks can be prevented at the human firewall.

Training, phishing and culture

The solution is not revelational - it's tried, true, and logical. Training, phishing simulations, and workplace culture are the trifecta for building human defences.

Training establishes baseline cyber hygiene knowledge and makes connections between information and application. Training should include live and computer-based modules. Phishing simulations allow employees to learn and even make mistakes in a controlled environment where they improve behaviour and reflexes to these malicious emails.

Establishing whether a program is in place, for how long, how it is deployed, and whether phishing simulations are provided, as well as the frequency and click rates, is all key to understanding the strength of a human firewall. Training and phishing simulations are a must-have combination – providing a sort of 1-2 punch by broadening knowledge and demonstrating good cyber behaviour, improving employee reflexes.

What does a good training program look like?

It's important to recognise that not all training programs are built alike. When evaluating options and implementing training – what should organisations look for?

• Specific: Training content must align with organisational needs. Think about compliance, and train to the highest requirements for consistency across the footprint.
• Custom: Mixing computer-based learning and live learning can help address the needs of visual, auditory, and kinesthetic learners. Succinct, interactive videos are best.
• Dynamic: Training must be integrated with phishing simulations – those who fall for the phish will receive additional training.
• Measurable: The training activities should provide insights and metrics to establish progress over time and demonstrate value to stakeholders.
• Relevant: Training content should be refreshed annually… at least.
• Reoccurring: Employees should receive training upon hire and then annually. Ad hoc prescriptive training should be provided to refresh and fortify knowledge.

How can you increase your computer security?

In this new world of working environments, we should think more about leaving devices unattended and thankfully protecting your computer from a hardware attack can be fairly straightforward.

Ways to do this include, locking your computer screen when leaving it unattended, turning your computer off when you aren’t using it for a long period of time, and using strong passwords.

In terms of passwords, it’s best to include a combination of words and numbers which are difficult to for hackers to hack, with ‘Password1’ no doubt being an easy first guess for criminals. Regular password rotation is crucial.

Fortunately, with the development of technology over the years, we now have the additional ability to protect devices through fingerprint and facial scanning in order to unlock devices and access certain applications.

As far as physical security is concerned, a Kensington lock is a device which allows you to tether your laptop/computer to an immovable object so it cannot be physically taken. These can especially useful to use when working in shared offices or public spaces, such as a coffee shop as additional security from theft.

Read more about protecting computer equipment in a remote working world here.

Creating a strong cybersecurity culture

It's all about the "why" and the conversation should start from the top down. The key is to embed cyber hygiene into organisational culture, which is transformed from the top down – making the C-suite key stakeholders.

Leadership must understand the implications of phishing attacks and benefits of a strong cyber training and awareness program – integrating and aligning the "why" with the mission and values of the organisation.

In other words, why should time and money be spent on this initiative? An organisation cannot fulfil its mission to provide its services if its data is encrypted as a result of a phishing email. A business cannot fulfil its value (and responsibility) to maintain confidentiality, integrity, and availability of its digital assets if they are encrypted and exfiltrated.

Buy-in is gained by communicating the implications and benefits, empowering the workforce as agents of protection and critical decisionmakers. The implications of phishing attacks include operational downtime, resulting in business interruption and revenue loss.

Reputational damage can occur, as stakeholders expect the organisation to be responsible stewards of data – stakeholders lose faith in organisations that fall victim to cyber-attacks, especially when it's the stakeholder’s data at risk – viewing themselves as the victim and the organisation as an irresponsible steward.

Employee data is at risk as well, particularly information maintained by human resources. Deploying a training and phishing program significantly reduces susceptibility to an attack, helping to maintain the company's reputation and solvency by protecting personal, sensitive and proprietary information.

Those familiar with the psychological tactics of social engineering will likely recall that it typically includes a call to action, power and likability to persuade victims. This is because employees respond to these types of communications – we are wired to do so.

The very same psychological characteristics that cause us to fall victim to an attack can be engineered to create a strong cybersecurity culture. Organisations must treat employee cyber vigilance as a campaign – calling internal stakeholders to action and empowering them with the tools & knowledge to protect their business. This empowerment and collaboration toward a common goal translates to job satisfaction and embedded culture.

“It’s extremely important that organisations are conscious of IT security, have a strong cyber security culture and take steps to protect themselves from threats, but no organisation can ever be 100% secure. Cyber threats are rapidly evolving and there are so many ways in which attackers can access networks nowadays. The best IT security controls in the world won’t protect against events which don’t involve a third party accessing an organisation’s network, such as social engineering attacks or the actions of a rogue employee, so it’s important to have a robust insurance policy in place should the unthinkable happen. A strong cyber security and cyber insurance do not need to be mutually exclusive; they should work together to protect companies against cyber risks.” - Matt Drinkwater, NMU Cyber & Financial Lines Underwriting Manager

Insurance solutions built upon a real understanding of the risks faced by policyholders

Whilst this information can help prevent cyber-attacks and data breaches, no business can be 100% certain that they won’t be the next target or a cybercriminal or hardware thief - no matter how strong a business’ human firewall is. 

NMU’s cyber insurance and computer insurance solutions have been designed specifically to address the threats SMEs face, and they have been built upon a real understanding of those risks.

Brokers have asked, and we’ve listened

We pride ourselves on listening to the feedback from our broker partners, and engaging at the outset instead of building products we think the market wants. With this in mind, we are pleased to share that we have developed, and are launching, our latest CyberSafe Insurance solution based on a combination of broker feedback and learnings from the market. Contact your local NMU development underwriter to learn more.

Contact us

For more information about CyberSafe Insurance or Computer Insurance, contact your local NMU Development Underwriter.