The human firewall and modern cyber defence
Authored by NMU
With 30th November being Computer Security Day, we’re taking a look at one of the most important cyber and hardware defence an organisation has – the human firewall.
Why workplace culture & the human factor matter
In today's insurance market, organisations are expected to maintain rigorous security controls. Companies scrutinise the way the attack surface is protected by technical tools and processes. Yet, losses and breaches are still occurring.
That's because something crucial is being left out of the picture. 80% of data breaches in 2021 were caused by user error, according to an analysis of the UK’s Information Commissioners Office’s (ICO) data.
As persisting ransomware attacks fuel rising cybercrime, how can businesses mitigate their exposures? One key consideration is that organisations need to fortify the human firewall.
Every single day workers are subject to phishing emails, CEO fraud attempts, spear phishing, and wire transfer fraud gimmicks. If the staff can be trained, and their decision-making abilities tested, these attacks can be prevented at the human firewall.
Training, phishing and culture
The solution is not revelational - it's tried, true, and logical. Training, phishing simulations, and workplace culture are the trifecta for building human defences.
Training establishes baseline cyber hygiene knowledge and makes connections between information and application. Training should include live and computer-based modules. Phishing simulations allow employees to learn and even make mistakes in a controlled environment where they improve behaviour and reflexes to these malicious emails.
Establishing whether a program is in place, for how long, how it is deployed, and whether phishing simulations are provided, as well as the frequency and click rates, is all key to understanding the strength of a human firewall. Training and phishing simulations are a must-have combination – providing a sort of 1-2 punch by broadening knowledge and demonstrating good cyber behaviour, improving employee reflexes.
What does a good training program look like?
It's important to recognise that not all training programs are built alike. When evaluating options and implementing training – what should organisations look for?
- Specific: Training content must align with organisational needs. Think about compliance, and train to the highest requirements for consistency across the footprint.
- Custom: Mixing computer-based learning and live learning can help address the needs of visual, auditory, and kinesthetic learners. Succinct, interactive videos are best.
- Dynamic: Training must be integrated with phishing simulations – those who fall for the phish will receive additional training.
- Measurable: The training activities should provide insights and metrics to establish progress over time and demonstrate value to stakeholders.
- Relevant: Training content should be refreshed annually… at least.
- Reoccurring: Employees should receive training upon hire and then annually. Ad hoc prescriptive training should be provided to refresh and fortify knowledge.
How can you increase your computer security?
In this new world of working environments, we should think more about leaving devices unattended and thankfully protecting your computer from a hardware attack can be fairly straightforward.
Ways to do this include, locking your computer screen when leaving it unattended, turning your computer off when you aren’t using it for a long period of time, and using strong passwords.
In terms of passwords, it’s best to include a combination of words and numbers which are difficult to for hackers to hack, with ‘Password1’ no doubt being an easy first guess for criminals. Regular password rotation is crucial.
Fortunately, with the development of technology over the years, we now have the additional ability to protect devices through fingerprint and facial scanning in order to unlock devices and access certain applications.
As far as physical security is concerned, a Kensington lock is a device which allows you to tether your laptop/computer to an immovable object so it cannot be physically taken. These can especially useful to use when working in shared offices or public spaces, such as a coffee shop as additional security from theft.
Read more about protecting computer equipment in a remote working world here.
Creating a strong cybersecurity culture
It's all about the "why" and the conversation should start from the top down. The key is to embed cyber hygiene into organisational culture, which is transformed from the top down – making the C-suite key stakeholders.
Leadership must understand the implications of phishing attacks and benefits of a strong cyber training and awareness program – integrating and aligning the "why" with the mission and values of the organisation.
In other words, why should time and money be spent on this initiative? An organisation cannot fulfil its mission to provide its services if its data is encrypted as a result of a phishing email. A business cannot fulfil its value (and responsibility) to maintain confidentiality, integrity, and availability of its digital assets if they are encrypted and exfiltrated.
Buy-in is gained by communicating the implications and benefits, empowering the workforce as agents of protection and critical decisionmakers. The implications of phishing attacks include operational downtime, resulting in business interruption and revenue loss.
Reputational damage can occur, as stakeholders expect the organisation to be responsible stewards of data – stakeholders lose faith in organisations that fall victim to cyber-attacks, especially when it's the stakeholder’s data at risk – viewing themselves as the victim and the organisation as an irresponsible steward.
Employee data is at risk as well, particularly information maintained by human resources. Deploying a training and phishing program significantly reduces susceptibility to an attack, helping to maintain the company's reputation and solvency by protecting personal, sensitive and proprietary information.
Those familiar with the psychological tactics of social engineering will likely recall that it typically includes a call to action, power and likability to persuade victims. This is because employees respond to these types of communications – we are wired to do so.
The very same psychological characteristics that cause us to fall victim to an attack can be engineered to create a strong cybersecurity culture. Organisations must treat employee cyber vigilance as a campaign – calling internal stakeholders to action and empowering them with the tools & knowledge to protect their business. This empowerment and collaboration toward a common goal translates to job satisfaction and embedded culture.
“It’s extremely important that organisations are conscious of IT security, have a strong cyber security culture and take steps to protect themselves from threats, but no organisation can ever be 100% secure. Cyber threats are rapidly evolving and there are so many ways in which attackers can access networks nowadays. The best IT security controls in the world won’t protect against events which don’t involve a third party accessing an organisation’s network, such as social engineering attacks or the actions of a rogue employee, so it’s important to have a robust insurance policy in place should the unthinkable happen. A strong cyber security and cyber insurance do not need to be mutually exclusive; they should work together to protect companies against cyber risks.” - Matt Drinkwater, NMU Cyber & Financial Lines Underwriting Manager
Insurance solutions built upon a real understanding of the risks faced by policyholders
Whilst this information can help prevent cyber-attacks and data breaches, no business can be 100% certain that they won’t be the next target or a cybercriminal or hardware thief - no matter how strong a business’ human firewall is.
NMU’s cyber insurance and computer insurance solutions have been designed specifically to address the threats SMEs face, and they have been built upon a real understanding of those risks.
Brokers have asked, and we’ve listened
We pride ourselves on listening to the feedback from our broker partners, and engaging at the outset instead of building products we think the market wants. With this in mind, we are pleased to share that we have developed, and are launching, our latest CyberSafe Insurance solution based on a combination of broker feedback and learnings from the market. Contact your local NMU development underwriter to learn more.
For more information about CyberSafe Insurance or Computer Insurance, contact your local NMU Development Underwriter.
NMU is an award-winning provider of specialty insurance solutions
We are the first choice for brokers looking for specialty insurance, offering solutions that are not simply off-the-shelf, but built upon a real understanding of the risks faced by policyholders. This, together with our ability to write risks such as storage, installation, construction and exhibitions outside of the UK and offer terrorism cover on overseas property, sets us apart from the competition.
You can count on us, when you need us most! We are NMU
Our team of professionals based across the UK, provides customers with an in-depth product knowledge and a real personal service.
We provide bespoke insurance products that are not simply off-the-shelf solutions, but built upon a real understanding of the risks faced by policyholders as well as offering added value services to benefit our clients.
Our product and services range comprises:
Cargo Insurance: Marine cargo policies cover goods during import and export, including any incidental storage, as well as domestic distribution. Stock throughput polices can cater for all this plus other, intentional storage…read more
Freight Liability Insurance: Covering the liabilities to which hauliers, freight forwarders and warehouse keepers are exposed when they contract to move or store goods owned by others…read more
Engineering Insurance: Covering contractors’ all risks (CAR), erection all risks (EAR) and contractors’ plant; machinery movement (and installation), breakdown and business interruption; deterioration of stock; and electronic risks…read more
Marine Equipment Insurance: Covering remotely-operated and autonomous underwater equipment – ROVs, AUVs and the like…read more
Terrorism and Sabotage Insurance: Standalone terrorism cover can be a more flexible and cost-effective alternative to traditional placement routes…read more
Motorsport Insurance: Designed for commercial risks, our motorsport policy offers 24/7 cover for teams at all levels across all disciplines…read more
Cyber Insurance: Providing SMEs with a simple, robust solution for cyber liabilities, cybercrime and restorative support…read more
Risk Control: Whilst we pride ourselves on our claims service, there is far more benefit to policyholders in preventing loss and damage in the first place…read more
Online Facilities: To complement our award-winning service, we use online facilities to assist NMU policyholders and brokers alike…read more
Claims Management: We pride ourselves on prompt and efficient claims management, which is supported by the use of independent surveyors and adjusters to quantify larger losses and to give advice on mitigation measures…read more