Building a Human Firewall: Raising Awareness to Protect Against Social Engineering
Never heard of the human firewall? The idea is to build a persistent awareness of information security in the minds of an information system's users, so that they neither make mistakes nor misbehave when handling information. A good human firewall is an employee who lets only good security practices through and rejects everything else, much as a network firewall allows only authorized traffic and drops the rest.
One radical way to build a strong human firewall is to get rid of all humans! Although this might sound humorous, it is attempted every day when individuals are removed from processes and replaced with systems or machines. Unfortunately (or fortunately, depending on the point of view), the human is always standing somewhere behind a process, system, or machine. Therefore it is generally accepted that the only way to build a good human firewall is to raise people’s awareness; to teach them good habits, to make them recognize bad practices and change them into good practices.
Humans are the foundation of all companies. As Symantec CEO John Thompson said at a conference in August 2006, "An organization’s cybersecurity is only as good as the people who manage and use it."
Is Security Awareness Needed?
Because users of information technology have, to some extent, the power to alter the information systems they use, they need to be aware of information security and of how it relates to their daily activities. People write books about how to build an efficient security awareness program, conferences focus on the subject, and some folks even write articles about it!
Before delving into this more deeply, you might ask why users need awareness in 2006. Why do users who are only required (as far as the computer is concerned) to know how to use a mouse and click on icons need to be aware of information security?
There are two ways of looking at it:
- An analogy: While driving a car, you do not need to know how the engine works, yet you have the power to cause accidents, so you are required to know how and when to brake. As a computer user, you should know how to avoid breaches and how to keep yourself on the right path.
- Be realistic: Security fails! Let's be honest. Nearly every service introduced since the emergence of the Internet has had vulnerabilities that require products to mitigate the risks. Those products in turn have vulnerabilities that need patching to mitigate the risks... What a farce!
One way or another, one fact remains: although computer users can use (and benefit from) more and more services, they are also more and more exposed and vulnerable. Additionally, because the security community at least partially fails to protect those users from the risks of the Internet, they have to know how to protect themselves. They have to make decisions that require an above-average level of competence. To distinguish good information from bad, they have to scrutinize every email, learn not to open suspicious attachments, learn how to check a website's authenticity, learn how to create hard-to-break passwords, and so on.