What is a Human Firewall?
Cyber security measures are essential for all organisations. The importance of effective software security (e.g., firewalls, antimalware protection, and password protection) and hardware security (e.g., hardware firewalls, proxy servers, locked doors, and CCTV systems) in preventing cyber security violations is well-documented.
However, technical security measures are only one component of an effective cyber security “shield”. Alongside a system firewall, you also need to implement and maintain an effective “human firewall”. A human firewall is a collection of practices that members of an organisation follow in order to maintain security.
According to a study by IBM, a staggering 95% of cyber security breaches are a result of human error, rather than software or hardware failure. Every member of an organisation has an important role to play to keep the human firewall strong, and neglecting this responsibility can have hugely detrimental effects on an organisation as a whole.
In this article, we will explore 12 non-technical security tips that make up a strong human firewall. By following the steps outlined, not only will you be protecting yourself—you will also be protecting your co-workers and your organisation.
1. Keep your desk clean and lock up
Keeping your workspace tidy and well-organised is not just important for making your working environment more pleasant—it also has security benefits. Paper documents on your desk may contain sensitive information such as passwords or customer details. These documents should be stored out of sight of others, ideally in a lockable drawer or cabinet. Organisations should also have procedures for locking these away and who has access to keys.
Alternatively, sensitive information can be kept on digital notes apps on work devices (this also has environmental benefits!). Wherever sensitive information is kept, it should be secure, and be deleted when no longer needed. Encrypting information can also add an extra layer of security, as long as the key to decrypt it is accessible to those authorised to access that information.
All of the above also applies to working from home—other members of your household should not be able to access sensitive information, and it certainly shouldn’t get lost around the house.
2. Don’t allow tailgating
Tailgating refers to when people attempt to gain access to restricted spaces by following others through doors.
Always make sure when letting somebody else in the building that they are authorised and go through the reception first. Remember—not all employees have authorisation to access the same areas of the building! Don’t let anybody in behind you and make sure nobody is following you when accessing the building. If you are suspicious of anybody, discreetly report this to security.
3. Keep devices secure
All work devices, whether a PC, laptop, tablet, or mobile phone, should be attended or otherwise hidden in a secure place. When you leave your desk, lock your devices and their screens with a secure password. This also applies when you are working from home or commuting.
Always keep track of the equipment you have and make sure portable devices are locked away out of sight. It only takes one opportunist to take your laptop whilst you’re away making a quick coffee!
4. Choose a strong password
When creating a password, adhere to your organisation’s policy, always use a password vault (password manager), and make sure you can remember it. Passphrases are easier to remember, as long as they aren’t easy for a potential attacker to guess. The name of your pet, partner, or favourite sports team is not a great idea for a password!
5. Think before you click
Email is a common route for cyber attackers to gain access to organisations’ systems. To reduce your chances of falling prey to phishing scams and other threats, always double check before you click a link or attachment in an email—even if it is from somebody you know! Hover over links to make sure the destination website is legitimate and look for any spelling mistakes or errors in the address. If the link differs from a familiar one, don’t click on it.
If in doubt, always double check with your IT provider or department. If somebody you know sends a suspicious link or attachment, you can even call them (on a previously verified number) to check.
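The hover check described above, as an added example that is not part of the original article: a small Python script that flags links whose visible text and real destination disagree, or whose domain is a one- or two-character near-miss of a domain staff already trust. The trusted-domain list and the sample email body are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Domains staff would recognise as legitimate (constructed for this example).
KNOWN_DOMAINS = {"example.com", "example-bank.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Constructed phishing-style body, not a real message.
SAMPLE_EMAIL = (
    '<p>Action required: <a href="http://exmaple-bank.com/login">'
    'https://example-bank.com/login</a></p>'
    '<p><a href="http://examp1e.com/reset">Reset password</a> or read '
    '<a href="https://example.com/help">our help page</a>.</p>'
)

def registrable_domain(url):
    """Last two labels of the URL's host, lower-cased (a simplification)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html):
    """Return (href, reason) for every link that fails the 'hover' check."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # visible link text
        target = registrable_domain(href)
        if target in KNOWN_DOMAINS:
            continue  # goes where staff expect
        shown = registrable_domain(text) if URL_RE.match(text) else ""
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
            continue
        near = [d for d in KNOWN_DOMAINS if 0 < edit_distance(target, d) <= 2]
        if near:
            findings.append((href, f"{target} is a near-miss of {near[0]}"))
    return findings
```

Run against `SAMPLE_EMAIL`, the script reports the mismatched bank link and the typosquatted reset link while leaving the genuine help-page link alone.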
6. Don’t be overheard
When discussing potentially sensitive information, always consider where you are and who can hear you. Even in the office, some co-workers may not be authorised to hear this information.
When taking important phone calls, make sure the room is empty and there is nobody listening on the other side of the door. Not only could they be eavesdropping, but they could also use what they overhear to insert themselves into your communication (a man-in-the-middle attack).
7. Be wary of shoulder surfing
“Shoulder surfing” is when someone looks over your shoulder at your screen without your permission. Not only is this nosy and rude—it is also a potential security issue! This can happen in the office or if you are working from home or using work devices in public.
To avoid sensitive information being seen by unauthorised people, you can change the angle of your screen, use privacy screen filters, or even work in a different room if you are working with sensitive information.
8. Never charge your device using public USB sockets
Public USB sockets may seem convenient if you are working away from the office, but there are significant security risks in using them to charge work devices. Attackers can modify public USB sockets so that they harvest information from devices plugged in, or even install malware or tracking software onto these devices!
Examples of USB sockets to avoid include those in airports, rental cars, trains, libraries, cafes, and more spaces accessible to members of the public.
9. Never plug an unknown USB flash drive into a device
As with public USB sockets, USB flash drives can also be modified to harvest information or install malware. Hackers have deliberately left USB flash drives lying around near offices for employees to pick up and plug into their devices. If you see a mysterious USB device in or near your workplace, report it to security.
In fact, the cyber security industry generally considers it best practice to avoid using USB sticks at all—as well as the danger of using a malicious USB stick, it is also easy to lose your own USB sticks (and any information stored on them). When using a USB stick is necessary, make sure it is password protected and/or the information stored on it is encrypted. It should also be kept physically secure so unauthorised individuals cannot access it.
10. Avoid using public networks
Wi-Fi networks are a particularly common access point for cyber attackers. When working in the office, you will most likely be using your organisation’s network. However, if you are using work devices in public, such as at a library, café, or on a train, this won’t be accessible.
While public Wi-Fi networks may seem a convenient way to get online when out of the office, they can be used by attackers to access your information or even control your device itself. Avoid using public networks wherever possible, and if using one is absolutely unavoidable then you should use a reliable VPN to encrypt your network traffic. If in doubt, ask your organisation’s IT team about recommended VPNs and how to use them.
11. Always follow your organisation’s procedures and policies
Your organisation should have procedures and policies in place to make sure that security is tight. It is every staff member’s responsibility to learn, understand, and follow these procedures at all times. These policies are in place for a reason—to protect you, your co-workers, and the organisation as a whole.
You should also make sure you know who to get in touch with if you have any questions relating to security, or if you suspect any potential security threats or encounter any incidents. Communication is key!
12. Think before sharing information—even with co-workers
Not everybody in your organisation needs to know every piece of information. Internal information varies per department and should not be shared unless deemed appropriate or necessary in order to carry out a specific objective.
The fewer people who know a piece of information, the lower the chance of it being leaked. Information leaks can happen accidentally through human error, or even deliberately by (for example) a disgruntled employee. Always think before you speak, and make sure you are talking to somebody who needs to know that particular information. When sharing sensitive information via email, mark it as confidential so that the recipient knows not to share it.
A strong human firewall is made up of many people. Every member of your organisation should be educated on how to stay secure. Regular training and teaching of best practices are highly recommended.
If you follow all these steps, you are much more likely to keep security strong in your organisation. Remember—it’s better to err on the side of caution and be safe rather than sorry! If you have any doubts about anything, or suspect any potential security threats, contact your IT department.