Defending the Enterprise Part 1: The Human Firewall

Monday, November 29th, 2021



There are two lines of defense when it comes to protecting the enterprise and keeping the bad guys at bay: Strengthening the human firewall and patching vulnerable systems. Part one of this series will focus on the human firewall.

Some of you might be old enough to remember a movie called “The Sting.” It’s about con men in the 1930s who use a “pigeon drop” and phony off-track betting to steal vast sums of money from unsuspecting targets. Fast forward to today. Times have changed, but the world is still full of bad guys who want to take your money or your secrets. And now, because of the way we do business on the Internet, we’re exposed to new tactics—from phishing to ransomware.

In response, we have two lines of defense when it comes to protecting the enterprise and keeping the bad guys at bay: Strengthening the human firewall and patching vulnerable systems.

In part one of this series, I’ll focus on the human firewall and in part two I will focus on patching vulnerable systems. So, let’s dive in with some factors to consider regarding our human firewalls.

What makes people good at their jobs can also make them vulnerable

Our employees are our most critical resource. Beyond our products and services, the humans we employ give us the competitive edge we need to succeed. But many of our best employees aren’t technical. They’re the soft skills folks—salespeople, marketers, and the member service team.

You can have the most technically bulletproof email system in the world, but when a bad guy wants to attack an enterprise, whether as a penetration tester or as a cybercriminal, he or she is going to hit these soft targets.

Why? Because these people are on the front lines of the credit union and their jobs involve interacting with the public. They’re friendly, outgoing, and predisposed to help or troubleshoot—which makes them more likely to open an email attachment or click on a link.

C-level executives are particularly vulnerable to social engineering attacks because they’re often involved with charitable and nonprofit organizations. Here’s an example: An attacker goes on Facebook or LinkedIn to determine which organization an executive supports. Then, the attacker spoofs an email to the executive from that organization titled, “Here are some potential donors” and attaches a weaponized Excel spreadsheet. Naturally, the executive is curious about new donors to an important cause, so he or she opens the attachment. Boom—a good person trying to do good things has just provided a beachhead into the organization.

How can we protect our soft targets?

To protect against attacks, you need to implement very good security and awareness training for employees across your enterprise—with a subset of training specifically designed for your C-suite and soft skills people. Here’s the approach we’re taking at DefenseStorm:

1. Phish your own pond

The best way to expose your threat vulnerabilities is to simulate real-world attacks. We do this with three groups of employees: Marketing and sales, engineering, and the C-suite. We target more sophisticated campaigns toward the engineering group and start at a basic level with the marketing/sales and C-suite groups.

When we first started simulating attacks, we created our own “dirty tricks campaigns.” Now, several high-quality services automate campaigns and can help you to manage the security challenges of social engineering, spear phishing, and ransomware attacks.

We use KnowBe4, a cloud-based subscription service that combines simulated attacks with security awareness training. We’re running their canned email and automated social engineering campaigns—and using additional features I’ll describe below.

2. Automate awareness training

If someone in our organization clicks through one of the simulated attacks, they are automatically enrolled in an awareness training module that’s specific to the trick that caught them.

The training includes videos featuring Kevin Mitnick, the world’s most famous hacker. He does a 45-minute demo to illustrate what happens on the other side when someone clicks a phishing email. A picture (or in this case, a video) is worth a thousand words, and when our employees see how the bad guy operates behind the scenes, they become more acutely aware of the problem and the urgency to address it.

We also include “if you see something, say something” guidance as part of our awareness training. This goes beyond coaching employees to report suspicious emails or phishing attempts to include unusual phone calls or people hanging around the building. It’s all part and parcel of our security incident response program.

3. Track your risk scores—but don’t name and shame

The beauty of a service like KnowBe4 is it provides a risk scoring mechanism within the platform. I can go in and check the risk scores to see how we are doing and where we need improvement.

But keep this in mind: You have to make sure there’s no retribution for mistakes. If someone clicks through an attack, you shouldn’t name and shame. These attacks can happen to anyone. In fact, I’ve been phished—and I have years of training, I’m very technical, and I’m highly suspicious!

The key is to build a process that promotes ongoing improvement. If you create awareness, provide individualized instruction, and test employees with phishing tools, your risk scores will improve—usually at a rate of about 60% in the first year.

Up next: In part two of this article, I’ll dive into another way to protect the enterprise from malicious attacks: Patching systems. Stay tuned for more.

Bob Thibodeaux

Chief Information Security Officer

Bob has more than 25 years of experience as a senior security expert and highly accomplished IT executive and engineer. Through leadership positions managing IT departments and programs, technology operations and data center operations, Bob has driven innovative process improvements, disaster recovery programs, information security strategies, and audit and compliance improvements. He has been responsible for incident response, risk management and penetration testing for community-focused banks, credit unions and high-tech companies across the United States. Bob is a Certified Information Systems Security Professional, Digital Forensics Examiner and GIAC Penetration Tester. Bob holds a degree in Business and Management from the University of Maryland and is a retired USAF Senior Master Sergeant.