Defence in Depth Layer 5: The Human Layer

Although the previous four layers (Email and Web Security, Perimeter Security, Internal Network and Access Security, and Endpoint Security) should stop most cyberattacks, some will get through them, so employees need enough cyber security knowledge to recognise a potential attack and report it accurately and quickly. The two main concepts within this layer are the human firewall and cyber security training.

What is a human firewall?

A human firewall plays the same role as a traditional firewall, but instead of an IT system it is the employees of a business, given the tools and education to reduce cyber risk. Employees are taught how to identify suspicious emails and avoid phishing attempts, and how to report security incidents to the right people, such as the IT or security team. In most businesses, a large proportion of employees have some access to sensitive company and customer data, so everyone plays a role in securing the business.

Cyber security training and development

Businesses build the human firewall through regular training and education, backed by clear policies and procedures that employees actually understand. The training programme should give employees the skills to detect a potential cyberattack and the knowledge of what actions to take to reduce the chance of falling victim to it, including a simple, blame-free way to report anything suspicious.

List of common cyber security training

Simulated Phishing Exercises

Employees are sent simulated phishing emails that mimic real-life phishing attacks. These exercises help employees learn to identify suspicious emails and avoid clicking on links or opening attachments that may contain malware. The useful metric is the reporting rate rather than just the click rate, and anyone who clicks should get immediate, non-punitive feedback explaining which clue they missed.

Phishing Awareness Training

Phishing Awareness Training educates employees on the different types of phishing attacks, how to spot them, and how to report them. This type of training may include information on social engineering tactics, the anatomy of a phishing email, and how to verify the legitimacy of an email: checking that the sender's domain is really the organisation's domain and not a lookalike, noticing a Reply-To that differs from the sender, and hovering over links to see whether the visible text and the actual destination agree.
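The indicators listed above can be checked mechanically, which is also a good way to show trainees what "verifying an email" means in practice. The following is an added example, not code from the original article or from any vendor's product: it parses a raw message with Python's standard library and reports sender/Reply-To mismatches, lookalike sender domains, failed SPF/DKIM/DMARC results in the Authentication-Results header, punycode link hosts, and links whose visible text names a different host than the href. The two sample messages and the TRUSTED_DOMAINS list are constructed for the demo, and the edit-distance threshold of 2 is an assumption.

```python
"""Flag common phishing indicators in a raw RFC 5322 message.

Added example (not from the original article). The sample messages and the
TRUSTED_DOMAINS tuple are constructed for the demo; the lookalike threshold
is an assumption, not a rule from any product.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser

# Domains the (hypothetical) organisation expects internal mail from; constructed.
TRUSTED_DOMAINS = ("example.com",)


def domain_of(addr) -> str:
    """Return the lowercase domain part of an address header ('' if none)."""
    _, email_addr = parseaddr(str(addr))
    return email_addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Host part of an http(s) URL, or '' if the string is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # Lookalike: very close to a trusted domain, but not actually one of them.
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and 0 < edit_distance(from_dom, trusted) <= 2:
            findings.append(f"From domain {from_dom!r} is a lookalike of trusted {trusted!r}")

    # Results stamped by the receiving mail server (trust only your own MX's header).
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth, re.I):
            findings.append(f"{mech.upper()} did not pass: {auth.strip()}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host, text_host = host_of(href), host_of(text)
            if "xn--" in href_host:
                findings.append(f"Punycode (IDN) host in link: {href_host}")
            if text_host and text_host != href_host:
                findings.append(f"Link text shows {text_host} but points to {href_host}")
    return findings


# Constructed sample: lookalike sender, foreign Reply-To, failed auth, deceptive link.
SAMPLE_PHISH = b"""\
From: "Example Payroll" <hr@examp1e.com>
Reply-To: collect@mail-drop.invalid
To: staff@example.com
Subject: Action required: confirm your bank details
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body><p>Please sign in at
<a href="http://login.xn--exampl-8va.com/verify">https://portal.example.com</a>
within 24 hours.</p></body></html>
"""

# Constructed sample: genuine internal notice that should produce no findings.
SAMPLE_LEGIT = b"""\
From: "IT Service Desk" <it@example.com>
To: staff@example.com
Subject: Maintenance window Saturday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://intranet.example.com/maint">https://intranet.example.com/maint</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

The Authentication-Results check only means something when the header was added by your own receiving server (an attacker can include a fake one, and MTAs should strip incoming copies), which is itself a point worth making in training.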

Social engineering Awareness Training

This educates employees on how attackers manipulate people rather than systems, through pretexting, impersonation over the phone, and tailgating into the office, and on the physical security measures that blunt these tactics, such as locking computers when stepping away, challenging unescorted visitors, and securing sensitive documents.

Social Engineering Role-Playing Exercises

Role-playing exercises can help employees to practice recognising and responding to social engineering tactics in a safe and controlled environment.

Password Management Best Practices

Password hygiene training educates employees on best practices for managing passwords: never sharing or reusing them, using a password manager so that each account has a long, unique password, and changing a password promptly whenever it may have been exposed. Note that forced periodic rotation is no longer recommended (NIST SP 800-63B advises against mandatory periodic changes, because they push people towards predictable variations); length and uniqueness matter more than complexity rules.

Multi-Factor Authentication (MFA) Training

MFA is an additional layer of security that requires users to provide more than one form of authentication (something they know, have or are) to access an account or system. This training helps employees understand why MFA matters, how to set it up for their accounts, and why they should never approve a push prompt or hand over a code they did not request, since attackers phish MFA codes too. Where possible, prefer phishing-resistant factors such as FIDO2/WebAuthn security keys over SMS codes.
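To make the "something you have" factor concrete, here is an added example (not code from the original article or from any authenticator vendor) of the time-based one-time password used by authenticator apps, written against RFC 4226 (HOTP) and RFC 6238 (TOTP) with only Python's standard library. The shared secret is the published RFC 6238 test secret, so the output can be checked against the RFC's own vectors; the issuer and account names in otp_uri are invented for the demo, and the one-step drift window is an assumption.

```python
"""TOTP as used by authenticator apps: RFC 4226 HOTP under an RFC 6238 time step.

Added example (not from the original article). RFC6238_SECRET is the test
secret from RFC 6238 Appendix B; issuer/account names below are invented.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC the 8-byte counter, dynamically truncate, keep `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and `window` steps either side (clock
    drift), comparing in constant time so timing does not leak which digits matched."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step, digits), candidate)
        for k in range(-window, window + 1)
    )


def otp_uri(secret: bytes, issuer: str, account: str) -> str:
    """otpauth:// URI, i.e. the contents of the enrolment QR code scanned by the app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"


RFC6238_SECRET = b"12345678901234567890"  # test secret from RFC 6238 Appendix B

if __name__ == "__main__":
    # Reproduce the RFC 6238 Appendix B SHA-1 vectors (8-digit codes).
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC6238_SECRET, t, digits=8))
    # Enrolment: a fresh 160-bit secret, shared once via the QR code, then a live code.
    fresh = secrets.token_bytes(20)
    print(otp_uri(fresh, "Example Corp", "alice@example.com"))
    now = int(time.time())
    code = totp(fresh, now)
    print("code:", code, "accepted:", verify_totp(fresh, code, now))
```

Two things the code makes visible that a tick-box "enable MFA" instruction does not: the secret is shared, so the server must store it as carefully as a password hash's input, and the code is only bound to time, not to the site, which is exactly why a real-time phishing proxy can relay it and why FIDO2 keys (whose signature is bound to the origin) resist that attack. A production verifier should also remember the last accepted counter so a captured code cannot be replayed within the window.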

Access Control Training

Access Control Training educates employees on best practices for controlling access to physical assets. This includes using ID cards, security badges or biometric authentication, never lending a badge to someone else, and not holding secure doors open for people who have not badged in.

Device Security Training

This teaches best practices for securing physical devices such as laptops, smartphones and other mobile devices, how to prevent them from being lost or stolen, and what to do if one is: report it immediately so that the device can be remotely locked or wiped and its credentials revoked.

Mobile data and device security training

Mobile training focuses on protecting sensitive information on employees' mobile devices: turning on device encryption and a screen lock, keeping the operating system and apps updated, and avoiding untrusted public Wi-Fi networks (or using the company VPN when they are unavoidable).

App Security Training

App security training teaches employees how to identify and avoid malicious apps, installing only from official app stores, and how to configure app permissions (contacts, location, camera, storage) so that an app can only reach the data it genuinely needs. This matters most in remote and hybrid work, where personal and unmanaged devices are more often used for company data. The training should be interactive and specific to the business and industry.

Remote Access Risks Training – for hybrid workers

Remote access tools are a common target for cybercriminals seeking unauthorised access to a company's systems or networks, whether through stolen credentials, exposed remote desktop services or unpatched VPN appliances. Training can teach employees how to use remote access tools such as virtual private networks (VPNs) properly, never to share or reuse the credentials for them, and how to identify and report suspicious activity, such as login prompts or MFA requests they did not initiate.

43% of employees say they’ve made a mistake at work that compromised cybersecurity

Source: Tessian