How To Build A Human Firewall In 5 Steps
A practical guide with real-world examples, use cases, and recommendations.
Human Firewall Definition
A "human firewall" is an individual trained to detect and prevent cybersecurity attacks using only their intuition and adherence to healthy cybersecurity practices. Once a human firewall is in place, it becomes the first and most effective line of defense, often filling the gap where technical controls fail or don't exist.
How To Build A Human Firewall From Scratch
Creating a human firewall isn't simply a matter of purchasing a tool, implementing a policy, or threatening punitive action. It's the aggregation of cybersecurity controls that combine people, processes, and technology.
In the following steps, we'll outline the specific order for turning your employees from potential victims into human firewalls.
Step 1. Create An Information Security Policy Suite
The one consistent thing with humans is that we're all different. We all have our own perception of what's good or bad, with varying shades of grey in between.
An Information Security Policy Suite acts as a great unifier. It provides clearly defined controls and practices that must be followed to maintain an organization's cybersecurity posture. Without these policies, there is no baseline for employees to align with and, worst of all, no guide telling employees what they should be doing to detect, prevent, or respond to potential cybersecurity attacks.
The policies included in an Information Security Policy Suite need to be expansive and address the variety of scenarios that an individual employee could encounter in their day-to-day work. It's also important to review your cybersecurity compliance and regulatory obligations to ensure your policies meet their requirements. As a starting point, the team at CanIPhish has outlined 16 security policies to include in your policy suite.
Step 2. Implement Strong Technical Security Controls
Expecting individual employees to become human firewalls without strong technical security controls backing them up is like dropping someone in the middle of a jungle without any water, tools, or equipment to survive. Sure, your average survival expert could make it out alive, but most people won't be so fortunate.
Technical security controls provide much-needed assistance to ensure the security of your organization. They can turn severe security incidents into minor ones while significantly reducing the likelihood of a security incident happening at all.
Typically, technical security controls should be aligned to cybersecurity policies, which themselves are aligned to cybersecurity compliance and regulatory frameworks. These frameworks are often expansive and can include hundreds of controls; however, if you want to prioritize a set of controls above the rest, look no further than the Australian Signals Directorate (ASD) Essential Eight.
The ASD Essential Eight is a set of mitigation strategies and controls that have become the global standard on what can be done to mitigate the most cybersecurity threats with the least amount of effort.
Step 3. Establish A Security Awareness Training Program
Consistent practice is the key to mastering any skill, and cybersecurity is no different. A mixture of self-paced training and risk-based simulated phishing is a great way to achieve this goal.
Self-Paced Training Assignments
To turn a potential victim into a human firewall, they must receive consistent training that increases in complexity and difficulty as they progress through their security awareness training journey.
If training stays too simple, the learner gets bored; if it becomes too complex too fast, they'll feel confused and dissatisfied. It's for this reason that training should be staggered, ideally as small, bite-sized lessons delivered monthly that build on and reinforce the learning from prior months.
Risk-Based Phishing Simulations
Phishing simulations are a necessary evil. They're a simple and effective way to detect if an employee is prone to phishing attacks, but they're also widely disliked by employees.
Risk-based phishing is a great way to help lessen the downsides while obtaining all the upsides of phishing simulations. You can profile employees based on their prior interactions with simulated phishing material and tweak the difficulty and frequency at which they receive simulated phishing attacks. Ideally, your higher-risk employees should receive easier-to-detect phishing material more frequently, while lower-risk employees receive the inverse of this.
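The risk-based scheduling described above, as an added example that is not CanIPhish's own code: each employee's prior interactions with simulated phishing are weighted into a risk score, and the score decides both the difficulty of the next lure and how often they receive one. The outcome weights, tier thresholds and schedule are assumptions chosen for illustration; the employee histories are constructed.

```python
from dataclasses import dataclass

# Weight of one past outcome (assumption: reporting is rewarded, credential
# submission is penalised most). "ignored" means the lure went unanswered.
OUTCOME_WEIGHTS = {"reported": -2, "ignored": 0, "opened": 1, "clicked": 3, "submitted": 5}

# Risk tier -> (difficulty of the next lure, days between simulations).
# Higher-risk employees get easier-to-spot lures more often; lower-risk employees
# get harder lures less often, as the text recommends.
TIER_SCHEDULE = {"high": ("easy", 14), "medium": ("medium", 30), "low": ("hard", 90)}


@dataclass
class Employee:
    name: str
    history: list  # past outcomes, oldest first, e.g. ["ignored", "clicked", "reported"]


def risk_score(history):
    """Weighted sum of past outcomes, with recent results counting more than old ones."""
    if not history:
        return 1.0  # never tested: start in the medium tier rather than assuming low risk
    n = len(history)
    score = 0.0
    for i, outcome in enumerate(history):
        recency = (i + 1) / n  # oldest result ~0, newest result 1.0
        score += OUTCOME_WEIGHTS[outcome] * recency
    return round(score, 2)


def risk_tier(score):
    """Map a score onto the three tiers used by TIER_SCHEDULE (thresholds are assumptions)."""
    if score >= 3:
        return "high"
    if score >= 0.5:
        return "medium"
    return "low"


def next_simulation(emp):
    """Decide what the employee's next simulated phish should look like and when it is due."""
    tier = risk_tier(risk_score(emp.history))
    difficulty, interval_days = TIER_SCHEDULE[tier]
    return {"employee": emp.name, "tier": tier, "difficulty": difficulty, "interval_days": interval_days}


if __name__ == "__main__":
    # Constructed sample histories.
    for emp in (Employee("Alice", ["clicked", "clicked", "submitted"]),
                Employee("Bob", ["opened", "reported", "reported"]),
                Employee("Carol", [])):
        print(next_simulation(emp))
```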
Step 4. Promote A Culture Of Positive Cybersecurity Behaviors
Lower-level employees will typically mirror the actions of their direct superiors. For this reason, a culture of positive cybersecurity behaviors needs to be developed from the top down. Activities that can help with this include but are not limited to:
- Encourage an open dialogue: Foster an atmosphere of positivity and collaboration in which employees feel comfortable sharing tips and tricks with colleagues.
- Create cyber ambassadors: Identify cybersecurity champions and nominate at least one employee from each team or department to act as a cybersecurity ambassador.
- Introduce friendly competition: Different people are motivated by different things, but a common denominator among us is the urge to win. Competition can be used to help reinforce positive behaviors observed in the workplace.
- Lead by example: Hold leadership teams to the same or a higher standard than employees are held to. Lower-level employees will passively observe and instinctively replicate leadership teams' positive or negative behaviors. When it comes to cybersecurity, the difference between an attempted and a successful cyber intrusion can come down to a single cybersecurity practice being followed or ignored.
Step 5. Monitor Emerging Trends And Continuously Improve
The tactics and techniques that cybercriminals use to attack businesses and consumers are dynamic and constantly evolving. Without constant supervision of these trends, employees can quickly fall behind on what to look out for and what best practices to follow. To address this need, we recommend:
- Send monthly cybersecurity newsletters: Keep employees aware of any recent changes in the cybersecurity landscape.
- Leverage cybersecurity awareness month: Shake up the status quo and open up the opportunity for a different type of dialogue between employees.
- Periodically review security awareness training activities: Ensure emerging trends are formally addressed as part of future training activities.
Good And Bad Examples Of A Human Firewall
To know what a good human firewall looks like, we also need to know the bad. By providing these examples, we hope you build a frame of reference for what the potential upsides and downsides look like.
Bad Example: Stake.com Breach (Social Media Scam)
On September 4th, 2023, the online cryptocurrency casino Stake.com was hacked, and USD $41 million worth of Bitcoin and Ethereum was stolen from its hot wallet.
The cause of this breach was a Software Developer from Stake.com who fell for a LinkedIn Job Scam after being contacted by a fake recruiter from Binance. In reality, this fake recruiter was actually a member of the Lazarus Group, which is alleged to be run by the Government of North Korea.
The LinkedIn Job Scam worked by convincing the employee to transition from LinkedIn Messenger to WhatsApp. Once on WhatsApp, the recruiter convinced the Software Developer to clone and run a GitHub project under the guise of a technical interview to determine if they had suitable software development skills. Once the GitHub project was run, the employee's personal laptop was compromised.
Unfortunately, this employee hadn't been practicing good security hygiene and was using their personal laptop for work-related software development, even though they had a corporate laptop. Accordingly, their personal laptop had access to Stake.com source code, passwords, and secret keys, which were ultimately used to compromise the service that interacted with and exchanged funds with the Stake.com hot wallet.
The result was that the Lazarus Group hackers were able to extract funds from the Stake.com hot wallet remotely.
Good Example: The Average Human Firewall (Social Media Scam)
Let's use the Stake.com breach but put a human firewall in place of the vulnerable software developer who ultimately caused it.
Your human firewall receives an unsolicited job offer from an unknown LinkedIn profile posing as a recruiter at a well-known company. Immediately, your human firewall deems the conversation suspicious because LinkedIn doesn't provide verification of identities, and anyone can create an account posing as anyone. Regardless of their suspicion, they continue the discussion until the recruiter asks to switch to WhatsApp, another communication method that does not verify the recruiter's identity. At this point, your human firewall goes from suspicion into a fully alarmed state and requests instead that the conversation be continued over email. This request is because your human firewall can verify the recruiter's employment by looking at the domain in their email address and cross-referencing it with the domain of the company they're supposedly representing.
Because of this human firewall's due diligence, they were able to stop a potential breach in its tracks, saving their company from a costly cyber intrusion.
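The cross-referencing step the human firewall performs above (comparing the domain in the recruiter's email address with the company's official domain), written out as an added example that is not part of the original article. It goes slightly beyond the text by also catching the common ways a domain can merely resemble the real one: a display name that names the company while the address is elsewhere, the real domain embedded as a subdomain of an unrelated one, a hyphenated lookalike, and non-ASCII characters. The company domain `examplecorp.com`, the sender addresses and the short suffix list are all constructed for this example.

```python
from email.utils import parseaddr

# Suffixes under which the registrable domain has three labels, e.g. "acme.com.au".
# Assumption: a short list suffices here; production code would use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.au", "co.uk", "com.br", "co.nz"}


def registrable_domain(host):
    """Return the part of a hostname a company actually controls ('mail.examplecorp.com' -> 'examplecorp.com')."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def verify_recruiter_domain(from_header, company_domain):
    """Cross-reference the sender's email domain with the company the recruiter claims to represent."""
    display_name, address = parseaddr(from_header)  # the display name is never trusted
    if "@" not in address:
        return {"verdict": "reject", "reason": "no usable email address in From header"}
    host = address.rsplit("@", 1)[1]
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return {"verdict": "reject", "reason": f"non-ASCII domain {host!r} (possible homoglyph)"}
    sender = registrable_domain(host)
    expected = registrable_domain(company_domain)
    if sender == expected:
        return {"verdict": "accept", "reason": f"{host} belongs to {expected}"}
    # Substring matches are the lookalike cases: "examplecorp.com.apply.example"
    # or "examplecorp-careers.com" are not controlled by examplecorp.com.
    if expected in host or expected.split(".")[0] in sender:
        return {"verdict": "reject", "reason": f"{host} only resembles {expected}"}
    return {"verdict": "reject", "reason": f"{host} is unrelated to {expected}"}


if __name__ == "__main__":
    # Constructed From headers a recruiter might use.
    for hdr in ("Jane Doe <jane.doe@examplecorp.com>",
                "Jane Doe <jane.doe@mail.examplecorp.com>",
                "ExampleCorp Talent <talent.examplecorp@gmail.com>",
                "hr@examplecorp.com.apply-now.example",
                "hr@examplecorp-careers.com"):
        print(hdr, "->", verify_recruiter_domain(hdr, "examplecorp.com"))
```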
Frequently Asked Questions
Are Human Firewalls Important?
Humans are unmatched in their ability to solve complex problems. This capability is deeply rooted in evolutionary history, and it gives us a leg-up over the current state of Artificial Intelligence (AI) and other forms of technical security controls.
Because of this, humans are often the stop-gap where technical controls fail or simply don't exist. If the human who receives a cyber attack isn't trained, they'll likely become a victim; if they are trained, they'll act as a human firewall. The training needed to turn a human victim into a human firewall is typically far less costly than a cyber intrusion, making human firewalls crucial to the cybersecurity posture of any given organization.
What's The Difference Between A Human And Network Firewall?
Network firewalls are a technology used to prevent the connection of any unauthorized inbound or outbound digital network communication. In contrast, human firewalls act more broadly in scope and instead rely on training and instinct to detect and prevent potential cyber intrusions as they appear.
Are Human Firewalls Impenetrable?
No. Humans are prone to mistakes, and a human firewall should never be treated as the only line of defense. They should instead be used as part of a defense-in-depth strategy so that the failure of one line of defense doesn't result in the total compromise of an organization.
By bolstering human firewalls with a myriad of supporting processes and technologies, we can improve their effectiveness while also minimizing the opportunities for a cybercriminal to exploit any weakness in them.
Sebastian Salla
A Security Professional who loves all things related to Cloud and Email Security.