How empowering your employees can make them your greatest cyber security asset.

More than 90% of breaches involved some degree of human error in 2021[1], according to Mimecast’s latest State of Email Security report. Poor password hygiene, phishing attacks and misuse of personal email all contribute to this alarming statistic, making it easy to see employee naivety as one of the greatest security challenges facing businesses today.

Yet if 90% of breaches involved a human element, 90% could also be prevented by one — so instead of viewing your employees as your greatest weakness, consider how they could actually become your greatest asset…

What is the human firewall?

Organisations have long deployed firewalls as part of the protection layer of their cyber security strategy, typically protecting a business from the network edge by monitoring and controlling traffic based on predetermined rules. But as threats become ever more sophisticated, now often incorporating some element of social engineering, another kind of firewall is required: a human firewall.

While a technical firewall mediates network traffic, a human firewall is the human layer of protection, created and maintained through ongoing education and including all workers across the business — not just a single person or team.

True cyber resilience requires a human firewall in which every employee is trained, equipped and empowered to identify events and behaviours that may otherwise go unnoticed by automated software, e.g. emotive or out-of-character language encouraging an end user to click a link in an email.

The missing piece

90% of breaches could be prevented by empowering and educating your employees, yet only 23% of companies provide cyber awareness training on an ongoing basis[1].

The key word here is ‘ongoing’: as new threats continue to appear and evolve, the human firewall should be supported and optimised through education, simulation and training that is made relevant to each employee’s specific role in the company.

This is why infrequent security awareness training isn’t enough to reduce risk: it doesn’t achieve the goal of behaviour change, i.e. an employee knowing what to do when they suspect a threat. A solid, ongoing training programme with regular attack simulations and incentivisation is not only more effective at protecting your business, but it’s also quantifiable, with metrics to prove that behaviour change is being achieved.
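As an added illustration of what “quantifiable with metrics” can look like in practice (this is example code written for this page, not a Bistech or Mimecast tool), the script below takes the raw results of a phishing-simulation programme, one record per employee per campaign, and derives the figures a security team would track to demonstrate behaviour change: click rate and report rate per campaign, median time-to-report, the staff who have clicked in more than one campaign and therefore need targeted follow-up, and the change in rates between the first and latest campaign. All campaign names, user names and timings are constructed sample data, and the record format is an assumption; real simulation platforms export different fields.

```python
"""Phishing-simulation programme metrics (added example; all data below is constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class SimResult:
    """One employee's outcome in one simulated phishing campaign (assumed record format)."""
    campaign: str                     # e.g. "2022-Q1" (constructed label)
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime]    # None if the link was never clicked
    reported_at: Optional[datetime]   # None if the email was never reported


# Constructed sample data: three quarterly campaigns sent to the same six staff.
T0 = datetime(2022, 1, 10, 9, 0)


def _r(campaign, user, quarter, clicked=None, reported=None):
    """Build a record; `clicked`/`reported` are minutes after the email was sent."""
    base = T0 + timedelta(days=90 * quarter)
    return SimResult(
        campaign, user, base,
        base + timedelta(minutes=clicked) if clicked is not None else None,
        base + timedelta(minutes=reported) if reported is not None else None,
    )


SAMPLE = [
    _r("2022-Q1", "alice", 0, clicked=5),
    _r("2022-Q1", "bob", 0, clicked=12),
    _r("2022-Q1", "carol", 0, reported=30),
    _r("2022-Q1", "dave", 0, clicked=3),
    _r("2022-Q1", "erin", 0),
    _r("2022-Q1", "frank", 0, clicked=40),
    _r("2022-Q2", "alice", 1, reported=8),
    _r("2022-Q2", "bob", 1, clicked=20),
    _r("2022-Q2", "carol", 1, reported=4),
    _r("2022-Q2", "dave", 1, clicked=15, reported=16),   # clicked, then reported it
    _r("2022-Q2", "erin", 1, reported=60),
    _r("2022-Q2", "frank", 1),
    _r("2022-Q3", "alice", 2, reported=3),
    _r("2022-Q3", "bob", 2, clicked=9),
    _r("2022-Q3", "carol", 2, reported=2),
    _r("2022-Q3", "dave", 2, reported=7),
    _r("2022-Q3", "erin", 2, reported=5),
    _r("2022-Q3", "frank", 2, reported=25),
]


def campaign_metrics(results):
    """Per-campaign counts, click rate, report rate and median minutes-to-report."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    out = {}
    for name, rows in sorted(by_campaign.items()):
        sent = len(rows)
        clicked = sum(1 for r in rows if r.clicked_at is not None)
        reported = sum(1 for r in rows if r.reported_at is not None)
        ttr = sorted((r.reported_at - r.sent_at).total_seconds() / 60
                     for r in rows if r.reported_at is not None)
        median_ttr = ttr[len(ttr) // 2] if ttr else None   # upper median
        out[name] = {
            "sent": sent, "clicked": clicked, "reported": reported,
            "click_rate": clicked / sent, "report_rate": reported / sent,
            "median_minutes_to_report": median_ttr,
        }
    return out


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns: candidates for targeted training."""
    counts = defaultdict(int)
    for r in results:
        if r.clicked_at is not None:
            counts[r.user] += 1
    return sorted(u for u, n in counts.items() if n >= min_clicks)


def behaviour_change(metrics):
    """Change in click and report rate from the earliest to the latest campaign."""
    names = sorted(metrics)
    first, last = metrics[names[0]], metrics[names[-1]]
    return {
        "click_rate_delta": last["click_rate"] - first["click_rate"],
        "report_rate_delta": last["report_rate"] - first["report_rate"],
    }


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE)
    for name, row in m.items():
        print(f"{name}: click {row['click_rate']:.0%}, report {row['report_rate']:.0%}, "
              f"median report time {row['median_minutes_to_report']} min")
    print("repeat clickers:", repeat_clickers(SAMPLE))
    print("change first->last:", behaviour_change(m))
```

The two figures worth reporting to the business are the report rate (the behaviour the training is trying to create) alongside the click rate, because a falling click rate alone can reflect staff ignoring email rather than recognising and escalating it; the repeat-clicker list is what turns the numbers into a targeted training plan rather than a blanket annual course.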

And because employees who receive consistent training are five times more likely to spot and avoid clicking on malicious links[1], it’s crucial to take the time to build a security-minded workforce as an additional layer to your defensive strategy.

Planning the way ahead

From a security auditing perspective, firewall and other system logs must be monitored 24/7, yet employee awareness training is typically only required once a year. When the human element is so significant, it’s time to question this and empower employees as part of a wider defence in this ever-changing threat landscape.

At Bistech, we take a long-term, holistic approach to security. We work in partnership with our customers to create a robust and multi-layered cyber security posture that’s tailored to their wider business goals. To discuss your security strategy, call our specialist team today on 03330 11 22 55.


[1] Mimecast (2022), ‘The State of Email Security 2022: Confronting the new wave of cyberattacks’.