Building Human Firewalls: 10 Steps to Cyber Awareness [Part 1]

Posted by Tim Femister on Oct 23, 2018 10:00:00 AM

The best defense against modern cybersecurity threats is not based on technology at all. While there’s currently a great deal of focus on Artificial Intelligence (AI), good-ole human intelligence is the secret ingredient. To effectively prevent your organization from falling victim to cyber attacks, it’s essential that your employees develop strong cyber instincts. We constantly coach customers on the idea that the strongest firewall you can own is a resilient, human firewall. The statistics are staggering: spear phishing accounts for 95% of enterprise network attacks, according to the SANS Institute.

Spear phishing is the most effective form of phishing, whereby hackers perform advanced reconnaissance and target specific individuals via email. More than ever before, our lives – not just our organizations – are represented digitally. Popular, reputable research sites and professional networking sites like LinkedIn make it easy to determine critical targeting variables, including company name, position, management structure, location, email, phone number, and more. Leveraging this information, an attacker can – with a high degree of confidence – craft a message to an employee posing as a reputable contact. This employee must act as a human firewall, defending your organization against the attempted attack.

In this blog post, I will share the first 5 steps to creating a cyber aware culture within any organization — a culture capable of effectively defending against modern threats.

1. Awareness Program Envisioning

We always encourage customers to start with posture before product. It’s important to review the current state of the program to determine what’s working and what’s not. If a program doesn’t exist, realize that you’ll need to take measurable steps and overcommunicate to ensure your messages resonate with employees.

2. Policy + Process Development

Now it’s time to develop specific policies and processes that will support the overall program. Solid policies set the foundation for structure and governance. End-user, executive, and IT teams need to possess a clear understanding of the expectations set forth by the policies. These policies will govern not just the actions of users, but also the program itself. From there, processes need to be established based on policies to ensure there’s clarity of action.

3. Scenario Building

We also want to thoroughly identify what we’re trying to protect. A fundamental element of the NIST 800-53 CSF is Identification. It’s difficult to protect something that you don’t know exists.

4. Engaging Trainings

Here’s the truth: A basic, online annual training isn’t going to generate mindfulness. It may check a compliance or policy box, but it won’t establish robust human firewalls. Trainings need to be engaging and provided in multiple formats. Users need to understand why it matters. It should be made clear that every single day, malicious actors are looking for people just like them to trick, deceive, and, ultimately, exploit.

5. Mindfulness

Next, we want to maintain mindfulness. Breakrooms and hallways should have easily understandable awareness posters in each and every office. Digital signage screens should have awareness graphics in the rotation. We’re looking for simple reminders and messages that convey, “Hey—you there! Yeah, you – think before you click.” You’re not trying to teach it all in one short message, but rather maintain awareness.

These are the first 5 steps to establishing a sustainable and effective cyber awareness program and culture. Continue on to the second part of this blog series, where I walk through the next 5 steps—or if you are looking for a deeper dive into these 10 steps, download the full guide below!

10 Steps to Cyber Awareness

Are your employees equipped to act as a human firewall, defending your organization against attempted cyber attacks?

Download the full guide for an extended overview of ConvergeOne’s 10 steps to creating a cyber aware culture, including key questions and ideas for tackling each step. The final 5 steps are examined in the guide:

  • Organizational Communications
  • Phishing Simulations
  • Social Engineering Assessments
  • Metrics + Reporting
  • Regular Optimization


Topics: Phishing, Cyber Security, Cyber Awareness


Tim Femister is the senior leader for ConvergeOne’s award-winning Cloud, Cybersecurity, and Infrastructure Solutions. Tim is fiercely passionate about helping organizations connect, protect and leverage their digital assets in a manner that drives transformational value. He is a keynote speaker and presenter on topics related to digital, cloud and security transformation, as well as an active member of the Forbes Technology Council, a contributor to and featured in local and national media and entertainment coverage.