When you think of your business’ security, what comes to mind?

Your password?
Your website restrictions?
Email filters?
Network firewall?
What about your human firewall?

Let’s face it, data breaches are fast becoming a probability rather than a mere possibility today. Gone are the days when business leaders could naively shake off the threat with an air of “it’ll never happen to us.”

But while developing a solid defense-in depth strategy is key, your tech is only one piece of your protection pie.

EB_Gold_ArrowHaving the right tools and policies in place is important, but you need to consider how your staff fits into the mix.


Social engineering tactics like email phishing still reign supreme. Today’s cyber-criminals know on a very basic level that your people are your business’s biggest weakness – and they’re looking to capitalize on it.

Security needs to be everyone’s responsibility. Your strongest defense is to build a solid human firewall. This requires looking beyond leading security tools or whitelisting tactics, and focusing on securing your people instead.

So, how do you secure your people against today’s modern cyber-threats?
Build your organization’s human firewall by focusing on the following three areas.

Hone & Adapt

Instead of a “one-and-done” approach to awareness training, break staff into smaller segments. Not only will this make the training more direct, but grouping team members by their roles or learning styles will allow you to target your message more effectively. A team of engineers, for example, will want a more technical style of training than, say, your marketing team.

Remain focused on the same high-risk areas in each training session – explaining policy and procedure in a What-Why-How model – but tailor to your audience. Not only will the smaller trainings be more interactive, but the message will be better received to actually improve participation.

Fresh Perspectives

Ever wonder why the more emails you send out to your team, the less they seem to know?

It’s likely because, despite your best efforts, they don’t find the information interesting or relevant to their day-to-day. You can’t repetitively distribute the same, tired security reminders and be surprised when engagement doesn’t improve.

Staying relevant to the latest cyber-crime news will keep your team informed and interested. Change up your communications with new impact drivers and “take homes” that they can apply to both their professional and personal lives.

It can also help to put a fun, competitive spin on your messages to drive staff engagement. Consider gamifying your security initiative with a gift card incentive for those “caught in the act” of doing good or a free lunch to the team that’s most policy compliant every quarter.

Build a Diverse Crew

It can also be helpful to form an internal “security squad” to reinforce your security practices on a more personal level.

Just as with other internal ops teams, it’s important to have a diverse group of members beyond just inherent “techies.” This group will serve as your front line. They’ll build excitement across your organization and will be the face of your security policies. They will also be your best bet to ensure training takeaways are actually being put to practice, and they can lead fun, protection-focused campaigns to increase participation.


Along with these tips, lean on industry best practice to define your business’ security policies and build out your awareness program. Sites like SANS Institute’s Tip of the Day and SecuringtheHuman.org are great resources to get started.


Mike Arvidson is the executive leader of Eide Bailly Technology Consulting’s Infrastructure Services. With more than 20 years of experience in the IT industry, Mike’s wealth of knowledge includes network systems implementation, integrated new technologies, and information security.


Topics: Business Leadership, IT Infrastructure & Security