The Spanish National Cybersecurity Institute about the human firewall

Kymatio INCIBE Human Firewall

Risks in the field of information security are constantly evolving: cyberattack vectors are increasingly sophisticated and complex, and they make massive use of social engineering to reach their potential victims. For this reason, in order to reduce risk and ensure a greater degree of protection, it is always necessary to stay one step ahead.

To achieve this, we will have to go beyond the security provided by technological elements and build a defense system based on people, known as the human firewall.

It is a concept that INCIBE has already echoed on several occasions, and one that turns the company's workers into an important defense mechanism against a cyberattack.

At Kymatio we share this vision and work on the activation of human firewalls, considering that continuous management of internal, people-focused cyber risk is necessary, since employees have vulnerabilities and are exposed to threats. Therefore, we provide the tools needed to work in this segment of risk.

The full article is available in Spanish, and we recommend reading it in full: «Fighting against social engineering: the human firewall» (INCIBE), where the concept of the human firewall, the strengthening of the chain and its links, training and awareness, social engineering, etc. are defined.

Source: National Cybersecurity Institute of Spain (INCIBE). URL:

We offer a summary below.

INCIBE. Fighting social engineering: the human firewall

In the business field, when we talk about cybersecurity, we do not refer only to the technical measures, technologies or processes necessary to guarantee the protection of information. We cannot forget that the user is the most important link in the security chain: their action or inaction will be decisive when it comes to correcting vulnerabilities, protecting themselves against cyberattacks or avoiding the traps set by cybercriminals.

Information security is constantly evolving, as cyberattack vectors become increasingly sophisticated and complex and make greater use of social engineering to reach their potential victims. For this reason, in order to reduce risk and ensure a greater degree of protection, it is always necessary to stay one step ahead.

To achieve this, we will have to go beyond the security provided by technological elements and build a defense system based on people, known as the human firewall. It is a concept that we have already talked about on occasion, and one that turns the company's workers into an important defense mechanism against a cyberattack.

What is a human firewall?

It is the commitment acquired by a group of people, in this case the workers of an organization, to implement the measures, both preventive and reactive, whose objective is to put cybersecurity into practice.

As technological protection measures evolve and protect our information systems better and better, cyberattacks are focusing on provoking user error. For this reason, it is often said that the user is one of the weakest links in the cybersecurity chain, and that is precisely what makes the user the most important link.

Training and awareness

If we want a true human firewall that strengthens the chain, we will have to ensure that our employees know, understand and comply at all times with all the cybersecurity rules and protection measures that are in place, and that they are warned of the risks associated with bad practice, both with the devices and with the solutions within their reach. To achieve this we must:

  • Ensure proper dissemination of security policies: document them, explain them thoroughly and keep them within reach of all company personnel.
  • Define a training plan that covers the basic procedures and controls, duly informing staff of the rules, laws or contracts that govern the organization, and making clear the protection measures associated with each job, which applications are allowed, how personal data must be handled, etc.
  • Establish specific training programs for certain profiles or employees, whether support technicians, system administrators or new hires.
  • Define training periods. In this way, training actions can be scheduled around cybersecurity updates, to reinforce the weaknesses detected or to emphasize the most important messages.
  • Require that the external entities we interact with (suppliers, partners, service providers) align their cybersecurity policies with ours.
  • Evaluate the learning achieved, which helps determine the degree of awareness reached and the weaknesses that still need to be reinforced.

Social engineering

It is one of the most widely used techniques for getting around the technological defenses of any organization. Its main objective is to bypass them by shifting the focus of attention to the employee. In this way, the attack vector relies on the attacker's ability to manipulate, deceive and influence the actions of the end user, in this case the worker.

Depending on the cybercriminal’s interaction with the victim, social engineering techniques can be:

  • Passive: based on observing the victim's behavior.
  • Non-contact: based on requests for information through emails, phone calls, phishing, etc.
  • Non-aggressive face-to-face: they include surveillance of the victim, that is, of their home, analyzing their surroundings, whether personal or professional, as well as their friends, colleagues, etc.
  • Aggressive: based on psychological pressure and impersonation, usually of someone close to the victim.

Therefore, we must be aware that any company, regardless of its size or the sector in which it operates, can be vulnerable. The cybercriminal can launch a cyberattack without breaking any security measure: through a hoax, an employee may unknowingly hand over valuable information by email, text message or phone call, or even trigger the attack themselves, for example by executing a file or clicking on a link.

Social engineering attacks may be based on technological aspects, such as spam, pop-up windows in browsers, malicious software, phishing or pharming, among others; or on the human aspect, that is, exploiting the weaknesses of human behavior by taking advantage of the will to help, respect for authority, fear of losing a service, etc.

In both cases, the most important thing for stopping this type of cyberattack is to have a robust human firewall, based on training and awareness. The latest developments on the technology market will not help much if, by means of a simple email, a cybercriminal gets hold of confidential information about our company.

There are many techniques through which cybercriminals reach their goals. Some require technology, but others rely on human manipulation. Minimizing or mitigating these risks will depend on the commitment of the organization's workers to cybersecurity. Make sure everyone knows the procedures and has a true security culture. That way your human firewall will be configured and ready.