Human Firewall aka the Weak Link

You have spent thousands on infrastructure. You have the best Cisco firewall money can buy. Your Information Security Officer has every certification the industry offers. Yet you can still be breached: your employees’ SSNs and birthdates can be stolen, your customers’ bank and credit card numbers can be stolen, and the local news announces that all of your customers’ information was taken.

What happened? Most likely the weak link was attacked: your people. You did not have a “Human Firewall”.

  • The payroll clerk goes to lunch and leaves the direct deposit file on his desk.
  • The Human Resources manager takes the applications for the new VP position home to review and leaves them on the front seat of her car while having dinner.
  • Your controller’s password is written on a Post-it under the keyboard.
  • The VP of Finance logs on to your network over an unsecured home wireless network.

You get the picture.

Create a “Willing Culture of Security”

Your data security plan is only as strong as the employees who implement it. Explain the rules to your employees, and train them to spot vulnerabilities in your security. A well-trained staff is your best defense against data breaches, and consistent training shows the significance you place on data security practices.

Check references and conduct background checks before hiring employees who will have access to sensitive data. Background checks that use consumer reports are subject to the Fair Credit Reporting Act, so follow its notice and consent rules.

Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data. They need to understand that following the data security plan is a critical part of their responsibilities. Regularly remind them of the company’s policy and legal requirement to keep customer information secure and confidential.

Limit access to personal information to staff with a “need to know.” Know which employees have access to consumers’ and employees’ sensitive information. Pay particular attention to Social Security numbers and bank account numbers.

Create a procedure for making sure that when an employee leaves or transfers to another part of the company, they do not retain access to sensitive information. Disable their accounts and revoke their passwords, and collect keys and identification cards as part of the departure routine. A transfer needs the same review: access granted for the old role should be removed, not just added to.
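One way to check that the departure and transfer procedure actually worked is to reconcile the HR roster against the accounts that are still enabled and the groups they hold. The script below is an added example, not code from the original post or from the author; the roster, the accounts and the department-to-group entitlement table are constructed for illustration and do not come from any real system.

```python
"""Leaver/mover reconciliation: flag accounts that should have been disabled
or re-scoped when an employee left or transferred.

All sample data below is constructed for this example (hypothetical users,
departments and groups), not taken from any real directory or HR system.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Employee:
    user_id: str
    department: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class Account:
    user_id: str
    enabled: bool
    groups: FrozenSet[str]


# Assumed entitlement table: which directory groups each department may hold.
ENTITLEMENTS = {
    "payroll": {"staff", "payroll-direct-deposit"},
    "hr": {"staff", "hr-applicants"},
    "finance": {"staff", "finance-ledger"},
    "sales": {"staff"},
}


def reconcile(roster: List[Employee], accounts: List[Account],
              today: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for accounts that violate the leaver
    and transfer procedure.

    Findings:
      no-employee    enabled account with no roster entry at all
      orphaned:Nd    enabled account whose employee was terminated N days ago
      excess-group:G account holds group G that its current department is not
                     entitled to (the 'transferred but kept old access' case)
    """
    by_id = {e.user_id: e for e in roster}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        emp = by_id.get(acct.user_id)
        if emp is None:
            if acct.enabled:
                findings.append((acct.user_id, "no-employee"))
            continue
        if emp.status == "terminated":
            if acct.enabled and emp.termination_date is not None:
                days = (today - emp.termination_date).days
                findings.append((acct.user_id, f"orphaned:{days}d"))
            continue
        allowed = ENTITLEMENTS.get(emp.department, set())
        for group in sorted(acct.groups - allowed):
            findings.append((acct.user_id, f"excess-group:{group}"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Run the check over constructed sample data (hypothetical users)."""
    roster = [
        Employee("alice", "payroll", "active"),
        # bob left HR on 10 Jan but nobody disabled his account
        Employee("bob", "hr", "terminated", date(2024, 1, 10)),
        # carol transferred from payroll to finance and kept her old group
        Employee("carol", "finance", "active"),
    ]
    accounts = [
        Account("alice", True, frozenset({"staff", "payroll-direct-deposit"})),
        Account("bob", True, frozenset({"staff", "hr-applicants"})),
        Account("carol", True, frozenset({"staff", "finance-ledger",
                                          "payroll-direct-deposit"})),
        # temp worker account that never made it onto the HR roster
        Account("svc-temp", True, frozenset({"staff"})),
    ]
    return reconcile(roster, accounts, today=date(2024, 2, 1))


if __name__ == "__main__":
    for user_id, finding in run_sample():
        print(f"{user_id}: {finding}")
```

Run it on a schedule against an export of the real roster and directory; an empty result is what a working departure routine looks like, and any "orphaned" finding with a large day count is a departure that slipped through.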

Make sure your policies cover employees who telecommute or access sensitive data from home or an offsite location, and the notebooks and smartphones that store or access sensitive information.

Implement a regular schedule of employee security training. Update employees about new risks and vulnerabilities. Make sure training includes staff at remote offices, temporary help, and seasonal workers. Block access to sensitive information for employees who don’t attend.

Train employees to recognize security threats. They need to know how to report suspicious activity. Reward employees who uncover vulnerabilities.

Require employees to report immediately if there is a potential security breach.

Post reminders in areas where sensitive information is used or stored.

Warn employees about phishing, including phone pretexting. They need to be suspicious of callers who claim to need account numbers to process an order, or who ask for customer or employee contact information. Make it a policy to hang up and call back using a phone number they know is genuine.

Enforce disciplinary measures for security policy violations.

Consider asking your employees to take the FTC‘s plain-language, interactive tutorial at

For computer security tips, tutorials, and quizzes for everyone on your staff, visit

About Bruce Demarest

Bruce Demarest is an Identity Theft Protection Specialist. He has designed and taught classes to educate individuals and businesses in identity theft risk management. Individuals have learned how to continuously monitor their financial identities for credit fraud and their personal identifying information for unauthorized use. His business clients have become compliant with federal and state privacy laws. He has conducted information security audits to identify their potential problems and has designed security policies, programs, and practices to address those problem areas.
This entry was posted in Business Identity Theft, Identity Theft Protection.

1 Response to Human Firewall aka the Weak Link

  1. Pingback: Business Culture of Security: Do you audit your vendors? | Bruce Demarest Creating Cultures of Security
