Build a Human Firewall 
 By Eduard Mouget

LINKAGE Q3 (2025) - ENGAGE. EXECUTE. EVOLVE.
Last year, a multinational firm lost US$25 million after a finance employee joined a video call with what appeared to be the company’s CFO and other executives. Everyone on that call except the employee was a deepfake. This happened in Hong Kong to a real company with real money that vanished forever. The most sophisticated firewall in the world could not have prevented this attack because the vulnerability was human trust.

When security professionals talk about the “human firewall” they point out a fundamental paradox. The same individuals who serve customers and keep our businesses running are both the first line of defence against cyber threats and the easiest target for attackers to exploit. Over 90% of cyberattacks worldwide involve some form of malicious email or social engineering ploy. Criminals know that persuading someone to open a door requires far less effort than breaking through a digital wall.

Consider a staff member in accounts receiving an unexpected call from a supplier. The supplier claims there has been an urgent error in an invoice and requests immediate payment confirmation. The voice sounds familiar, the timing feels pressing and the request seems reasonable. Many organisations have fallen victim to scenarios like this because attackers design them to exploit human tendencies such as helpfulness, trust in authority and the urgency effect. These situations are deliberately crafted to cause hesitation or compliance, showing how psychological manipulation can be more effective than any technical exploit.

Psychology

Building the human firewall requires understanding psychology. Many organisations still threaten staff with disciplinary action for failing phishing tests, yet this approach discourages openness. When people fear blame, suspicious emails are quietly deleted rather than reported. Silence is what attackers rely on most. Human psychology is predictable: we respond to urgency, social proof and authority shortcuts. Attackers exploit these shortcuts to bypass technical barriers. Encouraging reflection, awareness and discussion about potential risks strengthens the human firewall more than fear ever could.

Take the case of MGM Resorts in 2023. The breach began with a simple phone call to the IT help desk. Criminals pretended to be an employee locked out of their account and convinced staff to reset credentials. Within hours slot machines went dark, hotel key cards failed and the company faced $100 million in losses. The breach succeeded through human trust and helpfulness rather than technical sophistication. Learning from such incidents allows organisations to refine protocols and embed a culture of vigilance.

Cybercrime groups such as Scattered Spider have refined these tactics. By studying how service teams operate, they know exactly what to say to sound legitimate. Caesars Entertainment fell victim to similar methods. Persistence and exploiting helpful staff were enough to bypass security controls. These incidents demonstrate how cybercrime often targets humans directly, leaving technology to play a supporting role. The patterns are clear: attacks are most successful when staff act without pause or verification.

Verification and training

The defence against such attacks can be surprisingly straightforward. When criminals attempted to impersonate Ferrari’s CEO using deepfake technology, a senior executive asked a simple verification question: “What was the book you recommended to me recently?” The impostors could not answer and the ruse collapsed. Training staff to pause and verify unusual requests is one of the most effective protections available. Simple verification techniques, reinforced through regular practice, create habits that make social engineering far harder to execute.

Cybersecurity training must be regular and engaging. Annual box-ticking exercises achieve little. Successful organisations create exercises based on real-world threats and focus on reporting speed and accuracy. Scenarios can include simulated calls from vendors, unexpected password resets or requests for client information. Rewarding vigilance and celebrating proactive behaviour reinforces the message that careful attention is more important than perfection. Staff who feel recognised remain alert and engaged. Involving teams in debriefs and discussions after exercises also deepens learning and collectively strengthens the organisation’s defences.

Leadership has a vital role to play. Executives and board members are prime targets and require tailored awareness that reflects their specific risks. When staff see leaders also going through cybersecurity training, buy-in rises. It demonstrates that cybersecurity is a shared responsibility embedded in culture rather than a technical IT problem. By modelling the behaviours expected from employees, leaders reinforce the importance of questioning and verifying before acting. Leadership involvement signals that vigilance is valued at every level, helping to normalise the behaviours needed to maintain an effective human firewall.

Cybersecurity is never static. Attackers innovate constantly, which means training must evolve continuously. AI-driven threats such as voice cloning and realistic deepfakes are becoming more accessible. Criminals can create audio or video impersonations that are difficult to distinguish from reality. Continuous reinforcement of verification habits is crucial. Organisations that want resilience need to engage staff, execute training effectively and evolve programmes in line with emerging threats. Lessons drawn from real incidents keep awareness relevant and prevent complacency. Peer learning, discussion of near misses and sharing positive examples from within the organisation all contribute to a culture of sustained alertness.

Strengthen the human firewall

The human firewall strengthens not through fear but through confidence. When staff are empowered to challenge unusual requests and raise concerns, they stop attacks before they begin. Practical techniques include verifying requests verbally, escalating unusual instructions and consulting peers when something feels off. Reinforcing these behaviours with gamification, recognition and team discussion makes the skills stick and ensures a culture of vigilance. Staff who understand that the organisation will support their decisions are more likely to take proactive steps when confronted with suspicious activity.

The narrative that people are inevitably the weakest link misses the crucial point. Technology cannot always stop a convincing voice clone or a fraudster calling the help desk with insider knowledge. The decisive intervention comes from someone who has been trained to think critically, recognises risky behaviour and feels supported in raising concerns. Every major breach involves a moment where human judgement could have changed the outcome. By embedding awareness into daily routines, reinforcing it through repeated practice and rewarding proactive behaviour, organisations create a resilient workforce capable of meeting modern cyber challenges.

The strongest firewall is not built of code. It is built of people ready to defend the organisation every day.

ABOUT THE AUTHOR

Eduard Mouget is the Chief Information Security Officer, Group Enterprise Risk Unit at Republic Bank Limited