The Value Of Building A Human Firewall

By Arun Kumar, Regional Vice President of APAC, ManageEngine

No matter how sophisticated cybersecurity systems may be, their effectiveness ultimately depends on the people who use them. Common threats such as phishing and social engineering are often deployed by cybercriminals, not because these systems are plagued by inherent technical flaws, but due to human error.

According to Malaysia’s Cyber999 incident response centre, the third quarter (Q3) of last year saw cybersecurity incidents jump from 1,623 cases to 2,020 cases, with 75% of 2025’s incidents involving phishing.

As cyberattacks escalate, organisations across Malaysia, be they in the public or private sector, must prioritise one of their strongest defences: their workforce. To build a robust human firewall, they must put in place the foundations for informed and alert employees who are up to date with the latest cyber risks and have the tools to respond effectively.

Make security training engaging and practical

Cybersecurity policies often look solid on paper, but their effectiveness is truly tested in everyday situations. From opening emails to clicking links and following up on requests, these workday situations are some of the most critical in cybersecurity, particularly because they are often expected to be performed quickly. In these moments, habits matter more than knowledge alone.

Without regular reinforcement, even well-trained staff can forget what to look out for or how to respond. That’s why organisations must shift from treating cybersecurity training as a one-off requirement to making it an ongoing experience that shapes daily behaviour and decision-making.

As with emergency drills, a single session is not enough to maintain a cyber-aware culture that is prepared to withstand the consistent prodding of threat actors. Employees are more likely to retain knowledge when they practise it. It is also necessary to incorporate realistic examples, such as fake invoices or urgent password reset emails with spoofed domains, to better prepare teams for actual threats.

Run simulations and encourage discussion

Even with strong awareness training, there’s often a gap between knowing what to do and actually doing it in real situations. When faced with a convincing phishing email or urgent request, hesitation, curiosity, or uncertainty can lead to risky decisions. This is another reason why practice is essential.

Just as fire drills prepare people to act quickly in emergencies, simulated cyberattacks help employees build confidence and develop the right instincts. They also reveal behavioural patterns that wouldn’t surface in traditional training, giving organisations a clearer picture of where vulnerabilities truly lie. Phishing simulations are highly effective for both testing and educating employees. They help identify individuals who may be vulnerable and allow organisations to provide targeted training. However, the process shouldn’t end with tracking responses; open discussions are equally important.

For example, consider a financial services company conducting quarterly simulations that found that while most employees avoided clicking malicious links, some forwarded suspicious emails to colleagues for confirmation. This revealed an additional training opportunity: recognising that uncertainty should prompt reporting, not silence. Understanding how to respond is just as critical as avoiding the threat itself.

Integrate security into daily culture

Effective cybersecurity programs are embedded into everyday activities, not isolated within IT departments. They should appear in meetings, internal communications, onboarding sessions, and casual discussions. Regular, relatable reinforcement keeps awareness high without causing fatigue. Sharing real-world incidents and asking “What would we do in this situation?” helps make the risks tangible.

After all, cybersecurity requires the whole collective pulling in the same direction. That also means fostering a no-blame reporting culture, because encouraging transparency is far more effective than creating fear around making errors. Employees who accidentally click on a malicious link, for instance, should not feel like reporting their error will cost them professionally. This will encourage early reporting, which allows IT teams to respond quickly and limit potential damage.

Finally, simplifying processes helps users make safer choices. Implement tools like single sign-on, password managers, and multi-factor authentication in a user-friendly way. The goal is to support users, not overwhelm them. Clear guidance, visual indicators, and gentle reminders can make a big difference. Even small features, like colour-coded warnings on external emails, can prompt employees to think twice before taking action.

To build a human firewall, organisations in Malaysia must commit to an ongoing initiative to ensure employee awareness keeps pace with the evolution of cyberthreats. Empowering staff to act as frontline defenders, rather than vulnerabilities, enables organisations to transform their weakest point into their strongest safeguard. Cybercriminals rely on human mistakes but organisations will
