
As businesses in Asia-Pacific face increasingly sophisticated AI fraud and hard-to-detect phishing efforts, many are seeking to develop a “human firewall” by training employees to be more adept at spotting suspicious signs in their e-mail or chats.
Yet, it is also a tough ask for staff who are already under pressure to perform their everyday duties within tight deadlines. That’s not to mention that the bad guys only need to get through once, while the good guys have to ward off all the attempts to infiltrate.
Businesses should not be chasing perfection, especially in today’s complex environment where work spans so many different platforms and formats, from e-mail to AI assistants, says Barry Chen, Asean director at cybersecurity firm Mimecast.
“The challenge is not that employees are careless,” he argues. “It is that the workplace has become more complex and less predictable.”
Organisations that have done well with a “human firewall” don’t expect their employees to be security experts, he tells Techgoondu in this month’s Q&A. “They build guardrails into everyday tools, provide simple prompts at the right moment, and encourage people to ask questions without feeling embarrassed.”
NOTE: Responses have been edited for style.
Q: Humans have often been the weakest link over the years. What is the difference this time that businesses should be aware of?
A: It’s essential that organisations protect their employees and help them avoid the errant clicks and decisions that can lead to major cybersecurity issues. But this is nothing new; it’s been very clear for years. What has changed is the environment around us.
Work now happens everywhere: across e-mail, messaging apps, cloud storage, shared documents, mobile devices, and increasingly, AI assistants. That means a single mistake does not just stay inside one inbox any more. It can spread quickly across multiple systems and even to external partners.
On top of that, people are moving faster than ever. There is more information, more collaboration, and more pressure to respond immediately. Attackers know this, and they design attacks that blend in with everyday business. A request for payment, a file-sharing link, a colleague asking for help – nothing looks obviously “bad” any more.
So, the challenge is not that employees are careless. It is that the workplace has become more complex and less predictable.
Today, the organisations doing this well do not expect people to study security manuals or slow down every time they receive a message. They build guardrails into everyday tools, provide simple prompts at the right moment, and encourage people to ask questions without feeling embarrassed.
The goal is not perfection. It is supporting people to make safer decisions without needing to be security experts.
Q: There’s been talk of a “human firewall” to ward off cyber attacks in future. How can this work when humans have so many soft spots that hackers can exploit?
A: It can, but only if we stop thinking of it as “training people to never slip up”.
Cyber attackers understand human behaviour incredibly well. They create urgency, impersonate senior leaders, appeal to helpfulness, and exploit trust. Those instincts are not flaws; they are what make workplaces functional. The mistake many organisations make is assuming people need to be “fixed” rather than recognising that the environment around them has long since changed.
A human firewall works when people feel supported and confident, not judged or afraid to raise their hand. Traditional once-a-year training does very little for someone who is tired, juggling meetings, and suddenly receives a very convincing request that “needs to be done now”.
We see better outcomes when support is built directly into everyday work. That might mean a gentle prompt that appears when a message looks out of character, or a timely nudge that helps someone pause and think before acting. In higher-risk situations, it can also include an extra verification step when sensitive files are being shared, or an easy way for employees to quickly check something that does not quite feel right.
Just as importantly, employees must feel safe admitting mistakes. If someone clicks something suspicious and immediately says something, the security team can often contain the issue before it spreads.
Silence is what causes real damage. Organisations should not create a cybersecurity culture of fear. The threat actors are the bad actors; the employees are the good guys who are doing their best across a fast-moving and demanding digital landscape.
A human firewall is not about perfection or punishment. It is about giving people confidence, time to pause, and a culture where asking a quick question is seen as smart, not inconvenient.
Q: We know now that AI-generated phishing and deepfakes are often hard to detect. How have businesses responded to this threat?
A: AI has changed the game. Messages look authentic, voice deepfakes sound convincing, and tone can match internal communications almost perfectly. That is forcing organisations to rethink how they verify identity and trust requests.
We are seeing very different maturity levels across industries. Highly regulated sectors like financial services tend to be further along. They are combining identity controls and clear confirmation workflows for sensitive actions. Many also run simulations that include deepfake calls or AI-generated internal messages, so staff recognise what modern attacks look like.
But many organisations are still catching up. Policies exist, but they may not be consistently practised. Employees may know phishing is a risk, but they have not experienced how real and emotionally convincing AI-driven scams can feel.
The organisations moving fastest treat this as a business-wide responsibility. Finance teams, HR, leadership, and operations all agree on verification rules and escalation paths. It is not just the security team’s job any more – everyone has a role.
Q: What are the recent improvements in behavioural analytics that enable fewer false positives and accurately detect a social engineering attempt?
A: Behavioural analytics used to be about spotting anything unusual. Today, it is about understanding context, whether an action “makes sense” for that person in that moment.
For example, a late-night login might be normal for someone managing a regional team across time zones, but not for someone on the payroll team. A data analyst downloading large files may be routine; someone in procurement doing the same thing would raise questions.
Modern systems also combine signals. A login from a new device alone might not be a big deal. A login from a new device plus an unusual location plus a request to move funds? That deserves attention.
This reduces noise and builds trust. Employees are not bombarded with alerts, and security teams can focus on genuine issues. And critically, the system steps in only when risk increases – which reinforces good habits without slowing down legitimate work.
In a world where attacks increasingly target judgement and emotion, timely, contextual support for employees makes a measurable difference.
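The context-and-combination scoring Chen describes in this answer, written out as an added example that is not part of the interview and is not Mimecast’s code. The role baselines, the signal weights, the two thresholds and the sample events are all constructed assumptions; a real deployment would learn baselines from observed history per person and team rather than hand-write them.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed role baselines (assumption). "login_hours" is the range of local
# hours that is normal for the role; "bulk_download" says whether large
# downloads are routine for it.
ROLE_BASELINES: Dict[str, dict] = {
    "regional_manager": {"login_hours": range(0, 24), "bulk_download": False},
    "payroll":          {"login_hours": range(8, 19), "bulk_download": False},
    "data_analyst":     {"login_hours": range(7, 20), "bulk_download": True},
    "procurement":      {"login_hours": range(8, 19), "bulk_download": False},
}
DEFAULT_BASELINE = {"login_hours": range(8, 19), "bulk_download": False}

# Constructed signal weights (assumption). A single low-weight signal stays
# below the prompt threshold; combinations push an event into "verify".
WEIGHTS = {
    "off_hours_login": 2,
    "new_device": 1,
    "unusual_location": 2,
    "unusual_bulk_download": 2,
    "funds_transfer_request": 2,
}
PROMPT_AT = 2   # gentle nudge: the action looks out of character, pause a moment
VERIFY_AT = 4   # extra verification step before the action proceeds


@dataclass(frozen=True)
class Event:
    user: str
    role: str
    hour: int            # local hour of the login, 0-23
    new_device: bool
    known_country: bool  # True when the source country matches the user's history
    bulk_download: bool
    funds_request: bool  # the session includes a request to move funds


def contextual_signals(ev: Event) -> List[Tuple[str, int]]:
    """Return the (signal, weight) pairs that fire for this event, judged
    against the role baseline rather than a global notion of 'unusual'."""
    base = ROLE_BASELINES.get(ev.role, DEFAULT_BASELINE)
    fired: List[Tuple[str, int]] = []
    if ev.hour not in base["login_hours"]:
        fired.append(("off_hours_login", WEIGHTS["off_hours_login"]))
    if ev.new_device:
        fired.append(("new_device", WEIGHTS["new_device"]))
    if not ev.known_country:
        fired.append(("unusual_location", WEIGHTS["unusual_location"]))
    if ev.bulk_download and not base["bulk_download"]:
        fired.append(("unusual_bulk_download", WEIGHTS["unusual_bulk_download"]))
    if ev.funds_request:
        fired.append(("funds_transfer_request", WEIGHTS["funds_transfer_request"]))
    return fired


def risk_score(ev: Event) -> int:
    """Combined score: signals add up, so one weak signal stays quiet while
    several together cross the thresholds."""
    return sum(weight for _, weight in contextual_signals(ev))


def decide(ev: Event) -> str:
    """Map the score to the response the interview describes: stay silent,
    nudge the person, or require an extra verification step."""
    score = risk_score(ev)
    if score >= VERIFY_AT:
        return "verify"
    if score >= PROMPT_AT:
        return "prompt"
    return "allow"


# Constructed sample events mirroring the interview's scenarios.
SAMPLE_EVENTS = [
    Event("m.lee", "regional_manager", 2, False, True, False, False),  # late login, normal for the role
    Event("p.tan", "payroll", 2, False, True, False, False),           # late login, not normal for payroll
    Event("a.ng", "data_analyst", 10, False, True, True, False),       # bulk download, routine for analysts
    Event("r.goh", "procurement", 10, False, True, True, False),       # bulk download, unusual for procurement
    Event("f.lim", "finance", 10, True, True, False, False),           # new device alone
    Event("f.lim", "finance", 10, True, False, False, True),           # new device + new location + funds request
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        names = [name for name, _ in contextual_signals(ev)] or ["-"]
        print(f"{ev.user:6} {ev.role:16} score={risk_score(ev)} -> {decide(ev):6} {', '.join(names)}")
```

The point of the role-keyed baseline is that the same raw fact (a 2am login, a large download) scores differently for different people, and the point of the additive score is that the system only steps in when signals stack up, which is what keeps alert volume low for both employees and the security team.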
