Your firm has firewalls. You have antivirus software and a bunch of other security tools. You probably even have multi-factor authentication enabled. But here’s the problem: nearly 95% of successful cyberattacks are attributed to human error. That means the most sophisticated security stack in the world can be undone by one distracted click on a Tuesday afternoon.
Attackers know this. They’re not spending their time trying to crack your encryption. They’re waiting for you to be tired, overwhelmed, and running on autopilot. They’re betting on the fact that when you’re juggling client deadlines and back-to-back meetings, you won’t take five seconds to question that “urgent” email from your “CEO.”
Want to increase your cyber defenses? You don’t need to install anything new. You don’t need to change your systems. You just need to build a few simple habits that transform you, and everyone at your firm, into the human firewall.
Here are five habits that attackers desperately hope you skip.
Habit 1: The 30-Second Pause
This is the single most powerful habit you can develop, and it costs you nothing but a breath.
When you receive an email, text, or phone call that asks you to take action (click a link, open an attachment, transfer money, share credentials), stop. Just stop for 30 seconds.
In that half-minute, ask yourself three questions:
- Was I expecting this? If you weren’t anticipating this request, that’s your first red flag.
- Does something feel off? Unusual tone, weird formatting, or a sense of urgency that feels manufactured? Trust your gut.
- What’s the worst-case scenario if I wait on this? What’s the worst-case scenario if I do nothing? Scammers rely on quick action. Real requests survive a delay.
Attackers rely on speed and emotion. They craft messages designed to trigger an immediate reaction. The 30-second pause breaks that cycle. It moves you from reactive to thoughtful. When you’re billing 60 hours a week and running on caffeine, intentionality is your best defense.
Habit 2: Go Direct to the Source
Instead of clicking links in notifications or alert emails, especially anything that feels unexpected or pushy, manually type the website address into your browser or use a saved bookmark. This bypasses fake links entirely and keeps you away from suspicious URLs.
Attackers love hiding behind lookalike domains and “security alert” messages because a single click can send you to a convincing phishing page (a fake login screen designed to steal your password). Going direct cuts them off at the knees.
If the message is legitimate, you’ll see the same notification after you log in the normal way. If it’s malicious, you just avoided handing over your credentials. That single move reduces the risk of account takeover without slowing your day down.
Habit 3: Question Urgency
“This needs to happen TODAY.”
“I’m in a meeting and can’t talk: just handle this now.”
“Your account will be suspended unless you act immediately.”
These phrases should immediately raise your suspicion. Urgency is the oldest trick in the attacker’s playbook, and it works because it bypasses your rational thinking and triggers your fight-or-flight response.
Legitimate requests rarely require you to abandon your judgment. Your bank won’t threaten to close your account if you don’t click a link in the next hour. Your CEO won’t ask you to buy gift cards and keep it confidential. Most vendors won’t demand immediate payment via wire transfer.
When you feel rushed by a request, that’s precisely the moment to slow down.
Attackers create urgency because they know that a calm, thoughtful person is much harder to deceive. Refuse to let someone else’s urgency override your judgment.
Habit 4: Log Out, But Leave It On
At the end of the day, log out of your user session but leave the computer powered on. This allows the system to run critical security updates and patches overnight while you sleep, so they don’t interrupt your work the next morning.
This matters because updates often need time to download, install, and finish background tasks. If your computer is always powered off when not in use (or you’re still logged in), those updates can get delayed—or hit you at the worst possible time during business hours.
That simple change shrinks your vulnerability window and keeps your mornings focused on work instead of waiting on updates.
Habit 5: Verify What Matters
Treat email as a tool for basic communication and nothing more. But the moment a request involves clicking a link, replying with sensitive information, or moving money, you MUST verify it through a different channel before you take any action.
That means you pick up the phone and call using a number you already trust (not one in the message), send a separate text, or confirm in person. This is out-of-band verification (a second path of confirmation) and it shuts down the most common social engineering attacks because the attacker can’t control both channels.
Use this rule every time:
- If it’s routine conversation, email is fine.
- If the conversation turns to links, credentials, financial changes, wire details, payments, or client data, verify first.
That extra 60 seconds reduces the risk of credential theft and fraudulent transfers, and it prevents small mistakes from turning into big incidents.
Building Your Human Firewall
These five habits won’t make you invincible. But they will dramatically reduce your risk of becoming a cybersecurity casualty, and they won’t add a single piece of software or cost you a dime.
Here’s a quick recap:
- The 30-Second Pause before acting on any request
- Go Direct to the Source by typing the website address or using a bookmark—no clicking suspicious links in alerts
- Question Urgency and refuse to be rushed into bad decisions
- Log Out, But Leave It On so updates can happen while you sleep without interrupting your work
- Verify What Matters for anything involving money or sensitive data
We’re Here to Help
At Frankel Technology Services, we work with professional services firms every day to build stronger security cultures, not just stronger security systems. If you want to talk about how to reinforce these habits across your organization, or if you’re concerned about a specific threat you’ve encountered, let’s have a conversation.
Your technology should work for you, not against you. And your team should feel confident, not anxious, when they open their inbox each morning. That’s the goal we’re working toward together.