Security

How to improve security without treating your users like criminals

Strong security controls will protect your organization, but they may also hinder or annoy users. Here's how to walk the line between security and user accessibility.

Applying cybersecurity principles within an organization is of critical importance. However, it can be a double-edged sword depending on how you proceed. If your controls are too restrictive and punitive your users will resent jumping through hoops, or may even seek ways to circumvent those controls.

On the other hand, if your policies are too lenient, you run the risk of exposing the business to harm, and putting your company and its confidential data (and perhaps your own career) in jeopardy.

Here are some first-hand perspective tips on how you can work cooperatively with your users to build appropriate security procedures without interfering with their work—or worse—making them feel like criminals.

SEE: IT physical security policy (Tech Pro Research)

List of do's

  • Do establish and publicize clear and concise security policies for users to follow. Tech Pro Research offers several examples such as for Information Security, Network Security, Information Security Incident Reporting and Mobile Device Computing.
  • Do provide positive incentives for understanding and cooperating with these policies. Examples can include recognition, prizes, or lunch/snacks/ice cream.
  • Do explain what threats are out there and how to use common-sense measures to avoid them.
  • Do explain why specific restrictions or controls are in place and what you hope to achieve by such requirements.
  • Do implement sophisticated technological monitoring and alerts to notify you or your cybersecurity team of inappropriate access attempts, unauthorized transmission of confidential data, usage of prohibited applications, and other security threats.
  • Do formulate an incident response plan and make sure to cover in-house and remote employees and locations.
  • Do give second chances (where appropriate; obviously a second attempt to deliberately steal confidential information would be out of the question), and be flexible.
  • Do provide 24x7 contact information for the cybersecurity team, and encourage users to contact them with any issues or questions.
  • Do remind employees that the cybersecurity team is there to protect both them and the business, and should be seen as strategic allies not law enforcement.

List of don'ts

  • Don't punish employees for ignorance. User education is the responsibility of the cybersecurity team.
  • Don't "stalk" employees by popping up unexpectedly to ask "What are you doing/why are you doing that?" unless there is a legitimate risk involved.
  • Don't bombard users with constant notifications or emails, which they will eventually tune out or not take seriously.
  • Don't impose draconian measures, which require an inordinate amount of hoops for user compliance.
  • Don't lock down systems, applications, or web access to the point that employees cannot do their jobs effectively.
  • Don't implement half-built or unreliable mechanisms, which will fail to provide users the access they need. For instance, a two-factor authentication environment which refuses to accept valid answers to security questions.

Best practices for companies

SEE: Security awareness and training policy (Tech Pro Research)

I spoke with Keith Graham, Chief Technology Officer at SecureAuth + Core Security about the topic and to seek some specific examples of good cybersecurity.

Graham said that the best approach to delivering security alongside of functionality is to simplify where possible. "Don't make users adhere to a complex password reset process or require them to provide a second factor when there is no reason to (i.e. no risk is present)," he said. "This causes user frustration and an impact on productivity, as well as cost to the business with calls to the IT help desk."

Graham recommended using modern techniques that fit the business and bring together identity and security. Approaches such as adaptive access control allow organizations to better protect, discover, and respond to credential misuse more quickly.

We discussed best practices for companies to encourage users to follow security guidelines without feeling like they're being penalized, and Graham reiterated that educational investment and staff training, anticipating potential disruptions to employees' daily routines, and fears of system failures must be addressed to get users such as employees and partners to follow security guidelines.

"Employees should be aware of the benefits from the start," he said. "With adaptive access control, most will celebrate the streamlined experience, fewer login processes per day, no hard tokens, and reduced downtime from waiting for multiple password resets or contacting IT support.

"This, coupled with a comprehensive roll-out strategy by the business, should ensure that employees are on board and engaged from the start."

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

Then we tackled how to reduce frustration with onerous security practices (i.e two-factor authentication, security questions, and the like). In Graham's experience, the best method to maximize security while reducing friction is to analyze risk at the point of user authentication without hindering the user experience. Such methods include: geographic location analysis, device recognition, IP address-based threat services, and phone fraud prevention. These can make security transparent by validating authentic users while blocking attackers trying to use compromised credentials.

To wrap up, Graham recommended prioritizing the most flexible security solutions with the most potential instead of relying on quick fixes.

"Choose integration-friendly solutions that maximize existing security investments from a vendor who can be a partner in both security and compliance. Only then will you achieve an accurate, holistic view of all security threats and save considerable effort in compliance audits. Compliance and security should not be considered one and the same," he concluded.

Also see

istock-network-security.jpg
Image: NicoElNino, Getty Images/iStockphoto

About Scott Matteson

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.

Editor's Picks

Free Newsletters, In your Inbox