It is widely agreed that employee buy-in and the adoption of a security culture within organizations is critical to maintaining good information security. Sadly, it appears that many employees are not on board with incorporating secure practices into their work life. This is curious, given that their livelihood depends on the success of their employers. A few years ago, I would have suggested that this was the result of a lack of communication on the part of the employer. While that is probably still somewhat true today, employee training and communication in this area have significantly improved.
In Context Aware Security, a study conducted by Dell involving 460 IT professionals and 301 end users, a huge majority, 91%, said they were negatively impacted by their employer’s security approach. Could it be that simple, with our employees really wanting to help, and us making it hard for them to do?
Having been the head of information security for a variety of companies, I would have to say honestly that employee convenience has never been at the top of my priority list when deciding which security measures to implement. Based on my experience and mindset, tight security has always been king, with user convenience barely making it as part of the royal court. While I have myself improved in this area, I am still a bit convicted by the above statistics.
While I would never compromise security to make life more convenient for people, given the importance of user participation, it is reasonable to find areas of middle ground where possible.
If you are struggling to balance user convenience with security, consider the following ideas:
Information security should be incorporated into every job description, regardless of position. Every employee has to take responsibility for security, so their job descriptions should reflect that. By the same token, this is a reminder to managers that time has to be allotted in each employee’s work day to meet these requirements, as we would for any other element of the job description. If we try to impose many additional time-consuming restrictions on an otherwise busy employee base, something will suffer, and security is the likely victim.
Tools and automation
There are a variety of automated approaches and tools that can help make the user's life easier. One of my favorites is single sign-on. This approach allows for a coordinated login to multiple systems. It must be done carefully, because a poor implementation can introduce additional security exposures. Given that, according to Dell, 87% of users have to remember multiple user name/password combinations (most report having two to five combinations, with some reporting that they use more than 10), single sign-on can be of real benefit. The right tools can make the user experience even better. I am a fan of identity management products that allow the user to log in to multiple systems from a single Web interface, my favorite being Okta. Since these tools can also be used to automate adding and removing users, administrators quickly become fans themselves.
If we truly want to have our users be full participants in the security process, we can help them by providing the best possible support when they have security-related help desk issues. I think lost passwords are a good example of an area for improvement in support. I have been guilty myself of being grumpy with users who forgot their password. At the same time, if we require frequent password changes using inane combinations of characters, lost passwords are inevitable. We can help by being understanding, friendly and quick to respond. There is little more frustrating than having work to do, and being unable to log in to do it.
We cannot expect users to be partners in the security process if they don’t understand how. In my experience, security training is too often done to meet an audit requirement, instead of intending to really help the users to understand the risks and solutions. We can help by providing good-quality and engaging training materials. As a matter of policy, I never put a user through security training that I have not been through myself. It also helps to offer the training at their convenience, the easiest approach being the use of online training products. In my article "Thanks for all the phish," I mentioned a product from eLearning Corner that I found to strike the right balance between information and user engagement.
Bottom line: We too often see our users as security adversaries rather than partners. A simple change in mindset can result in a measurable improvement to corporate security. This mindset change may be the most economical change we can make to improve security.
This article is published as part of the IDG Contributor Network.