How to find the middle ground between efficient cybersecurity protocols and usability
Top-notch cybersecurity controls and protocols are critical in maintaining secure business operations — especially following the global transition to remote work. The complexity of managing cybersecurity outside office walls is partially responsible for the 600% increase in cybercrime since the start of the COVID-19 pandemic.
But enforcing ever-stricter protocols on employees to bolster security in a remote environment may have diminishing returns. When employees become tired of multi-factor authentication, timed-out sessions and constant password updates — or find that these measures keep them from doing their work — they’re likely to navigate around protocols, placing sensitive data at risk. More than half of employees have had to work around security policies to efficiently complete their work.
This non-compliance might not seem significant, but it leaves your systems much more vulnerable to cyberattacks. Finding the middle ground between security and employee usability in security protocols is critical in minimizing this risk.
The Risks of Noncompliance
Cybersecurity isn’t a new issue, but the transition to remote work has made it even more difficult for IT leaders to maintain secure operations. A recent study indicated nearly half of employees are less likely to follow security protocols while working from home, including practices like the use of personal devices for work activities, connecting to potentially insecure networks and sending work emails from personal accounts. Many of these employees said they feel like they can take additional risks because IT isn’t watching what they’re doing when they’re working from home.
The use of unapproved devices and software outside an organization’s ownership or control, also known as shadow IT, is one of the most pressing issues facing IT professionals. If a remote employee experiences IT issues, switching to their personal laptop is more efficient and convenient than waiting for a response from IT services. While these shortcuts may seem harmless, even minor non-compliance with protocols can significantly increase the risk of data breaches — especially as cybercriminals’ tactics are becoming more sophisticated.
Even unintentional mistakes are more difficult to manage if they occur on a personal device. If an employee clicks on a phishing email from a corporate machine configured with cybersecurity software, IT services can easily detect any downloaded malware and, if necessary, wipe the device. But it’s potentially outside the scope of corporate’s legal responsibility and authority to do the same with employees’ personal devices.
It’s critical for employees to be aware of — and compliant with — company cybersecurity protocols to avoid these incidents. To eliminate instances of shadow IT and other navigations around protocols, you need to ensure your practices are both effective and convenient for employees.
3 Ways to Balance Security and Usability
Given the surge in remote work, it’s critical to educate employees on the importance of cybersecurity as well as your organization's best practices and protocols. To avoid navigation around protocols, you need to find the middle ground between strict security and employee usability. Employee training, end-user-friendly security measures and cross-functional teams can help you achieve a balanced security posture.
1. Prioritize employee training.
While compliance can’t fully prevent security incidents, educating employees on the importance of cybersecurity and your organization’s best practices can help reduce some of the risks involved. You need top-down communication to enforce — and reinforce — practices and policies until they become second nature to each employee at your organization. Also, ensure your company’s policies are clear and accessible so employees always know where to look for information about security.
Annual trainings, as well as consistent micro-trainings throughout the year, are critical in reinforcing protocols. According to the FBI’s Internet Crime Report, phishing was the most commonly reported cybercrime in 2020. Reduce these incidents by running phishing tests to gauge employees’ knowledge — you can use online tools to create fake phishing emails. For example, you could craft an email that is seemingly coming from your company’s HR department about a luncheon to see who clicks on the link in your email. Based on the results, you can determine which employees need additional training or tighter security controls on their devices. Any cybersecurity training is valuable, but it will be significantly more effective if the information is continuously reinforced.
2. Implement end-user-friendly security measures.
There are many cybersecurity measures you can implement that involve no action from end-users. For example, you can install security filters to intercept phishing emails, so they never reach employees’ inboxes. There are also AI-based solutions that can detect whether employees are potentially sending an email to the wrong user or someone outside the organization, and flag potentially harmful emails to train employees to use extra caution.
Other measures reduce friction within your existing cybersecurity protection. For example, implementing conditional access policies saves users from completing multi-factor authentication every time they sign in. A location-based conditional access policy, for instance, will only require a user to verify their credentials if the network detects they are logging on from a new device in a different location.
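The conditional access rule just described, written out as a small policy evaluator. This is an added illustration, not code from the original article or from any particular identity product; the user, device identifiers and country codes are constructed sample data, and it treats either an unrecognized device or an unfamiliar country as enough to trigger the MFA prompt, which is a slightly stricter reading than the sentence above.

```python
from dataclasses import dataclass, field

@dataclass
class SignIn:
    user: str
    device_id: str       # stable client identifier (e.g. from a device certificate or cookie)
    country: str         # country resolved from the sign-in IP address
    mfa_completed: bool  # True once the user has passed an MFA challenge in this session

@dataclass
class TrustStore:
    """Per-user record of devices and countries that have already passed MFA."""
    devices: dict = field(default_factory=dict)    # user -> set of device_id
    countries: dict = field(default_factory=dict)  # user -> set of country codes

    def record(self, s: SignIn) -> None:
        self.devices.setdefault(s.user, set()).add(s.device_id)
        self.countries.setdefault(s.user, set()).add(s.country)

def evaluate(store: TrustStore, s: SignIn) -> tuple:
    """Return ('allow' | 'require_mfa', reasons).

    The password is assumed to be verified already. MFA is demanded only when the
    sign-in comes from a device or a country this user has not authenticated from.
    """
    reasons = []
    if s.device_id not in store.devices.get(s.user, set()):
        reasons.append("new_device")
    if s.country not in store.countries.get(s.user, set()):
        reasons.append("new_location")
    if not reasons:
        return "allow", reasons      # familiar context: no extra prompt
    if s.mfa_completed:
        store.record(s)              # extend trust only after a successful challenge
        return "allow", reasons
    return "require_mfa", reasons

def demo() -> list:
    """Walk one constructed user through a sequence of sign-ins."""
    store = TrustStore()
    alice = "alice@example.test"  # constructed sample user
    steps = [
        SignIn(alice, "laptop-01", "US", mfa_completed=False),  # first ever sign-in
        SignIn(alice, "laptop-01", "US", mfa_completed=True),   # passes the challenge
        SignIn(alice, "laptop-01", "US", mfa_completed=False),  # same device, same place
        SignIn(alice, "laptop-01", "DE", mfa_completed=False),  # same device, new country
        SignIn(alice, "phone-07", "US", mfa_completed=False),   # new device, known country
    ]
    return [evaluate(store, s)[0] for s in steps]
```

Note that trust is only recorded after a completed challenge, so an attacker who has the password alone never gets a device or location added to the user's trusted set.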
3. Establish a cross-functional team.
If security measures present too much of an inconvenience for employees, they’re going to find a way around them or find an insecure way to complete their work. For the strongest operational security, IT and security professionals need to communicate with the organization’s end users. Even though 97% of IT decision-makers said that employee experience is a significant factor in their security strategies, the existence of cumbersome security measures shows there is room for improvement in collaboration. To address the problem, my organization incorporated a security steering committee in which the IT and security teams receive feedback from employees in various departments to help guide IT decisions. This strategy helps us create and implement security measures that are effective, usable and convenient.
Protecting your organization against cybercrime is critical, but it requires compliance from every member of your organization. Educating employees and implementing measures that aren’t a hassle to employees — without sacrificing security — is key to securing your business’s operations.