Finding a better balance between tighter security and creating better user experiences.
"Hybrid work, a proliferation of ransomware variants and rampant social engineering scams have made information security even more complex in the post-pandemic world than it was at the start of 2020. For many IT managers, the intuitive response is to take an even harder line on information security policy for the decentralised workforce. Yet this approach could be counterproductive in the longer term."
Alan Hawkins, General manager, cyber security and software, Tarsus Distribution
This response is understandable, given that end-user complacency or ignorance is often the weakest link in information security. A 2021 enterprise survey conducted by Mimecast found that 52% of South African respondents said that employee naiveté about cybersecurity is one of their greatest threats. The survey found a global 64% year-over-year increase in threat volumes.
Yet despite their awareness of how end-users can be the vulnerability in their security armour, nearly half of South African respondents conduct cybersecurity awareness training only once a quarter or less. This indicates that many businesses are still not approaching enterprise security as a true partnership with their end-users.
A top-down, untrusting approach hampers productivity
Indeed, a top-down, rule-based, untrusting approach towards information security prevails in many companies. This dictatorial approach is about telling people what they can’t do and restricting what they can do, along with numerous tools designed to catch them out when they don’t comply. It erodes mutual trust and creates a culture of blaming and shaming.
Even worse, the net result is often that the security processes, systems and policies the organisation puts in place impede the end-users’ technology experience and their ability to be productive. In extreme cases, there may be so much friction that end-users feel compelled to circumvent company security so they can get their work done. There are better ways to go about it.
Adopt technology that removes friction from the end-user experience
As paranoid as it sounds, the principle of zero trust is a great help in empowering end-users. Zero trust always verifies each request as though it originated from an uncontrolled network rather than assuming everything behind the firewall is safe. Many of its foundational principles and technologies remove friction from the end-user experience.
Much of the verification of the user’s identity and device health can be done behind the scenes, so end-users can work without hindrance. For example, with a move away from a trusted network model, a company can consider ditching the clunky VPN. Paired with a move towards passwordless authentication—leveraging biometrics or smartphone apps—this can help make security less intrusive for the end-user.
Teach and trust your people
Technology is helpful, but culture is even more important. Businesses can nurture trust and cooperation by working towards an approach of empowering and enabling. In such an environment, companies will focus on helping end-users understand why certain restrictions exist and partner with them to achieve successful outcomes.
When done well, this can help build an empowered, motivated hybrid workforce that has access to the tools it needs to get the job done—and that is ready to work with IT to protect the business.