IT Support wants to help your business, but most of the time, they don’t understand why adding more steps, longer passwords and heightened security policies often leads to insecure and ineffective security.
By implementing too much computer security—by putting too many computer security controls in place—many enthusiastic IT Support teams have actually burdened users to the point where they no longer even use IT Security!
When users are crippled with multiple access passwords and other controls that inhibit them from getting their work done—along with specific restrictions that may actually hinder productivity—they will most likely try to bypass security policies and actually put your business at more risk of a cyber threat.
With only 8 hours in a day most of the time, your workforce needs to be encouraged and enabled to be productive. But with IT Security bogging down productivity, many workers end up resorting to unsafe practices simply to get tasks done (tasks that you expect them to complete, but that have not been completed because of added work relating to security policies implemented without your users in mind).
The problem that I want to talk about today is how to effectively implement IT Security strategies to completely support users to stay secure while maintaining productivity. Specifically, I want you to understand how to implement practical security into your environments.
What is practical security?
I advocate for practical IT Security. That is, security that enables workers to get their work done, while keeping your business and your sensitive data safe. The problem, as I’ve alluded to above, is that most security policies and best practices are defined in a vacuum free of actual workplace environments, devoid of necessary or required tasks outlined by managers or critical tasks outlined in job descriptions.
Most often, IT Security is conceived and implemented by people that don’t understand your business’ values and objectives, nor does this IT Security keep in mind how users tend to work.
I call this “Do What I Say” security. Some IT Security officer demands that everyone comply with a laundry list of security policies simply ‘because they said so’, NOT because those security measures will be good for the business, outside of, perhaps, making their own lives easier.
Most security frameworks DON’T keep the user’s best interest at heart. They simply are put together thinking about what technical mastery could keep the ‘bad guys’ out. But in the process, they fail to keep workers productive.
Practical security, on the other hand, lets users complete their work and have confidence in their IT Support team, and equips workers with the knowledge of how to mitigate important security concerns—and protects them from those concerns—while allowing for ease of work.
A simple example?
When most of us think about security, we might think about passing through that airport metal detector.
What is its goal?
To make sure no one is bringing restricted items onto airplanes, in an effort to create a safer environment for travelers. More often than not, passengers miss their flights when security checkpoints get overwhelmed. Complaining passengers and over-burdened security agents lead to laxer policies (or at least inconsistent policies) when lines get too long.
These security checkpoints make us all agitated, annoyed and keep us from fulfilling our mission of boarding a plane and getting to our conference, vacation, or desired destination.
Are security lines practical?
Some may say “Yes”. Their role, at minimum, is to make us all feel safer and by doing so, they are a practical necessity in modern day air travel. But if you were to ask passengers if they like waiting in long lines with the potential of getting frisked or having their bags completely searched, I’m sure you’ll find several that don’t understand why they have to go through such annoyances just to go on a short vacation or family visit.
Many may say that there are several inherent impracticalities in airport security because the security is not enabling passengers to be better directed, on time for their flights or motivated to go through the entire security process of “hurry up and wait” the next time they have to fly.
‘Airport Security Line’-type procedures are too often visible in IT Security.
These same disgruntled feelings are constantly affecting your users when it comes to IT Security barriers. The problem with airport security, as with user security, is that often, the passenger or user is not kept in mind when policies and procedures are enacted. Rather, someone tells everyone else how things are to be done, without a solid understanding of individual experience.
Now, luckily for airport security, we all see a greater good of staying safe and secure as we board our planes and don’t mind some occasional annoyances from long security lines. But if you had to face the same barriers day in and day out—as many users do with the wrong types (or at least misapplied types) of IT Security—you might think twice about security policies.
How are users disenfranchised and left to risk business IT Security if misapplied?
Because most of IT seems black and white to IT administrators, users often jump through hoops or barriers to comply with company security policies to get their work done. Most often, usability under these strict security policies that haven’t considered workflow or user behavior will deeply counteract business objectives and will eventually put business security at risk.
Just a couple of examples of when IT Security becomes more of a hurdle than a help:
Your antivirus isn’t updated—let’s say IT Support requested access to your computer after 5 pm last night. They wanted to update your antivirus because their policy prohibits computers without the latest antivirus from joining the network.
Because you had a big report due at 10 am this morning, you decided to forgo the antivirus updates and work on your computer off network.
You get into work the next day, stressed and needing to connect to print your report by the deadline—5 minutes away. Instead, when you try to log in, you’re thrown in quarantine and warned that your computer needs the latest update. You miss your deadline because of this policy.
Windows isn’t updated properly—because you missed another scheduled maintenance window, your computer does not comply with your company IT Security policy. Until updates are properly installed, you’re kicked off the network. You scramble to figure out the updates yourself (because IT Support isn’t around to help by your deadline).
You’d probably have to spend at minimum 15-20 minutes trying to log onto the network every time an update came out to the security policy on mandatory computer updates or configurations.
Now let’s say you have to get payroll out by 2 pm this afternoon. Or let’s say you needed access to data on the network to finish a report for the CEO.
Security experts have actually found that strict mandated security policies that don’t consider practicality of worker usability end up leading to greater security threats.
55% of users say that they would find ways around IT Security roadblocks like the couple of examples mentioned above! How? By shifting temporarily onto unprotected networks or finding workarounds to the system. Some of your users are probably finding workarounds if IT Security is inhibiting them from getting their reports to you, or if security policies are keeping them from doing their jobs.
The take home? Businesses desperately need practical security solutions that enable workers to get their work done!
Is your IT Security keeping your users safe AND productive? Or is it a roadblock to getting work done, making things so impossible for your users that they’re circumventing it? Consider getting a FREE security assessment to identify practical IT security practices.