Is Your IT Security a Roadblock For Your Employees?
Anirban Banerjee
Many employees feel like they are facing roadblocks in their workplace: barriers created by the increasingly stringent security methods required to protect today’s organizations from a wide range of digital threats.
And what happens when we meet a roadblock? We try to go around it – we seek an alternative route, a quicker and more effective way to reach our destination.
This is the challenge that many organizations face today: the same barriers we rely on to protect our organizations from malicious outsiders can also prevent our employees from working effectively and efficiently. These busy employees then start looking for shortcuts, adopting negligent behavior that may speed up their everyday work, but at the expense of the organization’s security.
Is Your Employee Behavior Protecting Your Data or Putting It At Risk?
A great example of this is the way businesses store and give access to documents. If you don’t want your staff to store their company documents on personal machines or personal cloud accounts, you need to make it easy for your staff to access their files from any location. Many businesses make staff jump through multiple hoops to access the data they need, especially when they are offsite, and so it’s no surprise that many choose to break the rules and save files to their personal computers to save time.
Activities such as sharing files over social media, in personal cloud storage, or using USB sticks, are quick, easy, and dangerous. These files can be lost, or intercepted, and the potential cost to your business is enormous.
Poor passwords are also a significant problem; users tend to pick passwords that are short, obvious, and unoriginal, because people want something that is easy to remember and quick to type in. But easy-to-remember passwords are also some of the easiest to break. Popular choices such as “123456” or the name of a favorite pet are the first thing someone trying to gain access will try.
Many employees don’t understand the magnitude of the damage these shortcuts can cause – so it’s up to the IT team to make it as easy as possible for people to conform to best practice security.
Enabling Your Staff and Reducing Friction with Invisible Security
To properly enable your staff, your security needs to be invisible. When your staff need access and are sent a text message with an 8-digit code they need to enter, that’s not invisible security – it’s a roadblock.
Invisible security uses a variety of techniques to allow easy log-in without the hassle:
- Geofencing – Allowing access within a set geographical area.
- Geoproximity – Allowing access when the employee’s phone is close to their computer.
- Air Sign – Requiring a phone to be moved in a specific way as a form of password.
- Touch ID – Fingerprint scanning to identify the user.
- Behavior – Allowing access based on user behavior, including access time and browsing patterns.
- USB key – Access allowed when a USB key is plugged in.
These techniques are used to identify the user without inconveniencing them, enabling them rather than slowing them down.
Which Authentication Technique?
The authentication techniques you want to use will very much depend on the situation and the user, which is why it’s important to have a variety of options.
For example, geofencing will be of limited use for an executive who flies around the world visiting different locations. You can blacklist some countries, but you can’t be too stringent without having to make constant changes. In these circumstances, Touch ID may be the best choice.
If instead, you were creating a quick account to onboard a contractor, you may find geofencing is more appropriate, allowing them access when they are on premises but limiting or preventing access from other locations.
Seamless Adaptation Through Contextual Multi-Factor Authentication
In many circumstances, it is neither desirable nor practical to have a simple “yes/no” answer to access. More and more employees are working on the road or from home one or more days a week, and they need secure access.
Contextual MFA (multi-factor authentication) measures risk and allows access based on a series of rules. For example, you may wish employees to have limited access outside of their workplace, so rather than being refused access when they are outside their geofence, their access is just limited.
Or perhaps a user has logged in and appears to have the right credentials, but is displaying unusual behavior: trying to access files they would not usually access, and at a late hour. In this case, the system should flag them as a potential threat and limit their access to critical files (or block it completely) until their identity has been confirmed.
Implemented correctly, invisible security doesn’t just break down roadblocks – it empowers your staff and protects your assets.
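One way to express the contextual MFA rules described above as a small policy function. This is an added example, not code from the original article or from any product: the office coordinates, geofence radius, working hours, `LoginContext` fields and sample logins are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from math import asin, cos, radians, sin, sqrt

# Every value and name here is an assumption made for this example.
OFFICE = (37.7749, -122.4194)            # constructed geofence centre (lat, lon)
GEOFENCE_KM = 1.0                        # constructed radius
WORK_START, WORK_END = time(7, 0), time(20, 0)

@dataclass
class LoginContext:
    lat: float
    lon: float
    local_time: time
    resource: str
    usual_resources: frozenset
    identity_confirmed: bool = False     # True after a step-up check, e.g. Touch ID

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def decide(ctx):
    """Return (decision, signals); decision is 'full', 'limited' or 'step_up'."""
    signals = []
    if distance_km((ctx.lat, ctx.lon), OFFICE) > GEOFENCE_KM:
        signals.append("outside_geofence")
    if not WORK_START <= ctx.local_time <= WORK_END:
        signals.append("unusual_hour")
    if ctx.resource not in ctx.usual_resources:
        signals.append("unusual_resource")
    odd_behaviour = {"unusual_hour", "unusual_resource"} <= set(signals)
    # Unusual file at a late hour: hold access until identity is confirmed.
    if odd_behaviour and not ctx.identity_confirmed:
        return "step_up", signals
    # Outside the geofence: access is limited rather than refused.
    if "outside_geofence" in signals:
        return "limited", signals
    # A single odd signal is only recorded, so ordinary work is not interrupted.
    return "full", signals

USUAL = frozenset({"sales/q3-report.xlsx"})   # constructed sample data
SAMPLES = {
    "office_daytime": LoginContext(37.7749, -122.4194, time(10, 0), "sales/q3-report.xlsx", USUAL),
    "remote_daytime": LoginContext(40.7128, -74.0060, time(10, 0), "sales/q3-report.xlsx", USUAL),
    "office_late_odd": LoginContext(37.7749, -122.4194, time(23, 30), "hr/payroll.csv", USUAL),
}
```

The returned signal list is what you would log alongside each decision, so that a `step_up` or `limited` outcome can be explained to the user and reviewed later.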
Easier Rollouts and Reduced IT Support Calls
Delivering an invisible security solution is not just a benefit to everyday staff, but also to your IT team, who work hard to ensure everyone has appropriate access. Rollouts and training are easier because you’re providing a solution that enables people, rather than slowing them down.
And because your staff aren’t using passwords, your support team won’t be weighed down by all those “I’ve lost my password – help!” calls that can take up so much of your staff’s time. This time saved enables your team to focus more on delivering strategic improvements than fire-fighting.
Also published on Medium.