HOW TECHNOLOGY BASED SECURITY SOLUTIONS ARE INHIBITING PRODUCTIVITY
Installing technology based solutions often seems to be the first action to take in defending your organization against cybert security risks. Still they are not the only en best actions to take.
We’re not suggesting that IT decision makers are doing nothing to defend their businesses from insider threats. No doubt many of the people reading this will have invested significant sums of money in technology for that exact purpose. However, when security solutions slow down or restrict employees, they will find work-arounds to avoid or bypass locked-down IT processes. Security managers have noticed a variety of security-compromising bad habits that employees regularly display.
This suggests that employees aren’t malicious in their bad behavior. Rather, they simply cut corners to speed up their own productivity.
Generally, employees want to be productive and responsible at work. But these two are not always complementary goals. When workers are faced with security measures that seemingly hinder their efficiency, they’ll use shortcuts without considering the security risks. What’s gained in a few minutes of extra productivity then opens the door to threats. And while some privileged access management solutions address such bad behavior, many don’t go far enough. What’s needed are solutions that prioritize both productivity and usability. A solution that can be seamlessly integrated into the applications and processes that employees already use will not only promote good security behavior, but ultimately keep organizations safe.
PEOPLE AND PROCESS
Technology is just one component of handling security risks, people and processes also have a significant role to play. While businesses are generally good at adopting new technology, they often struggle with deploying and evolving security processes and training.
Only around half (54%) of organizations conduct annual training to keep insiders aware of security processes and, shockingly, only 53% include this training as part of induction for new employees. One must ask the question: if an employee hasn’t been trained to know what a threat looks like, how will they be able to protect themselves?
FIVE WAYS TO DEAL WITH THE SECURITY RISKS
To truly defend businesses from threats, a variety of approaches can be adopted:
1. ENFORCE ‘LEAST PRIVILEGE’ AS THE STANDARD
Instead of giving users all-or-nothing access, privilege must be granted based on specific user needs and scenarios. A solution needs to allow for different levels of individual access, with a broad scope for what that means. You should be able to control access based on, for example, function, team, vendor, location, time of day, and more.
2. CONSIDER THE USER EXPERIENCE
Security solutions need to be usable. Access to systems should be granted in seconds, while still providing all of the checks and balances to mitigate threats. Security teams can’t slow things down in the name of security as this risks productivity and insiders will find riskier work-arounds. Give people something that’s easy to use, and that fits (or even improves) how they do their day-to-day jobs. This approach requires security and IT professionals to involve end-users in the early stages of designing new policies or selecting new technology.
3. IMPLEMENT SEAMLESS WORKFLOW PROCESSES
Companies don’t have large teams to manage access rights for the growing number of privileged insiders and vendors. Solutions to grant and revoke privileged credentials and permissions need to be easy to administer and use, and integrate seamlessly with existing environments.
4. MONITOR, RECORD AND ANALYZE BEHAVIOR
As the environment becomes more complex, technology can help you comply with regulations requiring that all activity and behavior is monitored. You should be able to identify every individual that accesses sensitive systems and what they are doing, as well as sound the alarm if they are doing anything malicious. All of this information needs to be recorded so there is a clear audit trail.
5. REVIEW POLICIES AND TRAIN PEOPLE REGULARLY
Technology can help make security easier, but it is just one aspect of the entire solution. People and processes must support this too. Review your security policies often, and make sure new and existing employees are trained on them on a regular base. Each employee or contractor needs to understand how their day-to-day actions can help protect the business from threats. Be sure to maintain the security knowledge of your employees by implementing a security awareness program supported by e-learning and the Security Awareness App.
Parts of this blog are based upon a report published by Bomgar.