Security and the human factor: Creating a positive user experience

Despite the myriad of security solutions deployed, breaches are still happening. Even with the most robust security solutions in place it seems that we are failing at the fundamentals, as ever more sophisticated attacks infiltrate networks, bring them down, or result in compromised data.

For all the security solutions we can create, it’s people who are the first line of defence – but also the weakest link in the chain when it comes to your security defences. Isn’t it time, therefore, to step back and take a look at the way we approach security from the perspective of the end users?

Building security around people and the way they work is critical to protecting against data breaches. Asking users to jump through multiple security hoops to get their work done, and implementing solutions that do not take into account the way they interact with their devices in the cloud and mobile era, means we are simply doomed to fail.

It is users and their credentials that cyber criminals target through phishing attacks. It is their re-used passwords that, once leaked in one breach, can be replayed against other services in credential-stuffing attacks, and their weak passwords that can be guessed outright. We need to ask ourselves whether our solutions really take into account the way users behave, and what difference a positive user experience with security can make to an organisation’s overall security posture.

Security bolted-on

One of the issues is that security has often been approached as a bolt-on, or an afterthought, with the result that more layers of security are added and more frustration is created for the end user. Applying solutions in this way, be it antivirus, firewalls or access controls, does not solve the problems we face today. With more data and apps not only on the infrastructure we own but also on third-party servers, it is harder to know exactly who is accessing what, and how.

Allowing access to applications involves two major issues: verifying the identity of users accurately, and ensuring that their devices are secure. The latter has become increasingly difficult as employees use their own devices to access work apps and data from different locations and networks. This, however, is the reality we must work with.

From threat-centric to usability-centric

There’s typically been a trade-off between enabling usability and security: the more an organisation secures its network, devices and critical data assets, the more restrictions we have to place on the end user.

Moreover, we have long focused on protecting assets and infrastructure from the perspective of the technology mechanisms. Many solutions have been designed with highly technical users in mind, but security touches everyone across the organisation: every department and every user group, with a broad spectrum of different skills.

The result has been that security technology engenders a negative mindset from the perspective of the user. Security teams are perceived as inhibiting the wider user base from accessing apps they need or slowing down processes that would make them more productive, rather than as enablers of the business. There has perhaps been a tendency to point the finger at the end user when processes break down or policy violations occur, but if we don’t recognise the needs of the user when interacting with security technology we will forever be locked in a ‘block and blame’ cycle. We need to control access and protect critical data, but this needs to be considered in the context of how users interact with the technology.

For example, some security tools simply frustrate end users by blocking their activity or devices without providing any further explanation of why they have been stopped. Users are asked to remember multiple long and complex passwords which they need to keep changing and updating just to access their systems. They are provided with unwieldy user interfaces and asked to sign in with different credentials multiple times for different applications and separate systems.

No wonder then, that far from enabling workers, security slows them down and, at worst, means they are more likely to find smart ways to work around the solution, from unauthorised devices or using unsanctioned applications.

This is why security needs to be usable and generate a positive experience; otherwise employees will find ways to circumvent it. User interfaces should be intuitive and straightforward, fit in with employees’ daily routines, and be built around and optimised for the device they are using. When users are blocked from accessing apps, connecting devices or sending data, an explanation of why they have been blocked is far less likely to infuriate them than a silent denial.

This user-centric approach is about empowering workers to get on with their jobs securely, from whichever device they are using. Ultimately, security is about making us safe but we shouldn’t ignore the role that usability plays in this. It therefore makes sense that we build in an experience that works for the people who are interacting with it day in, day out.