Most security teams utilise a ‘prohibition approach’ – i.e. restricting user access to websites and applications – a tactic which is hampering productivity and innovation while creating major frustration for users, according to research conducted by Vanson Bourne.
“At a time when competition is fierce, the risk of falling behind and being less productive is as big a risk to an enterprise as cyberattacks. Security has to enable innovation by design, not act as a barrier to progress. Sadly, traditional approaches to security are leading to frustrated users, unhappy CISOs and strained relationships between workers and IT departments – all of which stifles business development, innovation and growth,” said Ian Pratt, President of Bromium. “This is unacceptable in a world where time to market is a vital driver for business success. We need to put an end to this catch-22 between security, productivity and innovation – things need to change.”
The research, based on a survey of 500 CISOs from large enterprises in the US (200), UK (200) and Germany (100), found that:
- 88% of enterprises prohibit users from using websites and applications due to security concerns, with 94% investing in web proxy services to restrict what users can and can’t access
- Unsurprisingly, these restrictions negatively impact user experience: 74% of CISOs said users have expressed frustration that security is preventing them from doing their job and 81% said that users see security as a hurdle to innovation
- Worryingly, security could also be impacting customer relationships and deals, as CISOs report that they get complaints at least twice a week that work has been held up by over-zealous security tools
- As a result, IT help desks are spending an average of 572 hours a year responding to user requests and complaints regarding access to websites.
All this frustration is creating an uneasy relationship between IT, security and the user. 77% of CISOs said they feel stuck in a Catch-22; caught between letting people work freely and keeping the enterprise safe. A further 71% said that they are being made to feel like the bad guys, because they have to say ‘no’ to users requesting access to restricted content.
A new approach to security that brings all sides together
These figures suggest enterprises need a new approach to security. With revenue, reputations and share price on the line, those who look to new approaches to security will not only protect the business, but also have a competitive advantage.
“The way security works today is broken. It is unacceptable that end users are making help desk requests just to download documents and access websites they need to do their job,” Pratt added. “It is also unfair that IT and security are seen as the enemy when they are simply trying to keep the organisation safe. But it doesn’t need to be this way. There is a way to let end users click with confidence while keeping the organization safe. It’s called application isolation.”
Application isolation puts the activities most often targeted by cybercriminals – downloading files, using applications, browsing the internet – into micro virtual machines. When these activities are initiated, the network is protected because malware is trapped inside the container. Restrictions on users can be lifted and employees can get back to work.
“This new approach to security transforms the relationship between the user and IT,” Pratt concluded. “Now, instead of users calling IT to say there is a problem, they call to say they trapped some malware. Security teams congratulate the end user and then have the opportunity to extract and analyse the malware. This allows users, IT and security to work together to gather threat intelligence that protects the business at large.”