Let user experience guide your security requirements

If you’re like most business leaders, you try to do everything you can to keep your company’s information safe.

You tell your employees to use strong passwords and offer regular trainings on phishing and the importance of internet security. You even make them change their passwords every six months or three months.

Although you know no system is foolproof, your rules should be as strict as possible in order to prevent a breach. Or should they? Evidence shows that stringent security measures can actually backfire, and can leave you more vulnerable than you were before.

The problem with passwords

In a recent survey conducted at the South by Southwest (SXSW) conference, researchers found that 83 percent of millennials value convenience more than safety, and nearly 60 percent value their time more than safety.

This human desire for convenience often results in shortcuts when it comes to password security. A 2017 Members Equity Bank study found that 89 percent of people use the same one or two passwords over and over for multiple sites. Taking that into consideration, making people change passwords frequently doesn’t do much good since many simply add a number or letter to the last version.

The fact is, a lot of people — especially digital-native millennials, who became the largest share of the American workforce in 2015 — are fed up with complicated passwords and security hoops. It’s not that they don’t care about security. Everyone’s seen the steady stream of headlines about breaches. The problem is, people are busy at work and don’t feel the value of the time it takes to remember four or five different passwords just so they can log onto the apps they need to do their job.

Further, chances are they’ll forget these passwords, too. When that happens, they have to send a ticket to IT and wait for a reset. In the meantime, the boss is drumming their fingers on the desk, waiting for the deliverable that was supposed to be finished an hour ago. For a user, it’s much easier to add a “6” to the same password they usually use.

Of course, your organization can set your system to only accept complex passwords that are substantially different from previous ones, but good luck with that. When you walk along the rows of desks at the office and you’re likely to see the “sunflower effect,” a collage of yellow sticky notes lining walls and computer terminals where beleaguered employees have written down their latest impossible-to-remember passwords.

Everyone wants the company to be secure, but the user need for convenience is a fact of life. In addition, many of today’s workers grew up with user-friendly consumer devices and have similar expectations for work technology. Instead of trying to fight them, why not meet them in the middle?

Making security user-friendly

Though ‘user-friendly security’ may sound like an oxymoron, today’s technologies go a long way towards making it possible.

Having a strong identity and access management policy is the key. You can determine in advance which apps and sites each employee needs to do their work. From there, it’s just a matter of confirming their identity to grant them all the access they need for the entire day.

One way of doing that is through biometric scanning, which has gotten much easier than it used to be. Many devices are now equipped with face, fingerprint, iris, or hand scanners. These unique identifiers allow you to be less reliant on passwords. The verification of those identities is more secure, and you don’t have to worry about them being stolen.

Once an employee logs on anywhere through biometric scanning, the access management policy kicks in. It knows exactly which databases and sites a particular worker has the right to visit, right to edit, or which are completely off-limits. The employee can glide through the rest of the day without ever entering another username or password, no matter how many apps are open.

Do your employees badge in when they enter the building?

If so, the process can be even simpler. Through geofencing, they are essentially logged in when they swipe their badge. As soon as they turn on a laptop or connect their phone to WiFi, the identity and access management system recognizes them, and they’re good to go – no passwords necessary.

Easier for customers

You can also use identity and access management for your customers. If you ask a customer to change their passwords every six months or set up separate passwords for multiple accounts, they’re likely to flee to a competitor who doesn’t. Instead, you can use biometric scanning — or other forms of multifactor authentication, such as text messages or tokens — to verify their identity and grant access in one fell swoop.

With today’s technology, there’s no reason to use overly stringent security measures that are likely to backfire. With a solid identity and access management policy in place, your company’s data is more secure and your employees and customers experience less hassle.