How can we improve adoption and ROI on security investments?

Traditionally, whenever employees are required to interact with security solutions, they push back because they don’t want their lives to be made more complicated with extra procedures and, essentially, clicks. Human behavior dictates that if there’s a tech roadblock, users will find a way around it to get their jobs done. In light of these workarounds, organizations often struggle to quantify how to reduce risk and improve compliance, which makes it harder to prove ROI for security investments.

While this is unfortunately applicable to too many security technologies, we’ll illustrate how businesses can balance the need for strong security with employee convenience and ease of use through the spectrum of email encryption.

Data security use cases

The idea of data security isn’t new, but its overuse can create impediments to work – which often causes the pushback mentioned earlier. Finding a balance between securing data with the right level of protection and ease of use will help improve tech adoption, while removing the need for self-implemented workarounds.

While there are many security tools available to help solve this problem, many fail because they put too much emphasis on the end user to make smart security decisions. For example, some classification tools give users a complex list of options to mark data before sharing it outside of their network. This is done in an attempt to secure and protect sensitive information in transit and when subsequently being processed by the recipient. The issue here is that most users don’t understand or haven’t engaged with the difference between a document marked as ‘Private’ or one marked ‘Confidential’. Where these markings dictate how recipients can interact with data (for example, a document marked ‘Private’ may be saved locally but one marked as ‘Confidential’ is read-only), employees often get frustrated by their recipients’ complaints that they don’t have the correct level of access, and often end up bypassing these controls as a way to save time and effort.

Additionally, this approach relies on error-prone employees, who may even select the right classification but then send an email to the wrong person – potentially causing a data breach if they’re still able to access sensitive information through their authentication scheme.

All this hurts adoption and ultimately can put sensitive information at risk of a breach if it’s not properly protected.

One-size-fits-all doesn’t work

On the flip side, some security solutions remove the end user from the equation entirely and instead enforce encryption based on static DLP rules. The problem this creates is that the decision to apply broad encryption standards to many different types of data doesn’t account for the real-world risk of a data breach.

Again, we return to the issue of employee and recipient friction. For example, a broad policy that encrypts all emails sent by particular users or teams means that even simple, non-sensitive information like arranging a meeting involves recipients jumping through authentication hoops to access the email.

To avoid these types of issues, security solutions themselves must be able to anticipate human behavior and quantify risk, making it easy to access non-sensitive information but putting in place greater layers of security and increased friction as information becomes more sensitive and warrants greater protection.

Problem with the pyramid

Most companies protect information from the top down, with the most sensitive data being at the top of the proverbial pyramid. With this approach, most businesses actually only protect up to 40 percent of all of their data. They don’t go further down the pyramid because of user pushback: it’s often easier to not secure something considered less sensitive because it’s less painful for everyone. Inevitably, some data will fall through this net and be at risk of exposure to unauthorized recipients.

But what if organizations worked to reduce “encryption friction”? If they were able to severely cut down on the number of barriers users must get through to access data, they would realistically be able to encrypt a much larger percentage of sensitive data.

AI and ML for real-time data protection

Achieving 100 percent encryption of sensitive data with absolutely no negative impact on users and recipients is unrealistic – and, frankly, when data is highly sensitive, it should be more difficult to access it! However, organizations should still work to broadly secure as much sensitive data in their “pyramid” as possible while also keeping employees and recipients happy. AI and machine learning could be the solution to this.

AI and machine learning can be used to quantify what good behaviors look like and detect in real time when something changes (something that was unachievable before this technology became available). With these advances, it’s now possible to have a broader understanding of risk at the time of a data exchange, preventing over- or under-encryption so that sensitive information is protected at a level relative to the actual risk of a data breach. Additionally, usability benefits can be brought to the recipients when they authenticate to decrypt content, meaning they’re far less likely to push back when businesses protect sensitive information.
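To make the contrast between a static DLP rule and risk-relative protection concrete, here is an added example (not code from the original article or any vendor product). It models the two approaches side by side: a static rule that encrypts everything a given team sends, and a risk-tiered policy that scores each message on its sensitivity label, whether the recipient is external, and whether the sender has ever written to that recipient before (a simple behavioral baseline of the kind the article attributes to ML). The domains, the send history, the scoring weights and the tier thresholds are all constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed organisation domain and the static DLP rule "encrypt everything this
# sender (e.g. the finance team) sends". Both values are placeholders.
INTERNAL_DOMAIN = "corp.example"
ALWAYS_ENCRYPT_SENDERS = {"alice@corp.example"}

# Constructed send history (sender, recipient). In practice a behaviour baseline
# would be learned from mail logs; here it is hard-coded sample data.
HISTORY: List[Tuple[str, str]] = (
    [("alice@corp.example", "bob@corp.example")] * 3
    + [("alice@corp.example", "carol@partner.example")] * 2
    + [("dave@corp.example", "bob@corp.example")]
)

# Protection tiers in increasing order of recipient friction.
TIERS = ["deliver", "tls_only", "encrypt", "encrypt_with_auth"]


@dataclass
class Message:
    sender: str
    recipient: str
    sensitivity: int  # 0 = none, 1 = internal, 2 = confidential, 3 = restricted (assumed scale)


@dataclass
class Decision:
    tier: str
    score: int
    reasons: List[str] = field(default_factory=list)


def build_baseline(history: List[Tuple[str, str]]) -> Dict[str, Counter]:
    """Count how often each sender has written to each recipient."""
    baseline: Dict[str, Counter] = defaultdict(Counter)
    for sender, recipient in history:
        baseline[sender][recipient] += 1
    return baseline


def static_policy(msg: Message) -> Decision:
    """The one-size-fits-all rule: team membership decides, content does not."""
    if msg.sender in ALWAYS_ENCRYPT_SENDERS:
        return Decision("encrypt_with_auth", -1, ["sender matches static rule"])
    return Decision("deliver", -1, ["no static rule matched"])


def risk_score(msg: Message, baseline: Dict[str, Counter]) -> Tuple[int, List[str]]:
    """Additive risk score; weights are assumptions chosen for the example."""
    score = msg.sensitivity * 2
    reasons = [f"sensitivity={msg.sensitivity}"]
    if msg.recipient.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
        score += 1
        reasons.append("external recipient")
    seen = baseline.get(msg.sender, Counter())[msg.recipient]
    if seen == 0:
        # A recipient this sender has never written to is the misdirected-email
        # case the article warns about, so it weighs more than an external domain.
        score += 2
        reasons.append("recipient never seen for this sender")
    elif seen < 3:
        score += 1
        reasons.append(f"recipient seen only {seen} time(s)")
    return score, reasons


def tier_for(score: int) -> str:
    """Map a score onto a tier; thresholds are assumptions."""
    if score <= 1:
        return "deliver"
    if score <= 3:
        return "tls_only"
    if score <= 5:
        return "encrypt"
    return "encrypt_with_auth"


def risk_policy(msg: Message, baseline: Dict[str, Counter]) -> Decision:
    """Friction scales with the risk of this particular exchange."""
    score, reasons = risk_score(msg, baseline)
    return Decision(tier_for(score), score, reasons)


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    samples = [
        Message("alice@corp.example", "bob@corp.example", 0),        # meeting note
        Message("alice@corp.example", "bob@corp.example", 2),        # confidential, known peer
        Message("dave@corp.example", "mallory@unknown.example", 2),  # confidential, never-seen external
    ]
    for m in samples:
        s, r = static_policy(m), risk_policy(m, base)
        print(f"{m.sender} -> {m.recipient} (sens {m.sensitivity}): "
              f"static={s.tier} risk={r.tier} score={r.score} {r.reasons}")
```

Running it shows the two failure modes from the text: the static rule forces the meeting note from the finance sender through recipient authentication (over-encryption), while a confidential message from a sender outside that team to a never-seen external address goes out in the clear (under-encryption). The risk-tiered policy delivers the first message plainly and puts the strongest tier on the last one, with the reasons recorded so an analyst can audit why.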

Conclusion

There’s a lot of noise about AI in the security industry, so one of the challenges will be to cut through this with technology that can actually add value for end users. To do this, organizations will need to look at users’ pain points, like usability or disrupted workflows. From there, they can use smart technology to help ease these problems while also ensuring sensitive information is protected and increasingly stringent data privacy regulations are complied with.

By using AI and ML to “right size” encryption, organizations can make security technology something that is embraced by employees and recipients alike. This improved adoption can ultimately protect organizations from data breaches – the best ROI any company could ask for.