Don’t Let Usability Issues Compromise Security
Anyone who has worked in an office environment has probably received an email or alert notifying staff that it’s time to change their login passwords (again) — and that those passwords have to meet an ever-growing list of criteria: letters, numbers, symbols, at least 8 characters, a Klingon word and their great-grandmother’s favorite color. So you come up with another “unbreakable” code that you can’t remember and write it down on a sticky note, conveniently stuck to the corner of your monitor.
Or perhaps you want to bring some work home for the weekend. But using your company’s secure system requires logging in, uploading the files and then establishing a secure connection — another multi-step process that adds several minutes and a migraine headache to the task. It’s easier to just email the files to your personal account, so you do.
Sound familiar? If so, welcome to a common problem in the world of security, where the solutions designed to protect us from “the bad guys” often create bigger security risks due to their lack of usability.
Common Barriers to Usability
One common issue in IT security is a greater focus on security than on productivity. IT is so intent on protecting the asset that it forgets that real people actually need to use it. Hence the regular and increasingly complicated requests to change passwords, or the limited access to certain areas of the network, even though the employee has a legitimate reason to be there.
Some of the other common ways that security teams put security before usability include:
- Implementing complex “tests” in order to gain access. An example is the CAPTCHA codes widely used to ensure that it’s a real person attempting to gain access. Yet they are almost universally hated, and many people would rather find a different application or online store than suffer through multiple attempts at getting the code right.
- Overzealous blocking of websites or applications. Some companies go so far as to block any website that contains certain terms, fearing that employees will access inappropriate or harmful material on corporate networks — while also impeding their ability to do legitimate work-related tasks online.
- Excess login requirements. A system that requires users to log in, enter a CAPTCHA code and then a one-time use code sent via text is not user-friendly. Multi-factor authentication does not mean using every single form of security available.
- Implementing systems that are complex and do not fully identify or explain risks.
These are just a few of the ways that security overrides productivity, and they can put your data at risk. When your security protocols are so complex that employees resort to workarounds (like sending unencrypted emails to personal accounts), the very tools that you have in place to protect your network and data could be the cause of a security breach.
Just because a security solution limits what users would like to be able to do — or causes them to take a few extra moments to ensure that everything is protected from prying eyes — doesn’t mean that it isn’t valuable. It’s just as hazardous to focus on productivity and ease of use while putting security on the back burner as it is the other way around.
The key is to find the right balance between implementing solutions that people will actually use and those that provide the highest degree of protection. To that end, it’s often best to approach security with the following in mind:
- How does this solution operate? Ideally, security should operate in the background with a minimum of user intervention, like SafeNet cloud security and encryption solutions.
- How can we streamline the security process? For example, implementing a single login process that allows an authorized user access to everything he or she needs on the network can make it easier for workers to stay productive while still protecting sensitive data.
- What are the security priorities? Does every application need the highest level of protection, or can security be managed in tiers, with lower priorities receiving less stringent access protocols?
- How can we move security from a place of “no” to a place of “yes”? Many experts note that modern IT security is largely focused on preventing bad behavior and protecting networks against “what ifs,” without thinking about how people really use them. Instead of focusing on blocking, preventing and denying, security should focus on how to allow people to do what they need while still providing protection.
The balance between usability and security has long been a tenuous one, and there is no easy solution. However, IT security teams that recognize the issues and take steps to mitigate the problem will likely find that they have fewer security issues and an overall safer network.