User convenience vs. Security

Who knew that, following our Hot Topics debate about security in midsize businesses, such IT vs. employee tension would break out?

Last week we looked at how most data breaches come from within and how employees are constantly at fault for malware issues and general data loss. However, there has been more discussion regarding the topic, more specifically from the employee side.

Many recurring themes can be seen. Trends such as consumerisation and Bring-Your-Own-Device (tips for BYOD can be found here) are dominating the airspace, with IT professionals worrying about the potential downfalls.

Researcher Heidi Shey said in her report: “It’s not simply just a matter of having the appropriate tools and controls in place. It’s worth noting that only 56 percent of information workers in North America and Europe say that they are aware of their organisation’s current security policies.”

Are they?

It is the ultimate battle. One where both sides will always try to win. One of the most basic conundrums in computer security is the constant trade-off between security and usability.

Kai Roer, The Roer Group

 

With IT departments producing thick, unread security manuals, it’s hardly surprising that employees are choosing convenience over security. Managing Directors may be happy that employees are driving business, but the potential downfalls are bigger.

Security is different for different users and different situations, but IT professionals and business owners must introduce simpler security policies with real consequences. Make them known. And make them obvious, not tucked away on page 262 of a 600-page policy.

 Kevin Townsend, a freelance author and Infosecurity writer

The sheer convenience of doing business on the web has embedded itself into consumers' everyday routines to the point where the ability to quickly complete a multitude of tasks online has come to be expected. This is compromising security. There has to be some middle ground.

IT professionals believe that security policies drive behaviour, not the other way round. After all, this is the Internet age. Users expect there to be security. If IT professionals had the time to explain why applications behave the way they do, with certain ‘inconveniences’ in place, and that these are all for the benefit of securing the company’s and clients’ data, then maybe no one would complain as much.

 

Simon Moffatt, Infosec Professional

Users want easy-to-use applications, but they also want to know that whoever they do business with has their protection, rather than usability, at the front of their mind. Everyone will understand. If this is the case, then employees will change their behaviour to conform to security policies.

Just to make it abundantly clear, this blog is not advocating insecure computer practices. What it is advocating is freedom and some general understanding. However, with freedom come consequences. If your employee wants his own data exposed by having auto log-in enabled and not locking the screen with the screensaver, then it is only their data exposed; IT departments will need to relax a little bit.

Given the fluidity of IT, how easy it is to move services from one company to another is frightening. Perception is reality.

Make it easy. Make it work. Make sure you do it.  

What methods are in place? How do IT manage this? Let us know @MicrosoftBizUk.