“Don’t think you’re being clever by aggressively blocking things,” says Jason Ruger, Lenovo’s Chief Information Security Officer. “It’s better to know what employees are using so you can communicate with them about the risks.”
Ruger, a veteran security leader, says employees don’t willingly put security at risk when they engage in this kind of behavior. But if they need to reauthenticate three times a day to access a simple document like a budget, they are likely to look for a workaround to access the file more easily. In other words, they’re just trying to do their jobs, and don’t necessarily understand the ramifications of taking shortcuts or ignoring company policy.
“To the extent you add more hurdles, people will find ways around it,” says Ruger.
The takeaway: Organizations need better strategies and solutions to lock down data without slowing down their people. With budgets tight and executives expecting IT solutions to demonstrate ROI, the answer may lie in thinking differently about security tools.
“IT has always been seen as a cost center,” says Ruger. “There is pressure to use solutions that are less expensive. Classically in IT, we build solutions that are three clicks instead of one. As IT leaders, we need to shift the model.”
While enterprise-grade solutions were once seen as the gold standard for security, Ruger says that narrative is changing. Enterprise security leaders have increasingly grown to understand that consumer-grade technology is not only less complicated and more comfortable for users, but follows a model of regular upgrades and patches to keep apps secure. In many cases, these tools are as or more secure than enterprise solutions.
But the switch to enabling users to employ more consumer-level tools may not be easy for large companies with legacy systems (and legacy attitudes toward consumer tech). In instances where allowing and securing certain consumer applications may not be feasible, Ruger suggests finding ways to enable employees to use what they want to use locally, and within reason.
“Can we create solutions that are easy enough to share within their region without making it so restrictive?” he asks. “If not, employees will use it anyway.”
Security is a team sport
In designing user-friendly security, it is essential to involve stakeholders across the business. This helps to ensure that security and risk mitigation are considered at all levels and in all types of user experiences. Nima Baiati, Lenovo’s GM of Commercial Cybersecurity Solutions, suggests one way to get the conversation going is to share real examples of incidents in other corporations. The high-profile Target breach, even though it happened in 2013, remains a stark reminder of the impact of cybersecurity attacks.
“You can take examples like Target and remind business leaders of the risks by saying, ‘this is what can happen to us,’” says Baiati.
Security teams can also look to evolving technologies such as artificial intelligence and advanced encryption to reduce the friction between security and productivity. Baiati says new methods of authentication can also help to reduce the tension between employee productivity and secure design. Solutions that offer access through passwordless authentication, and that leverage FIDO and FIDO2 technology, will be critical to recasting the way employees access information in the coming years.
“[Passwordless methods] improve the user experience,” says Baiati. “I don’t have to remember a password or continually go in and change that password. Solutions like that can also help an organization reduce cost.”
Passwordless solutions can also reduce IT costs by reducing the number of help desk requests for password resets. Those savings can be clearly mapped to ROI, he says.
“Tying a solution to a business outcome is very effective,” he notes.
Awareness training reinforces the message
Eliminating friction between the employee and the tools they need to do their work is one way to enhance defense, but teaching them about the threats to watch out for is another layer of protection. Awareness training has become table stakes in any security program.
The most effective programs, Ruger says, tie security outcomes back to the employee’s own personal interests and situation.
“We always try to make it personal,” says Ruger. “How would this impact your personal finances or your significant other’s finances?”
This personal touch also ties back to Ruger’s earlier example around understanding what shadow devices or applications employees are using and having a conversation about why they feel the need to use it. What are they trying to accomplish that requires a workaround or a shadow IT device? That discussion goes both ways, because employees can also learn more about how their behavior puts company data at risk.
“If employees are using solutions that aren’t as secure as you like, it’s better to know that so you can communicate with them using a carrot rather than a stick,” he says.
