End users are the weakest link in any cyber security strategy. According to a recent MeriTalk report, almost half of all government agency security breaches occur because users don’t comply with security protocols. In fact, 31 percent of government employees use some sort of security workaround at least once a week. Although the report, cleverly titled “Security Pros From Mars, End Users From Mercury,” discusses public sector employees, the private sector can learn some lessons by understanding why these federal employees work around security protocols.
End users become frustrated when following security procedures slows them down. Unfortunately, security professionals don’t view user-friendliness as a priority. In fact, only 40 percent of security professionals rate user-friendliness as a concern when determining security strategy. If end users are the weakest link, then shoring up their compliance is a priority. Deploy easy-to-use cyber security software for businesses as a starting point. Then, tweak the program so it incorporates these four user-friendly principles.
Companies implementing single sign-on (SSO) authentication allow their employees to use a single login and password to access multiple applications within the company. Most SSO implementations allow the basic username and password for low-level applications. They then require additional measures, such as biometrics, smart cards, security certificates or security tokens when employees want to access more sensitive material.
Changing to SSO offers four main benefits for companies:
- Uniform enforcement. With SSO, IT can enforce uniform authentication and authorization across the company.
- Better security reporting and auditing. SSO provides end-to-end user audit sessions, providing better visibility for IT into unusual employee behavior.
- Less pressure on application developers. When a company implements SSO, individual application developers don’t have to incorporate security into their designs.
- Cost savings. The help desk will receive fewer password-related calls, increasing its productivity and resulting in cost savings.
Despite these advantages, companies have to prepare for potential SSO problems. First, if an SSO system fails, then employees throughout the company won’t be able to sign on to the network. Therefore, any SSO solution should have a proven failover design. Second, SSO systems can’t protect against alterations to underlying identity data. IT will need to set up easy business processes to monitor for unauthorized identity creation, identity termination or role changes.
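One way to turn the second caveat into a routine check is to run the identity provider's audit export against the change-management system's list of approved tickets and flag any account creation, termination or role change that has no approved ticket behind it. The script below is an added example, not code from the article or from any SSO vendor; the JSON-lines log format, the field names, the approved-ticket set and the role names are all constructed for illustration, and a real IdP export will use different fields.

```python
"""Flag identity-directory changes that lack an approved change record.

Added example (not from the article or any vendor). The audit-log format,
the approved-ticket set and the role names are constructed for illustration.
"""
import json
from dataclasses import dataclass

# Constructed sample: one JSON object per line, as an IdP audit export might look.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-04T09:12:00Z", "actor": "it.admin", "event": "user.create", "target": "j.doe", "ticket": "CHG-1041"}
{"ts": "2024-03-04T09:30:00Z", "actor": "it.admin", "event": "user.role_change", "target": "j.doe", "role": "finance-approver", "ticket": "CHG-1041"}
{"ts": "2024-03-04T22:47:00Z", "actor": "svc.sync", "event": "user.role_change", "target": "m.lee", "role": "domain-admin", "ticket": ""}
{"ts": "2024-03-05T08:05:00Z", "actor": "it.admin", "event": "user.login", "target": "m.lee"}
{"ts": "2024-03-05T10:15:00Z", "actor": "hr.portal", "event": "user.terminate", "target": "a.khan", "ticket": "CHG-1050"}
{"ts": "2024-03-05T11:00:00Z", "actor": "j.doe", "event": "user.create", "target": "tmp.user", "ticket": "CHG-9999"}
"""

# Constructed: tickets the change-management system reports as approved.
APPROVED_TICKETS = {"CHG-1041", "CHG-1050"}

# Events that alter identity data and therefore need a matching approval.
SENSITIVE_EVENTS = {"user.create", "user.terminate", "user.role_change"}

# Roles whose assignment is reviewed even when an approved ticket exists (hypothetical names).
HIGH_PRIVILEGE_ROLES = {"domain-admin", "finance-approver"}


@dataclass(frozen=True)
class Alert:
    ts: str
    event: str
    target: str
    reason: str


def parse_audit_log(text):
    """Parse one JSON object per line, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def classify(event, approved):
    """Return a review reason for an identity-changing event, or None if it is fine."""
    if event.get("event") not in SENSITIVE_EVENTS:
        return None  # logins and other non-directory events are out of scope here
    ticket = event.get("ticket", "")
    if not ticket:
        return "identity change without a change ticket"
    if ticket not in approved:
        return f"ticket {ticket} is not in the approved set"
    if event["event"] == "user.role_change" and event.get("role") in HIGH_PRIVILEGE_ROLES:
        return f"high-privilege role {event['role']} assigned (ticket approved, review anyway)"
    return None


def find_unapproved_changes(text, approved=APPROVED_TICKETS):
    """Return an Alert for every identity change that needs a human look, in log order."""
    alerts = []
    for ev in parse_audit_log(text):
        reason = classify(ev, approved)
        if reason:
            alerts.append(Alert(ev["ts"], ev["event"], ev["target"], reason))
    return alerts


if __name__ == "__main__":
    for a in find_unapproved_changes(SAMPLE_AUDIT_LOG):
        print(f"{a.ts}  {a.event:<17} {a.target:<10} {a.reason}")
```

Run against the constructed log, the script reports three events: the approved but high-privilege role grant to j.doe, the after-hours domain-admin grant to m.lee with no ticket at all, and the account created by j.doe under a ticket the change system never approved. Scheduling this against the daily export gives the "easy business process" the text calls for without anyone reading raw audit logs.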
Firewalls create many inconveniences for end users, so they begin to request exceptions to company firewall policies. If they don’t get the exceptions they want, then they often alter the security settings on their local computers so that they can view unauthorized websites. The IT department does not have the time to track down noncompliant employees, so take down firewalls that aren’t absolutely necessary.
Different businesses will have differing standards for what employees should and shouldn’t access while they’re on the clock. For instance, some companies will ban Facebook access while others won’t mind it. It’s a good idea to examine firewall logs to see the sites employees are trying to access most often. Then, determine whether it’s worthwhile to continue blocking these websites from both productivity and security standpoints.
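The firewall-log review described above is easy to script: count denied destinations, rank them by how many distinct employees hit them (a block that one person trips fifty times is a different conversation from one that half the company trips), and set aside categories that must stay blocked regardless of productivity. The following is an added example, not code from the article; the key=value log layout, hostnames, user names and category labels are constructed, so the regular expression will need adjusting to whatever format your firewall or proxy actually emits.

```python
"""Rank denied destinations from a firewall/proxy log to decide which blocks to revisit.

Added example (not from the article). The log layout, hostnames, user names and
category labels below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in a generic key=value style; one deliberately malformed.
SAMPLE_FW_LOG = """\
2024-03-04T09:01:12Z action=deny user=alice dst=www.facebook.com cat=social
2024-03-04T09:02:40Z action=deny user=bob dst=www.facebook.com cat=social
2024-03-04T09:03:05Z action=allow user=bob dst=docs.example.com cat=business
2024-03-04T09:05:17Z action=deny user=carol dst=drive.example-cloud.com cat=storage
2024-03-04T09:06:44Z action=deny user=alice dst=drive.example-cloud.com cat=storage
2024-03-04T09:08:02Z action=deny user=dave dst=drive.example-cloud.com cat=storage
2024-03-04T09:09:30Z action=deny user=alice dst=www.facebook.com cat=social
2024-03-04T09:11:11Z action=deny user=eve dst=bad.example-malware.test cat=malware
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+user=(?P<user>\S+)"
    r"\s+dst=(?P<dst>\S+)\s+cat=(?P<cat>\S+)$"
)

# Categories that are blocked for security reasons and are never review candidates
# (constructed labels; use your own product's category names).
SECURITY_CATEGORIES = {"malware", "phishing", "command-and-control"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def rank_denied_destinations(text):
    """Aggregate deny events per destination, ranked by distinct users, then hits."""
    hits = Counter()
    users = defaultdict(set)
    category = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "deny":
            continue
        hits[rec["dst"]] += 1
        users[rec["dst"]].add(rec["user"])
        category[rec["dst"]] = rec["cat"]
    ranked = sorted(hits, key=lambda d: (-len(users[d]), -hits[d], d))
    return [
        {"dst": d, "hits": hits[d], "distinct_users": len(users[d]), "category": category[d]}
        for d in ranked
    ]


def review_candidates(ranked, never_unblock=SECURITY_CATEGORIES):
    """Keep only destinations whose block is a productivity question, not a security one."""
    return [row for row in ranked if row["category"] not in never_unblock]


if __name__ == "__main__":
    ranked = rank_denied_destinations(SAMPLE_FW_LOG)
    print("Most-hit blocks (all):")
    for row in ranked:
        print(f"  {row['dst']:<28} users={row['distinct_users']} hits={row['hits']} cat={row['category']}")
    print("Worth a productivity-vs-security discussion:")
    for row in review_candidates(ranked):
        print(f"  {row['dst']}")
```

On the constructed input the cloud-storage host tops the list (three different users), Facebook comes second (two users, three hits), and the malware-category host is reported but filtered out of the review candidates because that block is not up for a productivity debate.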
Your employees want to access the company network with their mobile devices. Your IT department wants to keep the network secure from outside threats. To balance both objectives, launch a mobile device management solution. MobileIron offers an easy-to-deploy mobile device management option with a BYOD device registration portal, Enterprise Appstore and embedded certificate authority. It also enables automated policy workflow so non-compliant devices do not receive network access.
Employees bring differing levels of technology comfort to their work computers. If the user interface is complex or doesn’t offer intuitive navigation, then employees will inevitably try to work around it. One tested way of determining whether a security product is user-friendly is to invite end users to test-drive the product before implementing it company-wide. If end users don’t grasp the general navigation immediately, then the solution isn’t as user-friendly as it needs to be.
Cyber security has to be both easy and convenient for end users in addition to providing rock-solid network protection. By implementing SSO, culling firewalls, streamlining mobility and prioritizing user-friendliness, IT will gain both network security and end-user cooperation.