Imagine you’re a sales person, and when you try to visit a client’s website, you get a message saying that it’s blocked because it’s not on your company’s whitelist. Or maybe you’re a programmer, and when you go to install the latest version of the Eclipse development software you use to write code, your computer (and your IT department) won’t allow it. Every company is worried about cybersecurity, but there is such a thing as being too locked down.
For example, one way IT departments look to curb reckless employee behavior is through blocking websites and non-work-related apps on corporate networks. A10 Networks’ Application Intelligence Report published earlier this year found that nearly two-thirds of employees (61 percent) say their companies block specific sites or applications.
But preventing employees from having a certain degree of technological freedom-- whether that’s installing software, downloading apps or choosing a different web browser--can have a negative effect on their productivity. Some contend that strict security policies are at odds with the current climate for digital disruption and can hinder a business’ capacity for innovation in an increasingly competitive landscape.
The problem starts when employees, empowered by the always-on availability of IT at their fingertips, want to use their own laptops and other personal devices in the workplace, as well as download the software they believe will make their work lives easier.
It is up to the IT team to decide to what extent it wants to restrict users’ choices. Securing the organization is the priority, and with cyberattacks escalating in frequency and complexity, it’s easy to understand the IT department’s overwhelming urge to lock everything down.
For example, high-profile ransomware attacks have grabbed headlines over the past couple of years. They are now being overtaken by a rise in fileless attacks (opens in new tab) as malware developers step up their evasion efforts. Meanwhile, analyst Gartner forecasts there will be 25.1 billion Internet of Things (IoT) endpoints installed by 2021, ramping up pressure on IT teams to secure any devices connected to the corporate network.
The problem, as IT sees it, is that employees are often the reason for such security breaches within an organization. In fact, Shred-it’s 2018 State of the Industry: Information Security report shows 84 percent of C-level executives and 51 percent of small business owners believe employee negligence to be one of the biggest information security risks to U.S. businesses.
As such, one of the biggest causes of conflict between the IT department and employees is the downloading of unauthorized apps for use in the workplace. The A10 Networks report notes that almost a third (30 percent) of employees say they knowingly use non-sanctioned apps at work or on company-owned devices. However, a third of those downloading unapproved apps claim their hand is forced by their own IT department that often won’t give them access to the apps they need to do their jobs.
“If you make [technology] so restrictive that you have zero risk, no one will ever use it,” David Mayer, who heads Insight’s Connect Workforce business, tells Tom's Hardware.
Striking a Balance
Security experts agree that an organization’s security postured should be balanced alongside employee productivity and happiness.
“Allowing employees to work the way they want and utilize the tools they want introduces a massive amount of risk into an otherwise secure environment. However, not allowing them to do so can kill your employees’ productivity,” Joey Costa, CEO of Raleigh, NC-based managed security service provider (MSSP) The Tek, tells Tom's Hardware.
The way around this, says Costa, is for a business to focus its security program around the user experience. He advises "working with your users to understand how they want to work, what kinds of applications and operating systems they want to use and designing your security program for enablement and extensibility that will allow you to raise employee productivity and satisfaction while still keeping your overall risk level low."
Jake Madders, director at Hyve Managed Hosting, which has data centers in Los Angeles, Boston and Miami, agrees that IT chiefs should try to strike a balance.
“Businesses should seek to empower employees in every sense, including when it comes to technology. Preventing users from making extensive changes to their software is one thing, but placing restrictions on employees making simple changes, such as choosing a different web browser, risks patronizing and ultimately demotivating them,” he tells Tom's Hardware. “The internet can be a great tool for discovering new and creative ways to save time and increase efficiency through new applications, so allowing employees to have the freedom to do so is key to developing the business internally.”
Madders believes that training is key to ensuring that employees do not unwittingly weaken their company’s defenses.
“The key here is education--teaching team members how to stay secure, as well as what and how company security policies are implemented,” he says. “After all, adequate security is built from the ground up--starting with the core vulnerability, which is often, arguably, the users themselves.”
Independent industry analyst Rob Bamforth agrees with IT departments that the weak link in most security chains is the employees themselves, but getting the workforce on board with good security practices means starting from the top.
“Having them understanding, bought into and overall supporting security programs and procedures is critical. Having said that, edicts that come from a security decision-maker that seem at odds with the needs of the business are no good either,” he tells Tom's Hardware.
“Good CISOs get this. Security has to be engaged with and close to the business and users. Security risk and vulnerabilities need to be understood by all in a business context--what’s the impact on the business? Broad understanding aids buy-in and helps the organization adopt a practical security posture that is right for the business, not too painful for users and delivers sufficient protection.”
Interestingly, the Shred-it report notes that most North American businesses say they are confident in their employees’ efforts to safeguard company data, yet most do not provide staff with regular training on information security procedures.
“Ironically, many businesses still place responsibility for data security on their employees,” it says.
Insight’s Mayer says there is no reason today for an organization to impose overly restrictive security policies, although he acknowledges that sometimes “that’s the easy way out.”
Ultimately, the best security posture for a business to adopt is one that is not about restricting users, but restricting risk.
“There is management technology that ensures [unsanctioned] applications don’t even get onto the corporate network; they only live on the user’s machine. Cloud Access Security Broker [CASB] solutions out there can stop you accessing certain sites at work, for example,” he says, adding it goes back to balance.
“You’re balancing a risk profile. What is the risk you’re comfortable taking? There’s no way to make a flexible system that is 100 percent secure. But if you can make it 97 percent secure, and then you can manage and track that last three percent, maybe that’s a risk profile you’re willing to take.”
The answer lies in finding a balance where IT doesn’t feel it has to clamp down on users’ activities or behavior too much, which could ultimately lead to frustration and an inability to evolve as an organization. Security pros should weigh the risks to the organization while remaining flexible to employees’ needs and expectations of the modern workplace.