How Secure Is Too Secure for Employees?

Credit: Shutterstock | selinofoto

Imagine you’re a sales person, and when you try to visit a client’s website, you get a message saying that it’s blocked because it’s not on your company’s whitelist. Or maybe you’re a programmer, and when you go to install the latest version of the Eclipse development software you use to write code, your computer (and your IT department) won’t allow it. Every company is worried about cybersecurity, but there is such a thing as being too locked down. 

For example, one way IT departments look to curb reckless employee behavior is through blocking websites and non-work-related apps on corporate networks. A10 Networks’ Application Intelligence Report published earlier this year found that nearly two-thirds of employees (61 percent) say their companies block specific sites or applications.

But preventing employees from having a certain degree of technological freedom, whether that’s installing software, downloading apps or choosing a different web browser, can have a negative effect on their productivity. Some contend that strict security policies are at odds with the current climate of digital disruption and can hinder a business’ capacity for innovation in an increasingly competitive landscape.

The problem starts when employees, empowered by the always-on availability of IT at their fingertips, want to use their own laptops and other personal devices in the workplace, as well as download the software they believe will make their work lives easier.

It is up to the IT team to decide to what extent it wants to restrict users’ choices. Securing the organization is the priority, and with cyberattacks escalating in frequency and complexity, it’s easy to understand the IT department’s overwhelming urge to lock everything down.

For example, high-profile ransomware attacks have grabbed headlines over the past couple of years. They are now being overtaken by a rise in fileless attacks as malware developers step up their evasion efforts. Meanwhile, analyst Gartner forecasts there will be 25.1 billion Internet of Things (IoT) endpoints installed by 2021, ramping up pressure on IT teams to secure any devices connected to the corporate network.

The problem, as IT sees it, is that employees are often the reason for such security breaches within an organization. In fact, Shred-it’s 2018 State of the Industry: Information Security report shows 84 percent of C-level executives and 51 percent of small business owners believe employee negligence to be one of the biggest information security risks to U.S. businesses.

As such, one of the biggest causes of conflict between the IT department and employees is the downloading of unauthorized apps for use in the workplace. The A10 Networks report notes that almost a third (30 percent) of employees say they knowingly use non-sanctioned apps at work or on company-owned devices. However, a third of those downloading unapproved apps claim their hand is forced by their own IT department that often won’t give them access to the apps they need to do their jobs.

“If you make [technology] so restrictive that you have zero risk, no one will ever use it,” David Mayer, who heads Insight’s Connect Workforce business, tells Tom's Hardware.

Credit: Shutterstock | thodonal88

Striking a Balance

Security experts agree that an organization’s security posture should be balanced against employee productivity and happiness.

“Allowing employees to work the way they want and utilize the tools they want introduces a massive amount of risk into an otherwise secure environment. However, not allowing them to do so can kill your employees’ productivity,” Joey Costa, CEO of Raleigh, NC-based managed security service provider (MSSP) The Tek, tells Tom's Hardware. 

The way around this, says Costa, is for a business to focus its security program around the user experience. He advises "working with your users to understand how they want to work, what kinds of applications and operating systems they want to use and designing your security program for enablement and extensibility that will allow you to raise employee productivity and satisfaction while still keeping your overall risk level low."

Jake Madders, director at Hyve Managed Hosting, which has data centers in Los Angeles, Boston and Miami, agrees that IT chiefs should try to strike a balance.

“Businesses should seek to empower employees in every sense, including when it comes to technology. Preventing users from making extensive changes to their software is one thing, but placing restrictions on employees making simple changes, such as choosing a different web browser, risks patronizing and ultimately demotivating them,” he tells Tom's Hardware. “The internet can be a great tool for discovering new and creative ways to save time and increase efficiency through new applications, so allowing employees to have the freedom to do so is key to developing the business internally.”

Madders believes that training is key to ensuring that employees do not unwittingly weaken their company’s defenses.

“The key here is education--teaching team members how to stay secure, as well as what and how company security policies are implemented,” he says. “After all, adequate security is built from the ground up--starting with the core vulnerability, which is often, arguably, the users themselves.”

Independent industry analyst Rob Bamforth agrees with IT departments that the weak link in most security chains is the employees themselves, but getting the workforce on board with good security practices means starting from the top.

“Having them understanding, bought into and overall supporting security programs and procedures is critical. Having said that, edicts that come from a security decision-maker that seem at odds with the needs of the business are no good either,” he tells Tom's Hardware.

“Good CISOs get this. Security has to be engaged with and close to the business and users. Security risk and vulnerabilities need to be understood by all in a business context--what’s the impact on the business? Broad understanding aids buy-in and helps the organization adopt a practical security posture that is right for the business, not too painful for users and delivers sufficient protection.”

Interestingly, the Shred-it report notes that most North American businesses say they are confident in their employees’ efforts to safeguard company data, yet most do not provide staff with regular training on information security procedures.

“Ironically, many businesses still place responsibility for data security on their employees,” it says.

Restricting Risk

Insight’s Mayer says there is no reason today for an organization to impose overly restrictive security policies, although he acknowledges that sometimes “that’s the easy way out.”

Ultimately, the best security posture for a business to adopt is one that is not about restricting users, but restricting risk.

“There is management technology that ensures [unsanctioned] applications don’t even get onto the corporate network; they only live on the user’s machine. Cloud Access Security Broker [CASB] solutions out there can stop you accessing certain sites at work, for example,” he says, adding it goes back to balance.

“You’re balancing a risk profile. What is the risk you’re comfortable taking? There’s no way to make a flexible system that is 100 percent secure. But if you can make it 97 percent secure, and then you can manage and track that last three percent, maybe that’s a risk profile you’re willing to take.”

The answer lies in finding a balance where IT doesn’t feel it has to clamp down on users’ activities or behavior too much, which could ultimately lead to frustration and an inability to evolve as an organization. Security pros should weigh the risks to the organization while remaining flexible to employees’ needs and expectations of the modern workplace.

7 comments
Comment from the forums
  • mwryder55
    Many security policies are mandated by outside forces, government and industry, rather than the internal IT department. Most of these cannot be changed to make it "easier" for an employee to do what they think is best. Our company has to work with regulations from the credit card industry, health care industry, and a number of state and federal agencies.
    A lot of these restrictions are to keep anyone from uploading data on our computers or accessing data their job does not specifically require. While we do have latitude in some areas as to what programs the users can access, other areas are totally locked down to approved apps, especially with the PCI compliance. Things like Dropbox and a number of other sites are totally off-limits.
    Other restrictions we have to implement prohibit the use of cell phones or any other personal electronics in the office. Again, this is more to protect the information the employees have access to, rather than draconian rules we make up because we can.
  • digitalgriffin
    I encountered a similar issue trying to install driver support for ESP8266 on Arduino IDE.

    The weakest point of any secure system is typically the humans, not the PCs themselves. That's why phishing attempts are so popular. Exploits are harder from outside the network.

    That said, most employees are not technologically literate enough to safely evaluate if what they wish to use, or the link they wish to visit is actually safe. And IT services does NOT have the ability to check every piece of software out there for risk vulnerability.

    There are also other risks involved regarding licensing. For example, some software is free to download and use without a nag asking you to pay. This is because it is free for personal use. But if you use it in a corporate environment, you could get into big trouble. Not everybody reads the EULA.
  • spdragoo
    From my experience, most of the time when someone says, "I need to have access to App X because it helps me/my team better do our work", it usually comes down to one of the following:

    1) "I don't like App Y that my employer provides me for free, so I'm just going to use App X instead even though there's no actual difference between the two in terms of performance"
    2) "I don't like App Y that's provided by my employer because I have a personal hatred of the company that supplies App Y, even though my personal hatred has nothing to do with how the app actually works", or "I prefer using App X solely because of my personal feelings towards the company that produces it, even though there's no practical evidence that it's better than other apps"
    3) "I prefer using App X because of this particular feature, even though my employer's HR & workplace policies and/or government regulations prohibit me from using that feature in the workplace"
  • smorizio
    There's a good case study you can read about when HP a few years back was beta testing Windows on their live servers and PCs. There was a bad update and HP's web site and servers were offline for almost two weeks. HP lost a lot of money and posted they would never be a beta tester for Windows again.
  • nobspls
    Why is security needed? Because of bad actors, people deliberately trying to break stuff and scam other people. When security is at a level beyond defending against those "bad" people, then it is too much security.

    How does someone know that they crossed the line? When they start blocking USB thumb drive access and yet cannot stop the idiots from accessing some bad websites from the work machines they can take home, which are no longer gated by the corporate firewall.
  • Olle P
    Anonymous said:
    Many security policies are mandated by outside forces, ...
    Those mandates typically regulate what to protect and what to protect it from. How to implement those protections are usually up to the user (company or equivalent). The user must be able to show that the protection is good enough.

    Anonymous said:
    There are also other risks involved regarding licensing. ... Not everybody reads the EULA.
    True. Not everybody cares about the EULA even if they know they breach the licensing terms.
  • mwryder55
    Anonymous said:
    Many security policies are mandated by outside forces, ...
    Those mandates typically regulate what to protect and what to protect it from. How to implement those protections are usually up to the user (company or equivalent). The user must be able to show that the protection is good enough.

    Many of the requirements of PCI (Credit Card Processing) compliance dictate what we have to do. We can choose what programs to use, but they have to be approved by the auditors. A lot of our practices are controlled the same way. Things like hardening the computers have a very long checklist, and we have to justify every single deviance. If we let everyone do what they wanted, there is no way we could pass the audits. Proving that employee-owned electronics were really secure is impossible; look at all the breaches at very big companies and government agencies.