Blog · 17 Feb 2021

How CISOs can create security measures people will follow

Research shows people accept some inconvenience to stay secure, but there are limits to their compliance. CISOs need to deliver security that makes sense to their users.

Natalie Walker
Senior Manager, Managed Security Services, BT

One of the headline findings of our latest research into cybersecurity attitudes is that there’s now little resistance from consumers to increased security measures – as long as they don’t get in the way.

A big part of this shift in thinking is down to a general increase in awareness around cybersecurity. Cornerstone pieces of legislation, like GDPR in Europe and the California Privacy Act in the US, have reached the public consciousness, and people are making more connections between their data privacy and security procedures. There’s also been more reporting of cybersecurity threats and attacks in the mainstream news, so it’s increasingly part of our lives now, rather than being a specialist subject you have to go looking for.

The inclusion of security features in everyday technology, particularly in smartphones, is having an impact, too. Consumers are used to fingerprint or facial recognition – and are left wondering why they can’t have that in the business environment.

Employees have definitely accepted that there may be some inconvenience in their dealings with organisations. They understand the trade-off between security and convenience – but companies must be wary, because there’s a point where security just becomes irritating for employees, and they stop complying and start looking for workarounds.

Consumers, too, are sensitive to the amount of inconvenience involved in staying secure. Although they can’t look for workarounds (like employees), they can, and do, vote with their feet or their business if they don’t feel secure enough, or if security gets too complicated.

This leaves organisations facing a dilemma: how do you balance security with user experience to get people to comply – inside the company, as well as externally?

Overcomplicated security triggers non-compliance

We were talking with a financial services organisation that was having issues with password compliance. They were asking employees to use a different password for every service they accessed, and it just wasn’t working. Employees couldn’t remember all the passwords and the workarounds that this sparked were creating a significant cybersecurity threat vector. As a first line of defence, we introduced a single sign-on capability that unlocked subsequent logins and simplified things massively for their users.

Another example of security not working is where a rail operator had installed a second-factor authentication system that popped up alerts on the user’s mobile saying, “is this really you?” But the alerts were popping up every minute or so, and people were getting bored and hitting the ‘yes’ button without thinking, just to make it go away. The operator suspected this was creating a serious security weakness. They ended up hacking their own team, and they confirmed they were right. We helped them review their approach to prioritise how they used the alerts.

Both these examples show how easily the systems you design to increase your security can end up making you less secure. And it underlines how important the user experience is to getting security practices to work as you intended them to.

The three steps to security people will use

Implementing security processes that people won’t resist has three clear stages.

  1. Focus on protecting what’s most important
    Start by accepting that if you protect everything to the highest level, then you’ll create a situation where people are continually being buffeted with security messages, and they’ll stop paying attention. Work out which bits of your data are business-critical and then protect accordingly. And always make sure there’s a sound business rationale behind your decisions. Some areas are better off with just basic security in place.
  2. Explore the user experience
    Understand what burden your security measures put on the user, and remember that it’s human nature to take the path of least resistance. Think of it like those paths of convenience you see worn into grassy areas in parks, where people have made their own shortcut, avoiding the longer, ‘official’ path. I don’t recommend fighting human nature; instead, work with your users to find the easiest way of doing things to maximise compliance.
  3. Collaborate with your users
    This is all about increasing your employees’ understanding of security, so they’re on the alert for cyber threats. Create clear channels of communication with IT teams and make it obvious you’re trying to find effective ways of keeping the business secure. You want to get to the stage where employees come to the IT team asking for advice and guidance on the approved ways of doing things. Then, if there isn’t one, you can work together to make a sanctioned, positive way to do it.

Successful security is user-centric

To create security that works, you have to make using it easy – and that means thoroughly understanding the user perspective when implementing solutions. Always remember that it’s not a case of one size fits all, so a flexible and nuanced approach to development is essential.

And if this has raised any questions about your own security, our Security Advisory Services practice can help. We offer strategic security guidance and solutions to organisations across the globe, helping them to navigate today’s complex cybersecurity landscape. From assessing and testing defences, to putting together solutions that meet security needs, our team provide support at all stages of the security journey.

Start assessing your current position by asking yourself these questions:

  • do security measures get in the way of letting your employees do their jobs?
  • are you already thinking about how you might deploy new security?
  • are you clear on what your users do, or fail to do, that could defeat the best-conceived security policies and solutions?

To find out more about our advisory services, please get in touch with your account manager. And to explore our latest security research in more detail, download our new whitepaper, ‘CISOs under the spotlight’.

Or take a closer look at some of the services below that could help protect your organisation:

Cloud Access Security Broker lets you protect your important data held in the public cloud, giving you complete visibility, control and protection over your data.

Our identity and access management services let you quickly and securely access both cloud-based and on-premises applications, whilst focusing on the user experience by avoiding multiple passwords and continuous user authentication.

With endpoint detection and response, you get visibility, control and protection for every smart device upon which it’s installed along with threat hunting, protecting those parts of your network and infrastructure most in need of protection.

With Managed Azure Sentinel, our cybersecurity experts will detect, analyse and mitigate threats across your Microsoft estate, working closely with incident response teams to protect your data.