Most security teams use a “prohibition approach” of restricting user access to websites and applications, according to a study conducted by Vanson Bourne and commissioned by Bromium Research.
However, this approach not only hampers productivity and innovation, but is a major source of frustration for users, according to the survey of 500 CISOs from large enterprises in the UK, US and Germany.
The survey revealed that 88% of enterprises prohibit users from using websites and applications due to security concerns, with 94% investing in web proxy services to restrict what users can and cannot access.
Unsurprisingly, these restrictions negatively impact user experience, with 74% of CISOs saying users have expressed frustration that security is preventing them from doing their job and 81% said that users see security as a hurdle to innovation.
Security could also be impacting customer’s relationships and deals, the survey shows. CISOs report that they get complaints at least twice a week that work has been held up by over-zealous security tools.
As a result, IT help desks are spending an average of 572 hours a year responding to user requests and complaints regarding access to websites.
All this frustration is creating an uneasy relationship between IT, security and the user, the survey shows, with 77% of CISOs saying they feel caught between letting people work freely and keeping the enterprise safe.
Read more about threat intelligence
- Threat intelligence tools are a growing market and enterprises need to be able to see through the hype to get the best product for them.
- Learn how threat intelligence services benefit enterprise security and how to subscribe to the right threat intelligence service.
- Threat intelligence is quickly becoming an essential ingredient for protecting corporate systems and data.
A further 71% said they are being made to feel like the bad guys, because they have to say no to users requesting access to restricted content.
“At a time when competition is fierce, the risk of falling behind and being less productive is as big a risk to an enterprise as cyber attacks,” said Ian Pratt, president and co-founder of Bromium.
“Security has to enable innovation by design, not act as a barrier to progress. Sadly, traditional approaches to security are leading to frustrated users, unhappy CISOs and strained relationships between workers and IT departments – all of which stifles business development, innovation and growth,” he said.
But Pratt said this is unacceptable in a world where time to market is a vital driver for business success. “We need to put an end to this catch-22 between security, productivity and innovation – things need to change.”
These figures suggest enterprises need a new approach to security, the research report said. With revenue, reputation and share price on the line, those who look to new approaches to security will not only protect the business, but have the competitive advantage.
“The way security works today is broken. It is unacceptable that users are making helpdesk requests just to get permission to download documents and access websites they need to do their job,” said Pratt.
“It is also unfair that IT and security are seen as the enemy when they are simply trying to keep the organisation safe,” he said. “But it doesn’t need to be this way. There is a way to let users click with confidence while keeping the organisation safe. It’s called application isolation.”
Putting targeted activities into micro virtual machines
Application isolation, said Pratt, puts the activities most often targeted by cyber criminals – downloading files, using applications, browsing the internet – into micro virtual machines. When these activities are initiated, the network is protected because malware is trapped inside the container. As a result, restrictions on users can be lifted and employees can get back to work.
“This micro virtualisation approach to security transforms the relationship between the user and IT,” he said. “Instead of users calling IT to say there is a problem, they call to say they trapped some malware.
“Security teams congratulate the user and then have the opportunity to extract and analyse the malware,” said Pratt. “This allows users, IT and security to work together to gather threat intelligence that protects the business at large.”