
Security Think Tank: Four guidelines on how to balance security, usability and cost

How can organisations maintain usability and keep support costs low without compromising on security?

Many organisations suffer from over-complexity of the systems and processes that support their business activities. The benefits of streamlining and simplification are well documented yet often remain a “target end-state” without being achieved.

Security is no different from any other operational process. We want users to play their part, but we want it to be integrated into their everyday activities so that conscious security decisions are made only when there is something worth acting on.

If an employee is thinking about security, it is better for them to be reporting a phishing attempt than to be stuck in a helpdesk queue waiting for a password reset on a reporting system they use infrequently.

The complexity of security processes directly affects the cost of operating them. For example, it is not uncommon to hear that something as simple as resetting a password can cost organisations up to £50.

In addition, the more time that users and managers are tied up in administration, the less time they spend on their day job. Activities such as onboarding new staff can take much more effort than necessary because of sub-optimal processes.

It is not uncommon to see account provisioning take weeks rather than hours or days. This inefficiency costs time and money and, in the case of account provisioning, can lead to increases in risk as users share credentials or key tasks are not performed by the individual responsible for them.

So, how do we maintain an appropriate security posture while reducing the burden on users and keeping support costs under control?

Streamline security processes

Operate a common process for security activities across all applications as far as practicable. Embed key controls in the common process to reduce costs, and ensure that application- or resource-specific activities are performed only when necessary.

Make the common process easy to interact with and ensure that employees know their part in it. Using self-service and workflow to guide and route users can improve the user experience and reduce administration costs by removing the need to support manually intensive process steps.

Automate as much as possible

When done correctly, automation in the security area can improve usability, improve security posture and reduce support costs. The return on many security investments is intangible, because they protect against something that might happen. Process automation has a return on investment (ROI) that is much easier to demonstrate.

Common examples of where automation provides multiple benefits include:

Single Sign On (SSO)

  • Users benefit from not having to remember lots of passwords.
  • Helpdesk ticket numbers are reduced, driving down support costs.
  • It can be a good opportunity to strengthen authentication, for example by enforcing multi-factor authentication.

Email filtering

  • Reduction in spam means employees waste less time processing those emails.
  • Low-to-medium phishing attempts are caught. This presents fewer opportunities for users to fall victim, especially when accompanied by good education and awareness.

Identity and access management

  • Human Resources-driven provisioning puts responsibility in the hands of the business.
  • Provisioning lead times are reduced.
  • Job-based entitlements provide the right access to the right people at the right time.

External customers can have different requirements from internal users and, depending on the nature of the organisation's business, those requirements vary greatly. From a security perspective, there are some key recommendations that will help maintain security for users while managing cost.

Buy, don’t build

If selected correctly, a platform or service will provide a user experience and a level of security that would be more expensive to achieve with a bespoke system. Look for independent assessments of security compliance, such as a SOC 2 report, for any service you consider.

Take a risk-based approach to controls

Select controls based on the risk of the data and processes that the customer is interacting with. Prioritise controls that balance the overhead on the customer with the cost of operation.

Organisations, users and customers can derive a lot of benefit from the automation of security activities. In many cases, automation increases security, improves the user experience and reduces operational costs – albeit requiring some investment up front. 

The key to achieving the right balance between security, enablement and costs is understanding what the risks are and choosing appropriate controls and tools that cover multiple scenarios.  
