How can business ensure security technologies are aligned with work processes so that it is easy for end-users to do the right thing and not circumvent controls?
Many security technologies do not appear to be effective because they do not fit in with the way people work. Users often ignore, avoid or circumvent anything that makes it difficult for them to do their jobs. And why would they not?
In an ideal world, we would wish that security features were designed in from the start. So how can it be that we have an industry so full of products that cross over each other, duplicate each other and, often more frustratingly, conflict with each other?
We still need to make progress in this area. Within the information security industry we have a long history of borrowing our descriptions from the motoring industry, where security features can be considered the equivalent risk reduction mechanisms, akin to seat belts, brakes, fluid level checks, speed restrictions and so on. Given that the motoring industry has built all of these features in over time, how are we still able to accept an industry in which the plethora of products mentioned above continue to exist in isolation from each other?
Granted, we have seen a number of mergers and no doubt will experience more given the current economic climate, but our users are more likely to "properly" engage if we make things simpler.
Passwords are but one of the product issues that affect the average user: we have tokens, keys, logins, PINs, acceptable usage boxes, prompts, "warnings"... so many little things that tend to feel as though they are there to get in the way of just getting on with work. It is no wonder the users are frustrated and, in some cases, we find that "the natives are revolting"! Quite recently I encountered a situation where there is known password sharing because it makes work more effective... and yet the policy clearly forbids such activity. So either the staff need to be summarily dismissed (highly unlikely) or the policy needs to be changed (much more suitable).
Information security people need to be prepared to shift the ground rules in order to match user requirements more appropriately, whilst remaining in alignment with risk management principles and expectations. With any security policy implementation there needs to be an exception process whereby a case can be made and justified, with manual or compensating controls put in place, as appropriate, to minimise the risk. However, with shared user IDs this can lead to non-repudiation issues, because an individual's actions cannot be confirmed as their own and accountability is lost.
So, as ever, it is a hornets' nest of issues that need to be framed in a risk management context in order to best implement appropriate safeguards to protect information and employees alike.
Andrea Simmons is a consultant forum manager at the BCS Security Forum