Tony Pepper, CEO of Egress Software Technologies, looks at how consumer awareness, matched with user-friendly functionality, could aid the Information Security Revolution.
There’s no doubt about it: information security is now a hot topic, not only for CIOs, but for users and customers too. Edward Snowden’s revelations from two years ago have been followed by a period of increasingly high-profile data breaches and cyberattacks, making data protection a personal issue for citizens around the world.
As a result, today’s citizens are security conscious – they want to know who has access to their information and how it is being used. It is no surprise, therefore, that we have seen consumer applications jumping on the security bandwagon to quell customer fears – take, for example, Facebook offering encrypted password reset messages and the introduction of two-factor authentication by Snapchat.
Yet while it’s positive to see individuals and companies becoming more aware of the need for information security, this citizen-led revolution could be a double-edged sword. On the one hand, CIOs and CISOs will benefit from heightened awareness in their user base and hopefully receive less resistance when attempting to set new rules around information sharing.
On the other hand, expectations around usability will inevitably be raised, with employees expecting a consumer tech experience in the workplace and many bypassing organisational security measures if they do not deliver. In this context, what is a CIO to do?
My way or the highway?
Historically, IT departments have been empowered to implement top-down security measures on staff; IT would dictate the solutions and policies that needed to be in place and colleagues would be obliged to follow. Yet as with any top-down management process, there were always difficulties for IT in getting users to adopt secure means of working.
While policies and procedures may have been introduced, typically workers have found it hard to personally relate the need for information security to themselves and the work that they do – particularly if these security measures make it more difficult for them to do their jobs or slow down productivity. As a result, IT has had an uphill struggle trying to implement security protocols and encourage user adoption, meaning the risk of human error has always been a huge challenge to manage.
However, the tides are turning. Information security is no longer an issue that IT alone is concerned with. Pressure for robust data protection measures is coming not only from employees, who understand the business’ needs, but also from end-users – whether citizens receiving public sector services, or clients engaging with legal or financial firms, etc. When both employees and end-users can access security features in their personal lives, they will be more willing to adopt these technologies in the workplace.
However, this also means they will start to bang on IT’s door to demand new or improved functionality from their organisations, letting them interact securely in the ways they want and need to. And herein lies the potential problem.
Piling on the pressure
User awareness is both a blessing and a curse for IT security professionals. As people become familiar with using consumer tools in their private lives, they will put pressure on IT to deliver the same experience in the workplace.
As such, IT departments need to anticipate the demand that’s coming their way. The first point for consideration is the infrastructure already in place. The way technology is consumed has changed rapidly over the last few years with the rise of mobile devices and cloud. So if, for example, employees are used to generating encrypted messages or using two-factor authentication via their mobile phones, they will doubtless demand this same security in a work environment.
Similarly, individuals have become used to sending and receiving large files via the cloud at the click of a button using services such as Dropbox. However, while these tools may be secure enough for a social context, most are not designed for handling sensitive data. In the past, secure encrypted alternatives have been cumbersome in many instances and difficult to use, creating a risk to productivity.
Falling either side of this line will likely have data protection implications for your business. Lack of security in these solutions inevitably puts sensitive information at risk. Equally, solutions that are difficult to use will lead to people cutting corners and relying on potentially unprotected third-party mechanisms for communicating sensitive information.
The lesson here is the importance of balancing convenience and user experience against the business need to reduce risk – so it is vital to deploy a tool that is designed with users in mind but created to meet the business’s need for security.
Mistakes happen; safety nets are crucial
However, having the right tools in place to encourage user adoption is just part of the battle; even in the most security-conscious and well-equipped environments, people can still make mistakes. Last year, an FOI request we made to the ICO revealed that 93% of data breaches are caused by human error – so reducing this margin for mistakes through smart technology should be a primary aim for organisations implementing data protection measures.
One way to achieve this is, where possible, to take decisions away from end-users – for example, through policy scanning and gateway encryption. Mistakes happen, but if you can anticipate areas of the business where they’re more likely to occur, then why wouldn’t you use technology to reduce this risk?
In addition, businesses need to provide ways to mitigate the impact of any mistakes through measures such as revoking access to emails that have been sent in error or preventing recipients from printing attachments (and therefore preventing them from disposing of hard copies incorrectly or losing them).
My advice to security buyers therefore is to think of their users and evaluate the sensitivity of their data and how it needs to be processed or shared, so that they have a clear picture of how in-depth their security needs to be.
They should ensure the chosen service is intuitive for both employees and end-users, and offers the security levels needed, while also providing a safety net for when users make mistakes. By thinking about how people work and what will make their lives easier, there will be less resistance to the adoption of secure practices.