A corporate security plan is meant to create policies that protect corporate assets and limit liability without harming efficiency. But companies often fail to find the right balance between security and user experience. As a result, security becomes an annoying antagonist that diminishes both enthusiasm and productivity and makes working remotely difficult.
When some 87 percent of employees in the US, UK and Germany say their corporation prioritizes corporate security over employee convenience, it means HR marketing strategies such as work-from-home-jobs or BYOD-friendly-environments have become double-edged swords. Initially, using more than one device for work could have made an employer more attractive to job applicants, as employees were demanding not only to use their own devices in the workplace but also more flexibility in how, when and where they work. Now they share concerns about how to protect their private data and activities from their employer and oppose employers’ security routines daily.
Recent studies show that 91 percent of companies feel measures that employers put in place negatively impact productivity, and 92 percent of business respondents are negatively affected when required to use additional security for remote work.
Separate passwords – layered with multifactor authentication – plus separate security measures for remote workers, BYOD and protection against outside threats result in poorly implemented security that obstructs productivity and exposes the business to risk from employee workarounds, authors of the study say.
Nearly nine in 10 employees must keep track of multiple work passwords, with 56% keeping track of two to five different login/password combinations for files and applications required at work.
When looking at changes to security in their corporate environment over the past 18 months, more than half of respondents say security has had a greater day-to-day impact on their work. More than 60% of IT professionals indicated that lack of awareness (or just a lack of knowledgeable people) is the greatest barrier to a context-aware security practice in their organization.
On the other side, nearly 70 percent of IT professionals say employee workarounds to avoid IT-imposed security measures pose the greatest risk to the organization. According to a survey cited earlier by HOTforSecurity, some 35 percent of employees would sell information on company patents, financial records and customer credit card details for the right price. One in four employees would sell company data, risking both their jobs and criminal convictions, for less than $8,000. About 3% would sell private information for as little as $155 while 18% would. Some 61% of respondents said they had access to private customer data while 51% had access to financial data, such as company accounts or shareholder information, and 49% had access to sensitive product information, such as planned launches and patents, the study found.
Since employees are the weakest link in the security chain of a company, it all starts with educating them about the risks of exposing both company and personal data when not adhering to IT security practices.
“The matter of BYOD, WYOD, and work from home has often raised security concerns for both large and medium business, so procedures for dealing with rogue IT equipment, communication channels, and sensitive data handling need to be more than just set in place, but also mandatory knowledge for all employees”, according to Bitdefender’s senior e-Threat analyst Liviu Arsene. “While some might argue that a work-from-home program has a significant boost on productivity and employee satisfaction, this should only apply to activities and staff that does not require to directly connect to highly critical infrastructure data or components.”
Of course, employees are not to be fully restricted when outside the network perimeter of a company’s network, but they need to me made aware that access will be limited and restricted to non-critical systems. This is both for their protection as well as the company’s.
Properly implemented IT security should not become a burden for employees, but a conduct that’s spurred from both awareness and responsibility.
Almost all IT professionals (93 percent) agree that a lack of context-aware security causes challenges that include difficulty in quickly addressing changing security needs, non-standard access needs that require IT intervention, unnecessary impact on employee productivity, or inability to analyze how/why restrictions are managed to improve worker productivity.
In the context of IT consumerization and cloud computing, IT security has spawned new problems that have to do with employee productivity. Although context-aware security seems like a rational choice, it does pose some implementations problems in regards to redesigning access policies and even redesigning the entire infrastructure. The issue with toughening security is that employees are required to remember at least 2-3 passwords for accessing various network resources.
“One way of avoiding this hassle would be to simply identity the location of the individual (say, he’s currently in your headquarters), identify whether he’s connected via a physical connection (preferably a LAN wall outlet assigned to a specific MAC address), and use this information to ascertain that he’s currently plugged into the network perimeter from an authorized device and allow him access to resources that would otherwise require various authentication mechanisms”, says Liviu Arsene, Bitdefender’s senior e-Threat analyst.
Using context-aware security will not only boost productivity, but will also help IT personnel quickly identify possible network intrusions or anomalies more easily. Context-aware security also means eliminating the element of rogue IT, generated by employees that take it upon themselves to manage local resources. By providing employees with easy access to company-approved cloud storage, internet connectivity (so that employees won’t bring and connect their own routers, switches or access points), and even internal messaging apps.
“Context-aware security is not just about improving the overall productivity of employees, but also about minimizing potential exposure of company-sensitive information to outside parties”, Arsene adds.
Employees should gain access only to resources essential for day-to-day activity. Former employees generate significant risks of vulnerabilities, especially those who had access to confidential intelligence, unknown to those outside the organization. Companies must limit the risk of using sensitive information for personal reasons or to access it after resignation. All passwords used to access different types of accounts should be frequently changed to diminish risks of security breaches.