Striking a balance between user experience and security
By Phil Packman
The business environment is in a state of flux right now as organisations explore what the future of work will mean for them and find their feet.
For many of us, the way we work has changed or is about to change again – and this means security boundaries are moving. This presents us with a golden opportunity to rethink both how our organisations operate and how we can embed security so that it works well for the user.
Creating a fluid, effective user experience is critical to the success of your security; if your user experience is bumpy, your people will turn to their own devices, pushing up your security risks. Embedding security in a way that's barely visible to your users should be the goal. Thankfully, there's very little resistance to greater security measures, with 67% of consumers saying security is more important than convenience, but that doesn't mean they welcome any unnecessary friction being added to their user experience.
Striking the right balance between experience and security involves staying open to compromise, being willing to trade pure security for an acceptable, workable level of security that's easy to adopt. Communication, education and empowering your human firewall should be the foundation stones of effective security in a post-pandemic world.
Below are the three focus areas for creating a great user experience while prioritising security.
1. Put the power back into the human firewall
The first thing to recognise is that some user resistance to security is to be expected. During lockdown, users have potentially had a better experience at home than they had, or will have, in the office or in a new hybrid working model. With less bandwidth contention, home connectivity can be faster; your users may have been enjoying using their personal devices; and they may have had easy access to whatever websites and apps they wanted.
As security teams consider whether current security policies are fit for purpose, taking your user experience into account will prove critical to effective security. The challenge is to embed security in a way that wins your people round to compliance, introducing security that makes sense, so that your people won't revert to using their own insecure devices. The right communication is key: your users understand the need for security to protect your organisation and are far less likely to resist when the reasons for your policies are clear. It's time to put the power back into the human firewall by raising awareness and making it easy for your users to do the right thing.
2. Use friction to your security advantage
An effective way to do this is to introduce a small element of healthy friction into processes, putting in place helpful ‘speed bumps’ to slow your users down long enough to consider the implications of their actions.
It’s like when you get into your car and you make the decision about whether or not to put on your seatbelt. Many cars have a sensor which will remind you, whether that’s a light or an alarm. These sensors introduce some friction into your user experience that's designed to keep you safe. You’ve been warned, you’re aware of the risk, but ultimately you can still make the decision not to put your belt on.
Let's transfer that to the business world. Imagine you go to share a sensitive document. Instead of simply blocking the send, the system could generate a pop-up that asks whether you're sure you want to share, giving you the chance to consider and correct your course. The responsibility stays with the user, and they're not frustrated in what they want to do. Your business still operates, but it also reminds your users that they're being monitored. And, really importantly, your users aren't being forced into illicit workarounds to make things happen, so your security team continues to have visibility over what your users are doing.
3. Build flexibility into your approach
You’ll write your security policies with your organisation’s interests at heart, but it’s important to recognise that they won’t suit all your users. I recommend listening out for specific groups that are struggling with a policy to understand what they’re trying to do. In some cases, you’ll need to adjust your policy to allow individuals to make the final decision and, in my experience, this makes users more likely to work within the ‘rules’ where they can.
I came across a prime example the other day. The security policy restricted what IT could be taken to high-risk countries, but users had been taking their own devices and using them for business under the radar. The security team switched to outlining the risks and making clean devices available if the user felt comfortable with the risk, empowering the individuals to make the final decision on the best course of action. There was a noticeable increase in the uptake of clean devices, reflecting how people were taking responsibility and working with the organisation’s security rather than against or around it.
In fact, non-compliance with security policies can be a useful indicator of where you've got policies and processes in place that aren't working for users and therefore, by extension, aren't working for the organisation either. We often treat non-compliance as some sort of user failure, but we should look at it as a way of flagging where we're trying to get users to do something they find difficult or ineffective.
A user-centred approach
Let’s make security an integral part of how we shape the future of work, using friction in the user experience wisely to get the results we want.
To find out more about how you can take a user-centred approach to improving your security then please get in touch with your account manager.