As millions of workers get used to a new way of working, remote technologies have overnight become among the most important concerns of IT leaders – figuring out how to balance security policies with keeping remote workers productive is absolutely critical.
Most workers simply want to … work. Anything that presents a significant obstacle to that is going to have a detrimental effect upon the employee experience. Restrictive security or overbearing compliance measures are regularly cited as reasons employees get frustrated when working remotely. According to CCS Insight, 37% of employees and 49% of millennials believe their company’s security processes inhibit their productivity.
With barely an hour passing without some form of major cybersecurity event hitting the headlines, it’s no surprise that security is a paramount issue at most modern organizations. In order to avoid being struck by the latest ransomware attack or data breach incident, many companies are locking down devices and using tools like CASBs to restrict user access when working remotely.
Cyber security measures must therefore keep the user experience in mind. Security tools and software should be hassle-free, fairly nonrestrictive, and integrate smoothly with a user’s regular interface and workflow. In other words, better protection should not mean a worse user experience. – Rebecca Strehlow, Hackernoon
The problem is that while everyone wants security, no one wants the security experience. So while enforcing regular password changes and having exhaustive requirements about minimum length and character usage certainly reduce the risk of data loss, they also massively impact the employee experience.
The same is true for implementing policies around access to particular apps or sites, such as Office365 or Dropbox. Moreover, having to reauthenticate each time a connection is dropped can be extremely irritating, and if issues like these begin to seriously impact convenience, employees will often look for ways to bypass security measures in order to get work done.
“By creating extra hoops for users to jump through any time they need to access information, you are only increasing the chance that they will find a different way to accomplish their tasks – and in many cases, these workarounds create greater security risks. In short, if security has a significant impact on the usability of an app or device, it’s going to eventually make the system less secure.” – Cher Zevala, Independent Technology Expert
In late 2019, NetMotion conducted a study of several hundred mobile workers to uncover and document the most common frustrations encountered during remote working. Unsurprisingly, issues with compliance were regularly cited by respondents as a frequent and painful obstacle to productivity.
Having to bypass password requirements and having to regularly re-authenticate is the no. 5 most frustrating issue for mobile workers
One in five mobile workers listed a restrictive security factor as their most frustrating issue
Case study: Canadian car rental company
One vehicle rental company based in BC, Canada, was rolling out a new initiative to deliver cars to customers unable to visit company sites. This well-promoted new service required employees to drive in pairs to customers’ homes, where the final registration of the car rental could be completed using iOS devices. These workers were expected to log in to company systems using LTE iPads. With security a priority at the firm, no risks could be taken – multi-factor authentication was also rolled out and strict policies were put in place to validate the identities of users accessing company data.
The company soon discovered that employees found this process painful. Having to reauthenticate regularly throughout the day – often with additional factors required – meant that workers were often simply bypassing the registration of vehicles. Many drivers, fed up with the restrictive security policies, instead used pen and paper or offline notes to complete the registration later in the day.
This led to major problems when customers were returning cars and for the customer service team, as rental times did not coordinate reliably in the system. This significant impediment to employee experience was costing the organization in more ways than one. It implemented a more intelligent way of authenticating users that changed given the context of each device – for example, only when a user requested access on an unrecognized device or in an unexpected location would added security measures be required. This software-defined perimeter approach made an almost instant impact. Complaints from employees and unwanted workarounds soon disappeared, while the security team remained satisfied that corporate data was secure.
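The context-dependent check described in the case study above (extra factors only for an unrecognized device or an unexpected location) can be sketched as a small policy function. This is an added example, not the rental company's or any vendor's code; the names, the region strings, the 12-hour MFA window and the sample data are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"      # no extra prompt, e.g. a reconnect after a dropped link
    STEP_UP = "step_up"  # ask for an additional factor

@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    region: str             # coarse location, e.g. from IP geolocation (assumed)
    minutes_since_mfa: int  # age of the last completed MFA challenge

@dataclass
class Baseline:
    devices: set = field(default_factory=set)
    regions: set = field(default_factory=set)

MAX_MFA_AGE_MIN = 12 * 60  # assumed policy value: one challenge per shift

def evaluate(req, baselines):
    """Return (Decision, reasons). Unknown users fail closed to STEP_UP."""
    base = baselines.get(req.user)
    if base is None:
        return Decision.STEP_UP, ["no baseline for user"]
    reasons = []
    if req.device_id not in base.devices:
        reasons.append("unrecognized device")
    if req.region not in base.regions:
        reasons.append("unexpected location")
    if req.minutes_since_mfa > MAX_MFA_AGE_MIN:
        reasons.append("MFA challenge too old")
    return (Decision.STEP_UP if reasons else Decision.ALLOW), reasons

def record_step_up_success(req, baselines):
    """After a passed challenge, learn the context so it is not re-prompted."""
    base = baselines.setdefault(req.user, Baseline())
    base.devices.add(req.device_id)
    base.regions.add(req.region)

# Constructed sample data: one driver with an enrolled iPad in one region.
BASELINES = {"driver1": Baseline({"ipad-0042"}, {"CA-BC"})}
```

Logging the returned reasons gives the security team a record of why each prompt fired, which helps tune the policy when users report friction.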
Advice for improving employee experience
- Implement adaptive multi-factor authentication products rather than static ones
- Monitor the types of tools and workarounds that employees might be using to bypass official policies – this can inform changes you might need to make to existing protocols
- Try to use blacklisting rather than whitelisting where possible. Most employees just want to get work done, so having overbearing content filtering policies can quickly restrict that.
- If using a VPN or other access-based technologies, ensure that it has a robust conditional policy engine that can intelligently balance security with user experience.