12 Jul Security or useability? IT strategies to limit the trade-off
As cyber risks continue to evolve at an alarming rate, organisations are moving up the maturity levels with their security frameworks and controls for locking down data and devices. But progress sometimes comes with impacts on useability and flexibility for employees. In today’s hot talent market, this is a trade-off leaders would be wise to resolve, or at the very least minimise.
When it comes to priorities within IT teams and across organisations as a whole, cyber risk awareness and action are right up there as a major concern. According to global insurer Aon, cyberattacks and data breaches are seen as the top risk companies now face. And it’s not just Chief Technical Officers who have these threats on their radar. With the brand damage and financial fallout that can result from a breach, other C-suite leaders and board members are also under pressure to show they’re investing in the strongest security measures to keep customers’ data safe and protect essential data and services that enable them to operate.
The risk of cyberattacks and data breaches ranked number one and is also projected to be a top risk in 2024. In fact, cyber security is perceived as a top 10 risk by every surveyed sector and for all job roles, including CFOs, CEOs and chief people officers.
Securing talent and data
During the rapid pivot to remote working triggered by the global pandemic, device security has moved up the cyber agenda. Devices, as access points to team members, tools and data, became even more essential to both knowledge and frontline workers. At the same time, the vulnerabilities of both corporate and BYO devices were stress tested as organisations and their IT and cyber teams scrambled to keep up with the new remote working model. And as they’ve moved up through the maturity levels to realise all the benefits of modern endpoint management, each extra risk mitigation layer comes with more restrictions on the apps, data and functions a device can access.
Given the high stakes involved with cyber risk, the issue of enhancing device security at the expense of useability might not seem that important. But when you consider the importance of employee experience in the current job market, there’s a clear agenda clash for decision makers to resolve. Here in Australia, research from KPMG suggests access to talent is looming just as large as cyber incidents in the minds of C-suite leaders.
The overwhelming issue which nearly two‐thirds of respondents identified as both an immediate and short‐term challenge is access to talent.
Opening up device choices
In the broader context of employee experience, devices workers use and how they use them might not seem like a show-stopper for attraction and retention. But a Forrester study commissioned by Microsoft suggests otherwise. According to their research, employers reported that allowing people to use their personal devices for work — and to work with more flexibility between home and the office — improves employee satisfaction and reduces turnover.
As technology takes over as the interface for connecting with colleagues and performing work, the device we’re using matters more and more. Switching devices can give some employees a welcome physical boundary between work and personal tasks. But for others it just makes life more complicated. And while employees might prefer not to have a company-issued laptop or phone, they may not be comfortable giving their organisation complete control of their own device. Common restrictions applied by standard operating environments (SOEs) can stop them sharing family photos via SMS, email or social media, for example. In the case of contractors, it could be the company that prefers a BYOD arrangement, given the high overhead involved in providing devices for the short term.
Flexibility can up the overhead
Solutions for securing personal devices to ensure compliance with cyber policies can vary widely. During years of experience across sectors and organisations of different sizes, our Eighty20 team have encountered all sorts of approaches to using security measures to loop personal devices into their network without introducing undue risk. We’ve had clients asking for traffic on corporate and personal devices to go through a mobile VPN, taking security to a level beyond mere device management.
An approach that’s growing more popular is enrolling a device in Windows 365 and using defined profiles to control access to data and applications. Or access can be granted based on the IP address of an approved device. In either case, there’s little to no management of the device itself; it’s the profile controls that count. But this can still cause a degree of discomfort to employees should there be a breach and their personal data come under scrutiny, or even be removed, as a result. So this solution can still be seen as an unacceptable compromise. Even though their personal device isn’t controlled, there can still be a blurring of rights and responsibilities for personal vs corporate data.
Another potential downside of this profile-led approach is the overhead involved. For some users – C-suite, for example – carte blanche access is to be expected. Defining levels of access across different business units, teams or functions can quickly get complex. This can introduce a substantial workload for IT teams, who must configure these profiles, then monitor and maintain them for ongoing compliance with security standards, and test patching and refresh routines against each different profile.
Aligning security efforts with strategy
Finding the sweet spot that strikes the balance between security and useability will come down to where organisations are now and where they’re heading, as defined by their strategic priorities. While security is always going to be a non-negotiable goal, there are others to keep in balance, and solutions can be a win for other digital transformation benefits. For example, a step up in maturity for enterprise security means blocking macros, which can create headaches and frustration for Office users. An investment in Power Platform capabilities can turn this point of friction into a positive step toward empowering employees to develop their own mini-apps as a secure and user-friendly replacement for their trusty macros.
Another element to keep in mind is where device management sits as a priority within a whole zero trust approach to cyber security. Investing in identity management can sometimes be the project to place greater focus on if useability and security goals are to be kept on an equal footing. By making a bigger effort to establish a working set of attributes for both devices and user objects, IT can amplify their power to configure and protect both devices and the data they access, regardless of who they belong to.