The relentless pursuit of a seamless digital user experience is having serious consequences in the workplace.
The expectation for convenient access to corporate and consumer applications such as Gmail, Twitter or Dropbox is undermining the efforts of CSOs seeking to protect sensitive personal and commercial data from falling into the wrong hands.
For everyone working in IT security, if this trend becomes the “new normal” and your company’s users are accessing systems and data with feeble username and password (UNP) authentication, then you have a serious problem.
The main driver behind the trend for convenience has been a change in boardroom culture. Many start-up founders, business owners and CEOs aren’t ensuring that risk assessments are being carried out to ensure corporate data networks and consumer-facing platforms are secure and fit for purpose.
Unfortunately, whilst this new culture may make workers more productive and increase the number of customers businesses have online in the short-term, the recent data breach news stories should prove beyond any doubt that these new bad habits will catch up with businesses at some point.
What is the answer? Here are three top tips:
Define and enforce clear use policies – A sensible first step is to form a holistic view of company’s data, assess what is business-critical and develop a strict policy document that must be adhered to. Organisations can then define the access control parameters that work best for their business structure, keeping the gateways to certain information accessible only to those with the right permissions.
Take back control – As a next step, deliver authentication through a standalone platform which redirects users back to the corporate domain, ensuring the user’s credentials can be validated using a corporate authentication solution before access is granted.
Introduce some friction – The final piece of the puzzle? Introduce appropriate levels of security.
Enabling static, risk-based policies is a step in the right direction. These solutions can determine access requirements based on who is accessing which service.
Better still, there are intelligent adaptive solutions that can apply exactly the right level of visible security appropriate to the access being requested. This serves to remind the user of the security risks associated with their actions, whilst the level of convenience also plays an important part.
Also, in circumstances where highly sensitive and confidential content is being reviewed, or when access requests are being made from beyond the control of the fixed network perimeter, it is essential that the user should be challenged to re-verify their credentials before access is granted.
Equally however, under circumstances where lower value data is being accessed, or indeed when the user has already authenticated into a secure environment during the same “session”, then barriers to access can be confidently lifted to raise convenience levels for the user.
Ultimately though, business owners, CEOs, CMOs and employees must all accept that some level of authentication is necessary when dealing with corporate data.
Any pursuit of an entirely frictionless digital environment in the workplace is short-sighted, and will lead only to an increase in corporate data loss. Fortunately, with the introduction of small amounts of ‘friction’, all parties can ensure that security and convenience actually turn out to be good bedfellows.
Chris Russell is CTO of Swivel Secure