Cyber security has become a priority for most organizations, and rightly so. Data breaches are a real risk, and cybercriminals aren’t going away. The “prohibition” approach (or “zero trust”), which limits access to web pages and applications, is a go-to model for data protection. But are security programs interfering with business performance? Research suggests that overzealous cyber risk management may be too much of a good thing.
The prohibition approach leads to frustration for users who cannot access applications. According to a survey commissioned by Bromium of 500 enterprises, 74 percent of chief information security officers (CISOs) said users were frustrated that security measures interfered with their job function. Eighty-four percent said users believed that security measures stifled innovation.
This sense of frustration affects customers and employees alike. CISOs reported frequent customer complaints about work delays caused by security measures, according to the Bromium study. After surveying 1,000 employees in the UK, researchers for Cisco found that 1 in 8 employees believed that security measures were stifling innovation and collaboration. Nearly one-fourth believed that the cost of lost business opportunities was greater than the cost of a potential cyber breach. Frustration even led some employees to bend the rules of the security policy.
Even the most effective cyber security programs can sometimes backfire in the workplace. For example, an environment of heightened security can result in employee complacency. The Cisco study found that 62 percent of employees believed their actions had a low to moderate effect on cyber security. More than a third reported low to moderate adherence to security policies.
Need for New Security Approaches
To strike a balance between strong security and robust business performance, organizations need to develop new approaches to security. New technologies and insights into workplace behaviors have led to some promising developments.
Behavior-Centric Security Policies
Employees respond to security risks in different ways. Instead of forcing all employees into a single security program, organizations can develop policies tailored to individual employee behavior. For example, researchers for Cisco classified employees into four behavior profiles describing attitudes toward cyber threats, ranging from “threat aware” to “bored and cynical.” User-specific security policies can protect data while accommodating these individual behaviors.
Certain activities, such as downloading files or opening applications, are more closely associated with cybercrime than others. To prevent a breach, security policies often restrict legitimate users from these activities. However, a new technology known as micro-virtualization can isolate these activities, trap resulting malware, and protect an organization’s network.
Micro-virtualization is an example of implementing strong security without sacrificing business performance. With this technology, there is no need to prevent users from doing their jobs, so there is no interference with innovation and collaboration.
Security Compatible with Business Performance
In today’s cyber environment, effective data protection is a crucial concern. At the same time, security measures must not inhibit business performance and growth. New technologies and approaches to cyber security can both prevent breaches and allow innovation and collaboration among legitimate users.
Carefully crafted policies and procedures are a key ingredient of any successful cyber security program. They need to be written and implemented in a way that is effective and flexible, but that also allows the business to run unencumbered.
At Interactive Security, we often refer to cyber security programs as “living & breathing”.