Kevin Dominik Korte dedicates himself to inspiring people to take control of their time, data, and dreams in IT, business, and life. As President of Univention North America, startup investor, and board member, he enables individuals and companies to follow their visions and missions without building dependencies. He is a trusted voice for strategic questions, risk management, and technical solutions from the boardroom to the field. He earned his MSc and BSc in Computer Science from Jacobs University in Bremen, Germany, and serves as Treasurer of the Jacobs University Foundation of America.
For most of us, our first interaction with a computer every day is to enter a cryptic username and a string of eight or more random characters. We enter the same password when we access our emails, when logging into social media, when the friendly repair guy asks for them in an email, when using online banking, and for the 4 pm online team meeting. STOP!
Most of us will hopefully have tripped over both “enter the same” and “repair guy asks for them in an email.” But we shouldn’t be so sure. As Verizon’s Data Breach Investigations Report shows year after year, the large majority of successful breaches involve a human element, whether it is the sheer laziness of reusing passwords or clever social engineering. Equally troubling, the total number of incidents keeps growing, and we should rightfully worry about how to fight back.
The breach data also suggests that even the most sophisticated technical controls accomplish little when they ignore how people actually work, except for frustrating users and administrators. As a result, we get into a vicious cycle: users take shortcuts in security, IT introduces technical controls, users get frustrated with them and take other shortcuts. For example, the IT department blocks one cloud storage service, so people jump to the next one, a favorite cat-and-mouse game in IT. Happiness with IT and productivity both nosedive while spending on cybersecurity goes up. This frustrating spiral will continue until CIOs and CISOs break the cycle and suggest different strategies to their peers in the C-suite and on their boards.
Let’s look at three ways to put the user back in “user management” and enhance cybersecurity.
Optimize the User Experience
One of the most frustrating aspects of work is needless, duplicated effort. Typing the same password over and over is one of the habits in IT that frustrates users to no end.
Even in shared-desk environments or on a common workstation, a single login at the beginning of the session is no less safe than entering a password for every application, provided the session itself is protected: the screen locks after a short idle period, sessions expire, and particularly sensitive actions (changing payment details, approving access requests) still require a fresh authentication. Fewer password entries mean less time spent logging in, which increases a user’s willingness to accept longer, more complex passwords or multi-factor authentication.
So why do we keep up this outdated security theater? I often hear professionals discussing single sign-on (SSO) as an employee convenience but seldom as a security measure, so the solution shows up as a cost in the IT budget with no association to pressing security issues. Yet SSO is a security measure: one strong credential with multi-factor authentication replaces dozens of weak, reused ones, authentication policy is enforced in one place, and an account that leaves the company is disabled everywhere with a single action. We must start looking at the human factor to change this perception, and explain that employees and customers are significantly more likely to act in a security-conscious fashion when they aren’t inconvenienced. This matters because off-the-shelf SSO solutions are substantially cheaper than a single security incident or than replacing a frustrated knowledge worker who quits.
Go with the Flow
Logins aren’t the only area where convenience trumps security. Shadow IT, the term for services or apps not sanctioned by the IT department, is another significant risk factor, one where intellectual property and data leave the company’s control. Data protection requirements and the associated fines only worsen the consequences of unauthorized applications. Yet middle management often ignores outright bans in favor of easier usage and faster results.
Thus, looking at workflows and enhancing convenience remain the best tools we have. That requires IT to stop thinking in terms of individual data stores or tasks. Goal-oriented workflows have improved both the outcome and the experience for workers in many fields. It is paramount to focus on the end goal, partition daily work into sensible processes, and keep workers engaged with just one application during each process. Take user creation, a workflow in the IT department itself: it often involves jumping between several services and entering the same username, first name, last name, and password into each, which is not only slow but also scatters copies of the same credential across systems. An identity management system that feeds every target from one record simplifies and unifies the workflow.
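To make the user-creation workflow concrete, here is an added example (not code from the article or from any identity management product) of the single-source-of-truth idea: one canonical record is derived once and rendered for two targets, an on-premises LDAP directory and a cloud app that accepts SCIM 2.0. It goes slightly beyond the article's creation case by also producing the offboarding change. The directory layout, the username rule, the sample person and the SCIM endpoint semantics are assumptions for illustration.

```python
"""Provision one user record into several systems from a single source of truth.

Added example for the article's "user creation" workflow; not code from the
article or from any product. Directory layout, username rule and the sample
person are assumptions chosen for illustration.
"""
import base64
import json
import secrets
import unicodedata
from dataclasses import dataclass

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass(frozen=True)
class Person:
    first_name: str
    last_name: str
    department: str
    employee_id: str


def canonical_username(first: str, last: str) -> str:
    """Derive the login name once, deterministically, so every target agrees.

    Diacritics are folded to ASCII and the result lower-cased:
    'José García' -> 'jgarcia'. (Assumed naming rule.)
    """
    def fold(s: str) -> str:
        return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return (fold(first)[:1] + fold(last)).lower().replace(" ", "")


def to_ldif(record: dict, initial_password: str,
            base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """Render the record as an LDIF add entry for an inetOrgPerson.

    LDIF requires non-ASCII values to be base64-encoded after a '::' separator,
    exactly the kind of detail that goes wrong when an admin types it by hand.
    (Values starting with space, ':' or '<' need the same treatment; omitted.)
    """
    attrs = [
        ("dn", f"uid={record['username']},{base_dn}"),
        ("objectClass", "inetOrgPerson"),
        ("uid", record["username"]),
        ("cn", f"{record['given_name']} {record['family_name']}"),
        ("sn", record["family_name"]),
        ("givenName", record["given_name"]),
        ("mail", record["email"]),
        ("employeeNumber", record["employee_id"]),
        ("departmentNumber", record["department"]),
        ("userPassword", initial_password),  # the only place a password is written
    ]
    lines = []
    for name, value in attrs:
        if value.isascii():
            lines.append(f"{name}: {value}")
        else:
            lines.append(f"{name}:: {base64.b64encode(value.encode()).decode()}")
    return "\n".join(lines) + "\n"


def to_scim_user(record: dict) -> dict:
    """SCIM 2.0 core User resource for a cloud app behind SSO.

    Deliberately no password attribute: the app never holds one, because
    authentication happens at the identity provider.
    """
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": record["employee_id"],
        "userName": record["username"],
        "name": {"givenName": record["given_name"], "familyName": record["family_name"]},
        "emails": [{"value": record["email"], "primary": True}],
        "active": record["active"],
    }


def provision(person: Person, domain: str = "example.com") -> dict:
    """Build every target's representation from one canonical record."""
    username = canonical_username(person.first_name, person.last_name)
    record = {
        "username": username,
        "email": f"{username}@{domain}",
        "given_name": person.first_name,
        "family_name": person.last_name,
        "department": person.department,
        "employee_id": person.employee_id,
        "active": True,
    }
    # One random initial password, generated once and written to exactly one
    # target (the directory); the user is expected to change it at first login.
    initial_password = secrets.token_urlsafe(16)
    return {
        "record": record,
        "directory_ldif": to_ldif(record, initial_password),
        "scim_user": to_scim_user(record),
    }


def deprovision(record: dict) -> dict:
    """SCIM PatchOp that disables the app account at offboarding.

    The same single record drives removal, so one action closes every door.
    The directory side is product-specific and left out here.
    """
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


if __name__ == "__main__":
    out = provision(Person("José", "García", "Finance", "1042"))  # constructed sample
    print(out["directory_ldif"])
    print(json.dumps(out["scim_user"], indent=2))
    print(json.dumps(deprovision(out["record"]), indent=2))
```

Note that the initial password is written to exactly one target and the SCIM payload carries none at all; that is the practical difference between unifying the workflow and merely scripting the old one.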
Identifying those flows is the hardest part. Surveys are the least time-consuming but most error-prone way. The best approach is to have workers video- or screen-record their day. It gives accurate results and ensures team members feel part of the process; since such recordings inevitably capture passwords and personal data, they need consent and a clear retention and deletion rule. No matter which way, once you have identified the workflows, you can assign an application to each. It yields an inventory of applications to build upon, tweak, and maintain.
Once IT has reduced the zoo of applications, organizations should celebrate that there is no more switching required. Showcasing the new ease of use makes employees aware of it, and after they’ve realized and internalized how simple it is, the power of habit will take care of the rest.
Even if you already have a minimal number of programs, this exercise can help discover the awkward pain points that slow everyone down. Overall, it will improve productivity and preempt the introduction of unsanctioned software and services.
Make it a Game, Not Shame
Our emotions play a role in which tasks we pick and how comfortable we are tackling different work, and they influence how we learn and memorize things. That explains why shaming people into compliance, still one of the most common cybersecurity practices, is extremely counterproductive.
Many of us have experienced corrective training scenarios. The IT department sends a test email with a link, we click on it, and they condemn us to remedial training. Instead of paying attention in training, we blame ourselves for not being smart enough. Shame soon translates into worrying about our job, surely not the best way to build awareness and motivation.
Consequently, companies get stuck in a cycle of inadequate training, lacking reinforcement, and feelings of guilt or shame about failing such tests. Employees experience it all as a combination of wasted time and unfocused learning with the easiest tasks seeming too complex. No wonder the educational effects are limited, undermining the objective of improving cybersecurity.
Luckily, there are better ways to ensure compliance and enhance training. Gamification and user contests can significantly improve long-term awareness and habit-building. They tap into the wish to be the very best yet acknowledge that everyone makes mistakes. Tracking a metric such as reported phishing emails per person and week is easy for employees to understand and for the IT department to set up, and it rewards the behavior we want (reporting) instead of punishing the click. Likewise, IT and HR should run internal bounty programs for finding system errors, bugs, and security vulnerabilities. Even without a monetary reward, the opportunity to look good in front of co-workers and gain status is significantly more effective than any shame-based training.
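As an added example of the reporting metric described above (not code from the article), the following scores a phishing simulation purely on positive behavior: reporting earns points, reporting quickly earns a bonus, reporting after a click still earns (the recovery is what matters), and a click by itself costs nothing. The log format, the event names, the sample events and the point values are assumptions for illustration.

```python
"""Score a phishing-awareness exercise on reports, not on clicks.

Added example for the article's "reported mails per person and week" metric;
not code from the article. Log format, event names and point values are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp,user,team,event" per line.
# Events: 'sent' (simulation mail delivered), 'clicked', 'reported'.
SAMPLE_LOG = """\
2024-03-04T09:00:00Z,alice,finance,sent
2024-03-04T09:03:10Z,alice,finance,reported
2024-03-04T09:00:00Z,bob,finance,sent
2024-03-04T09:05:00Z,bob,finance,clicked
2024-03-04T09:06:30Z,bob,finance,reported
2024-03-04T09:00:00Z,carol,eng,sent
2024-03-11T09:00:00Z,alice,finance,sent
2024-03-11T09:01:00Z,alice,finance,reported
2024-03-11T09:00:00Z,carol,eng,sent
2024-03-11T10:00:00Z,carol,eng,clicked
"""

FAST_REPORT_SECONDS = 300  # assumed threshold for the "fast report" bonus


def parse_log(text: str) -> list:
    """Turn the CSV-style log into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, team, kind = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "team": team, "event": kind,
        })
    return events


def weekly_stats(events: list) -> dict:
    """Per (user, ISO year-week): what happened to that week's simulation mail."""
    first_seen = defaultdict(lambda: {"sent": None, "clicked": None,
                                      "reported": None, "team": None})
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], tuple(ev["time"].isocalendar()[:2]))
        slot = first_seen[key]
        slot["team"] = ev["team"]
        if slot[ev["event"]] is None:          # keep the first occurrence of each kind
            slot[ev["event"]] = ev["time"]
    stats = {}
    for key, s in first_seen.items():
        sent, clicked, reported = s["sent"], s["clicked"], s["reported"]
        stats[key] = {
            "team": s["team"],
            "reported": reported is not None,
            "clicked": clicked is not None,
            "seconds_to_report": (reported - sent).total_seconds() if reported and sent else None,
            "report_before_click": reported is not None and (clicked is None or reported < clicked),
        }
    return stats


def score(stat: dict) -> int:
    """Points only for positive behavior: a click costs nothing, a report always earns."""
    if not stat["reported"]:
        return 0
    points = 3 if stat["report_before_click"] else 2   # reporting after a click is still a win
    if stat["seconds_to_report"] is not None and stat["seconds_to_report"] <= FAST_REPORT_SECONDS:
        points += 1
    return points


def leaderboard(stats: dict) -> list:
    """Users ordered by total points (ties broken by name), nobody shamed."""
    totals = defaultdict(int)
    for (user, _week), stat in stats.items():
        totals[user] += score(stat)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def team_report_rate(stats: dict) -> dict:
    """Share of simulation mails that were reported, per team, for a team contest."""
    sent, reported = defaultdict(int), defaultdict(int)
    for stat in stats.values():
        sent[stat["team"]] += 1
        reported[stat["team"]] += int(stat["reported"])
    return {team: reported[team] / sent[team] for team in sent}


if __name__ == "__main__":
    stats = weekly_stats(parse_log(SAMPLE_LOG))
    for user, points in leaderboard(stats):
        print(f"{user:<8}{points}")
    print(team_report_rate(stats))
```

With the constructed log, alice reports both mails within minutes and leads, bob clicks but then reports and still scores, and carol, who never reports, simply sits at zero rather than being singled out. The same data tells IT where reinforcement is needed without the shame mechanism the article argues against.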
What about AI?
Until AI replaces all of us, and that’s far from certain, IT departments must continue to deal with human emotions. We will never be able to rely on technology alone to get a handle on the human component of cybersecurity. Our subconscious revolves around primal impulses like inertia, competitiveness, and fear. Ensuring that our actions align with our employees’ expectations, cultures, and norms goes a long way in building a company where cybersecurity practices are part of everyday workflows. The better way to improve cybersecurity is to leverage human emotions and behaviors instead of trying to fight them.