In Wednesday’s post we discussed the importance of addressing users in your cybersecurity policy. They can be the weakest link due to varying levels of cybersecurity and technological sophistication, and any effective strategy must incorporate training and policies around technology use.
But there is a flip side to this coin as well; some of the best technical strategies to secure your networks will impact user experience and workflows, and not often in the easiest of ways from the user’s point of view. This is a fine line that security professionals must tread when creating a new policy.
Some best practices for system security involve incorporating technologies and policies which will impact your users. For example, you should institute a policy of least privilege (POLP), which gives your system users only the rights they need to perform their job functions and no more. If your users are currently enjoying expanded privileges due to a lack of security policies, this is going to come as a shock to them when they log in and find they no longer have that level of access.
Another good example is login requirements and Multi-Factor Authentication (MFA). If you are currently not using login credentials, or if you are but are considering switching to MFA for added security, users will be impacted. Even a relatively simple change, like requiring passwords to be changed on a scheduled basis or instituting additional password complexity rules, will impact users as well.
When this happens, you are going to have users who are upset. They will scream. They will cry. They will try to negotiate and bargain to be exempt from the rules. They may even threaten to quit or to go over your head and get you fired. This is a nerve-wracking situation, but this is where you as a security professional must stay strong.
Your users are intelligent people, and they may be experts in their field. You should respect them for their knowledge, but also remember that they are not the cybersecurity experts…that distinction belongs to you. As such, you know more about the types of threats your network faces, and what needs to be done to mitigate those risks. If users and their demands are allowed to veto or overrule your plans as a cybersecurity expert, they are introducing weaknesses into your network; weaknesses that can be exploited.
This doesn’t entitle you to act like a mini-dictator and simply force through your recommendations. It is important to gain employee buy-in for any changes that will impact their workflow, and that can only be accomplished through transparency and good relationships. You need to work with your staff to develop policy and procedures that are both strong and as user-friendly as possible. You need to understand how the solutions you want to apply will impact their workflow, and try to come up with an acceptable compromise.
But with some users, who are so anti-change that they will let nothing pass on their watch, no amount of transparency or education or relationship building will change their perspective. Sometimes the best answer to “Why should I be forced to do this?!” is “Because I am the cybersecurity professional and I said so.”