Businesses need to keep their systems and data well protected. But that often means employees must remember, or more likely fail to remember, potentially dozens of passwords for work accounts, on top of two-factor authentication steps that can feel needlessly burdensome. Add employees working on personal devices, and you have a difficult balancing act between security and getting work done.
Information security consultant Rebecca Herold, known as the Privacy Professor, works with businesses dealing with this challenge. Herold is also a co-founder of Simbus360, a privacy and security management consulting firm, and she’s working on privacy standards as part of a National Institute of Standards and Technology team.
Here’s her advice to help you strike the balance between security and productivity.
Q. Why do security measures sometimes get in the way of productivity?
A. People don’t like to be slowed down, especially when they have multiple types of IDs and authentication — passwords and secret questions and so on.
Research has shown there’s a psychological component. It’s not that much time is actually lost because you have to enter a password, but people get irritated if they’re asked to do the same thing over and over. It causes a lot of frustration. Plus, people are managing a lot of different passwords and they forget them, and I think organizations have a tendency to require people to change their passwords too often.
Takeaway tip: Require strong, lengthy passwords, but don’t force employees to change them on a schedule; require a change only when there’s a breach or other sign that a password has been exposed.
Q. How can a business help employees work securely without hindering productivity?
A. Organizations should always be looking for ways to streamline security to make things easier for their employees. This could include single sign-on, so once you’ve logged in to the secure business environment, people don’t have to keep entering passwords for every application. It’s also important to educate employees about closing programs and applications that aren’t in use and turning devices off regularly to clear memory and cache. Those steps will speed up things.
Biometric authentication is another thing to consider, if there’s budget for it. That can really streamline people’s time, and it can often be achieved with voice or fingerprints or even an iris scan.
Let’s say you’re an employee and you need to get into a very sensitive application. Maybe you’ve loaded a certain code file onto your device itself so that you have to be using that particular device to log in to the application. That code file on your computing device would be one step, and the second step might be saying your key phrase or scanning your fingerprint on your smartphone or tablet.
Takeaway tip: If possible, implement single sign-on or biometric authentication in place of a separate password for every application.
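The device-bound first step Herold describes above, as an added example that is not from the article or from any product she mentions: a secret enrolled on one specific device must answer a server challenge before the second step (the key phrase or fingerprint, which cannot be shown offline) is attempted. All names are hypothetical. To stay in the Python standard library the example uses an HMAC shared secret; a production design would put an asymmetric key (for instance a client certificate) in hardware-backed storage rather than a plain file.

```python
# Added example, not the article's own code. Demonstrates a device-bound
# first factor: the "code file" on the employee's device holds a secret that
# only that device can use to answer the server's challenge.
import hashlib
import hmac
import os
import time

CHALLENGE_TTL_SECONDS = 60          # hypothetical value for this example
DOMAIN = b"device-auth"             # domain separation for the HMAC input


def _mac(secret, nonce, user):
    # The response binds the challenge nonce to the user name so a response
    # issued for one account cannot be presented for another.
    return hmac.new(secret, DOMAIN + nonce + user.encode(), hashlib.sha256).digest()


class Server:
    """Holds one enrolled device secret per user and tracks live challenges."""

    def __init__(self):
        self._device_secrets = {}   # user -> secret registered at enrolment
        self._challenges = {}       # nonce -> (user, issued_at)

    def enroll_device(self, user, device_secret):
        self._device_secrets[user] = device_secret

    def issue_challenge(self, user, now=None):
        nonce = os.urandom(16)
        self._challenges[nonce] = (user, time.time() if now is None else now)
        return nonce

    def verify_device_response(self, user, nonce, response, now=None):
        """First factor: proves possession of the enrolled device secret.
        Each nonce is consumed on first use, so a captured response cannot be replayed."""
        now = time.time() if now is None else now
        issued = self._challenges.pop(nonce, None)   # consume even if the check fails
        if issued is None or issued[0] != user:
            return False
        if now - issued[1] > CHALLENGE_TTL_SECONDS:
            return False
        secret = self._device_secrets.get(user)
        if secret is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(_mac(secret, nonce, user), response)


class Device:
    """Stands in for the code file loaded onto the employee's own device."""

    def __init__(self, device_secret):
        self._secret = device_secret

    def answer(self, user, nonce):
        return _mac(self._secret, nonce, user)


def login_first_factor(server, device, user, now=None):
    """Run one challenge/response round. Only on True would the second
    factor (key phrase or fingerprint) be requested."""
    nonce = server.issue_challenge(user, now)
    return server.verify_device_response(user, nonce, device.answer(user, nonce), now)


def demo():
    """Exercise the success path and the three failure modes a practitioner cares about."""
    secret = os.urandom(32)
    server = Server()
    server.enroll_device("alice", secret)
    enrolled = Device(secret)
    other = Device(os.urandom(32))        # a different laptop with its own file
    results = {
        "enrolled_device": login_first_factor(server, enrolled, "alice"),
        "other_device": login_first_factor(server, other, "alice"),
    }
    # Replay: the same correct answer presented twice is rejected the second time.
    nonce = server.issue_challenge("alice")
    resp = enrolled.answer("alice", nonce)
    results["first_use"] = server.verify_device_response("alice", nonce, resp)
    results["replay"] = server.verify_device_response("alice", nonce, resp)
    # Expiry: a challenge answered after the TTL is rejected.
    nonce = server.issue_challenge("alice", now=1000.0)
    late = 1000.0 + CHALLENGE_TTL_SECONDS + 1
    results["expired"] = server.verify_device_response(
        "alice", nonce, enrolled.answer("alice", nonce), now=late)
    return results


if __name__ == "__main__":
    print(demo())
```

The server never learns anything from a failed attempt except that the answer did not match, and because the nonce is removed before the comparison, an attacker who captures one valid response on the network gains nothing.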
Q. Are there times when security should be relaxed in the service of productivity?
A. Security and productivity shouldn’t be opposing goals, because in the long run, security supports the proper and efficient flow of business. If you have a security incident, that’s going to interrupt business. But certainly there will be times when a certain security policy requires an exception.
One of the most common times is in the event of a disaster or an incident. I’m based in Des Moines, Iowa, and when I started my career, there was a huge flood in 1993. At my company, we temporarily suspended certain security requirements for employees so they could get into client files while they were working in different locations. But generally, those types of disaster suspensions have mitigating controls implemented, and they’re only short-term.
Takeaway tip: In cases where security is temporarily reduced, monitor access, log which users have been into which files, audit that activity, and restore the normal controls as soon as the exception ends.
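The logging and audit the tip above calls for, as an added example that is not from the article: during a temporary exception, file-access log lines are reduced to a per-user inventory of which files each person touched, and two conditions are flagged, access by someone not on the approved list and access after the exception window closed (which means the relaxed access was never revoked). The log format, the exception window, the approved user list and the log lines are all constructed for this example.

```python
# Added example, not the article's own code. Audits file access recorded
# during a temporary security exception. Everything below is constructed.
from datetime import datetime, timezone

# Hypothetical exception window and the staff granted remote access to client files.
EXCEPTION_WINDOW = (
    datetime(2024, 6, 10, 8, 0, tzinfo=timezone.utc),
    datetime(2024, 6, 14, 18, 0, tzinfo=timezone.utc),
)
APPROVED_USERS = {"alice", "bob"}

# Constructed access log: timestamp user action path source
SAMPLE_LOG = """\
2024-06-10T09:12:03Z alice READ clients/acme/contract.pdf remote
2024-06-10T09:15:44Z bob READ clients/acme/invoice.xlsx remote
2024-06-11T22:40:10Z carol READ clients/zenith/ledger.xlsx remote
2024-06-12T10:02:55Z alice WRITE clients/acme/contract.pdf remote
2024-06-15T07:30:00Z bob READ clients/acme/invoice.xlsx remote
2024-06-13T03:14:27Z alice READ clients/zenith/ledger.xlsx remote
"""


def parse_line(line):
    """Split one constructed log line into a dict with an aware UTC timestamp."""
    ts, user, action, path, source = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "action": action,
        "path": path,
        "source": source,
    }


def audit(log_text, window=EXCEPTION_WINDOW, approved=APPROVED_USERS):
    """Return (per_user, findings).

    per_user maps each user to the set of files they touched, which is the
    record you want when the exception is reviewed afterwards.
    findings is a list of (reason, entry) pairs, in log order:
      outside_window  - access after the exception closed: relaxed access not revoked
      unapproved_user - access inside the window by someone not granted the exception
    """
    start, end = window
    per_user = {}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        per_user.setdefault(entry["user"], set()).add(entry["path"])
        if not (start <= entry["ts"] <= end):
            findings.append(("outside_window", entry))
        elif entry["user"] not in approved:
            findings.append(("unapproved_user", entry))
    return per_user, findings


def report(log_text):
    """Human-readable summary for the reviewer closing out the exception."""
    per_user, findings = audit(log_text)
    lines = []
    for user in sorted(per_user):
        lines.append(f"{user}: {len(per_user[user])} file(s)")
    for reason, entry in findings:
        lines.append(f"FLAG {reason}: {entry['user']} {entry['action']} "
                     f"{entry['path']} at {entry['ts'].isoformat()}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Keeping the window and the approved list as explicit data means the same audit can be rerun after the exception is closed; any line that lands in `outside_window` is the signal that the temporary suspension outlived the disaster that justified it.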
Q. How do you encourage employees to prioritize security?
A. The key is to help people understand from their own personal view that they need it, and then they can really own the issue.
For example, there’s a large health insurance company I go to once a quarter, and we have a lunch-and-learn security and privacy talk. One talk I gave was about setting up your home Wi-Fi network with appropriate security controls. I explained what can happen if someone outside your home is getting into your personal network.
And then at the end, the chief information security officer said, “Here are the security practices we require that are similar to what you just heard. We need to protect our business and our customers the same way you need to protect yourself.” That really helps people to understand.
Takeaway tip: Provide frequent training in short bursts of 10 or 15 minutes on a single security topic, rather than once or twice a year for an hour or two. This is especially important for teaching employees about security measures for their personally owned devices, which are outside the realm of information technology control.