IT teams face employee resistance to security controls

The Transform Technology Summits start October 13th with Low-Code/No Code: Enabling Enterprise Agility. Register now!


Ninety-one percent of IT leaders feel pressured to compromise security for business continuity, according to a new report from HP Wolf Security. Moreover, almost half (48%) of younger office workers surveyed view security tools as a hindrance, leading to nearly a third trying to bypass corporate security policies to get their work done.

The report, which combines data from a YouGov poll of 8,443 office workers and a survey of 1,100 IT decision makers conducted by Toluna, highlights the clashes between IT departments and rank-and-file workers brought on by the pandemic. While IT leaders have had to compromise security for continuity despite a rise in threats, employees have been rejecting efforts to improve security, leading many to rebel against security controls.

Worker pushback

According to the report, between 48% and 64% of office workers believe that security measures result in a lot of wasted time. Seventy-three percent said that security policies and technologies are often too restrictive, and over half (54%) of younger workers — those aged 18 to 24 — were more worried about meeting deadlines than exposing their organization to a data breach.

The blasé attitude toward security is causing concern on the IT side. HP found that 83% of IT teams believe the increase in home workers has created a “ticking time bomb” for a corporate network breach. Eighty percent of IT teams said IT security was becoming a “thankless task” because nobody listens to them, and 69% said they are made to feel like the “bad guys” for imposing restrictions.

“The fact that workers are actively circumventing security should be a worry for any CISO — this is how breaches can be born,” HP global head of security for personal systems Ian Pratt said in a press release. “If security is too cumbersome and weighs people down, then people will find a way around it. Instead, security should fit as much as possible into existing working patterns and flows, with technology that is unobtrusive, secure-by-design and user-intuitive. Ultimately, we need to make it as easy to work securely as it is to work insecurely, and we can do this by building security into systems from the ground up.”

Specific steps

Eighty percent of IT teams experience pushback from users who don’t like controls being put on them at home, with 67% of teams receiving complaints about this weekly, HP reports. But despite resistance, many security teams have made efforts to curb user behavior to keep data safe. Ninety-one percent say that they’ve updated security policies to account for the rise in working from home, while 78% have restricted access to websites and apps.

“CISOs are dealing with increasing volume, velocity and severity of attacks,” HP chief information security officer Joanna Burkey said in a statement. “Their teams are having to work around the clock to keep the business safe, while facilitating mass digital transformation with reduced visibility. Cybersecurity teams should no longer be burdened with the weight of securing the business solely on their shoulders; cybersecurity is an end-to-end discipline in which everyone needs to engage.”

The adoption of hybrid work environments is likely to exacerbate the security challenges organizations face. Already, 83% of IT teams believe that enforcing corporate policies around cybersecurity is impossible now that the lines between personal and professional lives are so blurred, according to the HP report. Surveys show that most U.S. companies are heading toward a hybrid office workweek. At the same time, cyberattacks like ransomware are estimated to cost $6 trillion annually by the end of this year.

Turning the tide will require that enterprises begin to adequately consider security trade-offs rather than prioritize product and service features and functionality. For example, as my colleague Sage Lazzaro recently pointed out, multi-factor authentication is widely considered a strong defense against many types of password-related attacks, yet relatively few companies have implemented it. An Egress study of IT leaders and employees revealed that 43% admit to not following any security protocols.

“To create a more collaborative security culture, we must engage and educate employees on the growing cybersecurity risks, while IT teams need to better understand how security impacts workflows and productivity. From here, security needs to be re-evaluated based on the needs of both the business and the hybrid worker,” Burkey said.

VentureBeat

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.

Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member



O I Media Network