Security concerns around IT systems seem to only get worse. Now organizations must contend with cloud computing, social networking, and mobile computing, all of which ratchet up security concerns. Of course, you can boost security but business will suffer. Restrict social networking and risk losing customers. Let managers access data from smartphones and risk compromising data.
“When Security is around, Productivity disappears. And when Productivity shows up on the scene, Security has to take a coffee break,” writes Aaron Weiss for Dell.
Workers aren’t stupid. They feel the pressure from management to do more, work harder, work faster, no excuses. They know it is a tough economy; layoffs could come at any time. So they take shortcuts, and a handy place to find those shortcuts is security. How can you strike the right balance?
Here are five telltale signs workers are opting for expediency over security:
- Passwords hidden in the most obvious places—convenient, easy to find by anyone, almost never changed
- Leaving a workstation, even for a few minutes, with a session running and connection open—anyone who sits down can do anything
- Putting data unencrypted on insecure, easily misplaced devices (laptops, smartphones, tablets, flash cards)—usually in an effort to be more productive
- Sending confidential data unencrypted via email—no guaranteed delivery, no assurance the recipient will be the one opening it, no control of the data after it passes the firewall
- Failure to follow social media policy—spontaneous discussions with little awareness of security and confidentiality implications
In each case convenience, usually in the name of productivity, trumps security. It is faster and easier to do it this way, workers reason.
But don’t blame the workers. Management, too, sends clear signals that security is less important than productivity:
- Lack of a security policy and social media policy that reflect how efficient workers actually operate
- Failure to cultivate security awareness through regular communication and training
- Reluctance to invest in automated security tools that remove much of the burden of complying with security policy
- Failure to model and enforce proper security behavior, with accountability for security lapses
- Unreasonable productivity demands that drive workers to take careless shortcuts
When management, by its actions, conveys the message that throughput is more important than sensible protection of valuable data and systems assets, productivity will inevitably trump security.
Rakkhi Samaresekera notes several signs that the security-productivity issue risks falling out of balance. The most obvious, of course, is a major security incident. Before you suffer that, however, consider minor security incidents or near-misses as warnings that something is amiss. This might be an increase in thefts of laptops or more frequent virus attacks.
Audit reports should give you a good sense of potential security problems. Don’t just bury these in a file folder that never gets opened. Similarly, have consultants periodically assess current security in light of industry best practices. Again, once you get the report, don’t ignore it.
There are, however, proactive things you can do to enable security without killing productivity or triggering a worker revolt. For example, you can deploy single sign-on, which greatly expedites application and data access while reducing the need to manage passwords. To get rid of passwords altogether, you can implement biometric authentication. It’s a bit pricey, but once deployed users reportedly love it. Also consider automated ID management tools to rein in multiple worker IDs and roles. Finally, make sure the help desk knows to respond fast when workers have trouble with passwords or otherwise get tangled in security.
Start to minimize the conflict between security and productivity by streamlining business processes, with the input of workers, within the context of effective security practices. This includes the new employee onboarding process too. And new tools, as noted above, can eliminate the most cumbersome aspects of security. Of course, all of this requires an investment of time and budget. The payoff, however, is security with productivity.