What hackers inside your company are after: Convenience
Digital transformation is not a technology trend. Rather, it is a convenience trend. Businesses are changing because customer expectations demand it. Each day, consumers find yet another use for mobile connectivity. Corporations, meanwhile, hasten the rush of data into the cloud. And the so-called Internet of Things, or IoT, is woven more tightly into the fabric of our lives.
The truth is we’ve all become addicted to the amazing, modern conveniences driven mainly by advances in connected computing. Unfortunately, this pursuit of convenience has created problems in its natural opposite: security. Nearly every measure of security costs us convenience, and nearly every new convenience opens up new security concerns. Some hold that rapid advances in convenience across the digital world are directly responsible for a concurrent rise of data theft.
But outside of global trends, we have more immediate concerns as business leaders. We must respond to this desire for greater and greater convenience from our customers. But we also can’t ignore that this desire extends into another key group, our fellow employees, which is even closer to us. The issue is that every security measure we implement costs them convenience, and they don’t like it, and they don’t take it lying down.
The rising threat of convenience hackers
Employees have become convenience hackers, and often a policy they are ignoring, or a workaround to security technology that they’ve concocted, leaves us worse off than we were before we implemented the security measures in the first place. These convenience hacks are often the way that a bad actor finds his or her way into the network, and where the real damage is done.
As a consequence, our model for thinking about new security solutions needs revision. Currently, we tend to focus the evaluation of a new solution on its real or desired benefit in data protection. We also take into account its economic cost, both direct and indirect. But the impact on convenience is often forgotten or becomes a lower-priority consideration.
In many respects, discounting the user experience is not a new problem. Two decades ago, Alan Cooper published “The Inmates Are Running the Asylum,” a seminal book on the subject and an early indictment of software design that hampers utility and prevents users from taking the right path. He wrote, “In the information age, as computers invade our lives and more and more products contain a chip of silicon, we find that what lies between us humans and our devices is cognitive friction.”
The author’s advice has been heeded in the design of consumer products, from smartphones and video streaming services to Fitbits. But, as the imperatives of cybersecurity tighten around IT departments amid skyrocketing data breaches, convenience is being pushed aside in a reflexive return to the old binary equation. In short, cognitive friction is alive and well in the security solutions that are making their way into use.
No one says change is easy
The fact that change is hard was illustrated by the reaction in many circles to a study on the future of identity and cybersecurity from IBM. Released early last year, the report was widely hailed as evidence that users, at last, understand they must forgo convenience for security.
“Users of both mobile and desktop are wide awake to what’s happening with each new high-profile breach, and it’s made them change their priorities,” read one of many blog posts challenging studies that have highlighted users’ need for convenience. “Strong security and privacy are now at the forefront of the average user’s concerns.”
In fact, the IBM study found that while consciousness of security is improving, users are often willing to hack security solutions if it will save them a few seconds, young adults in particular. More than half of those under 35 in the study stated that they’d look for ways to end-run a new security protocol if it would save them between 1 and 10 seconds.
Yet expectations of convenience remain at odds with the need to maintain strong access controls, and CISOs must contend with an explosion of cloud and mobile applications which are now layered atop on-premises applications. They also must enable and manage a geographically distributed workforce and partner ecosystem that often makes it difficult to distinguish between employees, contractors, vendors, partners, and even customers.
The reality that convenience is the coin of the realm in the age of Uber and Amazon is in itself an argument for a new model, and it challenges us to think about why Cooper’s ‘cognitive friction’ has eluded so many security departments.
Factoring in convenience
When the impact to the end user is factored in, it’s often in a binary way. Whether it’s a consumer service agent managing a bank account for his customer or an engineer managing her regional power grid, decisions are made with some version of this question: Will users revolt, or not?
It is up to us to find new ways to implement security solutions that have less of an impact on convenience. We should think about the trade-offs as a convenience vs. security exchange rate, a sliding scale that is less a binary choice and more an analysis that recognizes that not all security solutions are equal.
This means that each security measure, from policies through to processes and technologies, has to be evaluated on multiple dimensions. How much additional protection will it provide? What is its economic cost? What is its cost (or benefit) in convenience to the people who are inevitably impacted? Most importantly, how much incremental protection is provided relative to the inconvenience created?
An example of the exchange rate at work is the unintended consequences of adopting a password manager, which typically stores multiple weaker passwords securely in a vault protected by a single, very secure password. Unfortunately, that difficult password is vulnerable to convenience hacks, as all difficult passwords are, and often ends up in an easy-to-steal place like a Post-it note or a file on the computer. Once stolen, that single password unlocks access to all that user’s systems. That’s a costly trade-off.
Alternatively, security solutions like fingerprint access to mobile phones are at the other end of the trade-off spectrum. They provide dramatically better security while also actually creating convenience for the user. Technologies like these, that integrate security more tightly into existing infrastructure and behave less like a bolt-on that creates steps for users or extra headaches for IT, are the rare win-win.
We’re increasingly seeing this awareness represented by providers of security technology, who focus heavily on implementation models that increase protection without significantly sacrificing ease of implementation and maintenance for IT or impacting users negatively.
Those who buy or develop security technology must remain most cognizant of the need to remain low-impact, keeping that convenience and security exchange ever-present in their minds. They must embrace the complexity and do the work to offer both heightened protection and greater ease-of-use, or they risk becoming a victim of the ruthless calculus of users in the age of convenience.