This blog post is based on a webinar, ‘The Tension Between Effective Security and Employee Experience’, which can be viewed in full here. It is the sixth webinar in The New Workspace series. The event featured the insights of Thomas Hatch, CTO and founder, SaltStack; Kurt Roemer, Chief Security Strategist, Citrix; and Jennifer Szkatulski, Security Intelligence Analyst and Technical Strategy and Innovation Lead, IBM.

IT plays a pivotal role in employee engagement, which has become even more of a priority for business leaders since the mandate to work from home. Employees need to work from anywhere and want to use their own devices — and workplace expectations are evolving fast. But with more user endpoints and remote workers than ever before, security risks are on the rise.

In this webinar, we considered how businesses optimise their security strategy in a way that doesn’t compromise employee experience. Amid a pandemic, and beyond, how do they foster a culture of security, privacy, and compliance that is focused on human outcomes and not just on the technology itself?

How do businesses optimise their security strategy in a way that doesn’t compromise employee experience?

Since the outbreak of COVID-19, employees have been thrust into a work-from-home scenario, which many businesses were not prepared for. As a result, individuals have been left working on untrusted home networks, on personal devices and unsanctioned consumer-grade applications, which has opened organisations up to new and increased risks. It is important businesses make sure they are not exposed, while ensuring any new security measures they put in place do not have a negative impact on the employee experience.

Thomas Hatch, CTO and founder of datacentre and desktop automation software SaltStack, says that, in the current situation, “individuals will do everything they can to get their jobs done, even if it means bypassing the security that has been put in place for them”. He advises that businesses should make sure the security components they select not only help the employee to do their job in a more secure way but also allow them to do their job more easily. He suggests such measures might include zero trust security, single sign-on, and easy-to-use multi-factor authentication.

Kurt Roemer, Chief Security Strategist, Citrix, says that now that we are past the initial panic phase caused by COVID-19, organisations should prioritise what it means to optimise the work-from-home experience, particularly in relation to security. “It helps if management and IT can work together to understand what the employee experience is today and what it could be, and they have a plan for getting there,” he says. “Employee experience isn’t some ambiguous concept; it is something very tangible that we can measure, codify and work towards.”

What causes the greatest tensions between security and employee experience, and how do businesses overcome that, particularly with many workers still based at home?

Often, when it comes to security, the needs of the organisation and the protection of its assets are put before the needs of the individual. Yet, simultaneously, employees are under pressure to deliver and will often do whatever it takes to achieve their goals, with security not always being front of mind. This dichotomy is exacerbating tensions between security and employee experience.

“When you look at what corporate IT has delivered over the past few years, it has been an experience centred around the technology,” Roemer says. “However, now that technology is ubiquitous, we are having to deal with other issues such as disruption, agility and home-life balance.” He argues that security should go beyond the employee experience and look at “human experience”, which considers everything from whether an individual is an introvert or an extrovert, through to how their workspace — from physical space to family — factors into their productivity and security.

Hatch agrees, saying “we need to focus on creating technology that is legitimately improving human experience”. He says organisations have been too focused on building technology to achieve specific business outcomes, instead of using technology to help improve lives. “We need to change tack, so that instead of seeing the security holes we need to plug, or thinking how we can crank more work out of an individual, we take a step back and see the bigger picture.”

Are cyber attacks at home a big concern for employers right now?

“When we are working on our home network, we are the most vulnerable part of the network,” says Jennifer Szkatulski, Security Intelligence Analyst & Technical Strategy and Innovation Lead, IBM. She says that between March and May of 2020, phishing attacks increased exponentially, often exploiting COVID-19 related themes. “The home user was the attack component, because people were starving for information and were an easy target,” she says.

Hatch claims COVID-19 and the mandate to work from home has turned existing notions of cybersecurity on its head. “The rug has been pulled out from under our feet and networks that we used to be able to secure have suddenly become more problematic. … We are beginning to look at things and question what the foundational fabric of cybersecurity even looks like now.” Hatch also says that people are far more willing to open a phishing email when they are in the confines of their own home, with no one looking over their shoulder. “Those human elements have crept back into the conversation,” he warns.

To look at it from the employee’s perspective, people are finding alternative channels to communicate and get the job done. How do businesses assess and manage this added security risk?

According to Hatch, people will log in to anything to get the job done. With so many people working from home, this is creating new attack vectors since home devices and home networks are far from secure. “We can’t reasonably deal with the diversity and disparity of devices in home networks, and so, we need to take a fundamentally different approach,” he argues. Hatch says the solution lies in creating a computer experience that is focus-centric, rather than distraction-centric, because data and security breaches often come about when a person is distracted, causing a lapse in judgement. “If we can optimise the individual experience where focus is something given to them, that would be far more beneficial, from both a human and security perspective.”

Szkatulski says the organisation must do all the heavy lifting, while also making it easy for individuals to behave securely. “Give employees access to backup systems, to antivirus software, to VPNs, and all of the things they need to secure their home systems,” she explains. Meanwhile, “organisations need to detect and authenticate what they can on the back end”.

Roemer says organisations need to provide better guidance for workers, while also automating away as much as possible. “We need to educate people that the physical environment really does matter and can give away too much sensitive data and privacy, but we also have an opportunity to automate against some of the risks across their workspace,” he says.

Analytics capabilities today can remind an individual to close down personal social media, for example, when they are about to enter a sensitive business conversation. “People were very used to the physical protections of the workplace and once those were removed, they can start to feel a little too free these days,” Roemer says. It’s time to focus on the human experience of the workspace to deliver optimal productivity and security outcomes.

Zero trust is a popular term yet means different things to different people. What does it mean to you?

For Hatch, zero trust means that “I need to do certain operations, and my access to the systems executing those operations is isolated to just those operations”. So, in effect, the individual and their actions are only trusted within the parameters of what they are assigned to do. The worker is not trusted with broad-level access. The result, says Hatch, is that while it is possible for people to carry out their tasks from a highly secure perspective, there is also a flexibility scale issue. “The more we restrict someone’s functionality and their access, and the purpose of what they are doing, the more we restrict their flexibility and creativity. It is this balancing act,” he says.

“All trust is earned” with zero trust, says Roemer, who thinks of trust as actions and transactions while ensuring everything a person does is “continually situationally aware and contextually risk-appropriate”.

“If you think about the different situations people switch to throughout the day across different devices, networks, locations, projects and teams, a zero trust state allows an organisation to respond contextually,” he says. “So, you are not just looking at context during a login event, but rather you are continuously re-evaluating trust factors as situations and risk levels change to ensure that trust is appropriate. Only if it is, do you proceed.”
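The two definitions above describe one mechanism from two angles: Hatch’s “access isolated to just those operations” is per-role scoping, and Roemer’s “continuously re-evaluating trust factors” is a risk score recomputed on every request rather than once at login. The following Python policy engine is an added example written for this article; it is not code from the webinar, SaltStack, Citrix or IBM. The role scopes, risk weights, thresholds and the work-day scenario in `run_workday()` are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # proceed only after a fresh MFA prompt
    DENY = "deny"


# Hypothetical scopes: a role is trusted only for the operations it is assigned.
ROLE_SCOPES = {
    "payroll-clerk": {"payroll:read", "payroll:submit"},
    "support-agent": {"ticket:read", "ticket:update"},
}

# Illustrative weights and thresholds, not a standard; tune against real telemetry.
NETWORK_RISK = {"corp": 0, "home": 1, "public": 2}
STEP_UP_THRESHOLD = 3
DENY_THRESHOLD = 5
MFA_MAX_AGE_S = 12 * 3600


@dataclass
class Request:
    user: str
    role: str
    operation: str
    device_managed: bool
    network: str             # "corp", "home" or "public" (unknown treated as public)
    country: str
    mfa_age_s: int           # seconds since the user last completed MFA
    sensitive: bool = False  # operation touches sensitive data


@dataclass
class Session:
    last_country: Optional[str] = None
    history: List[Tuple[str, Decision]] = field(default_factory=list)


def risk_score(req: Request, session: Session) -> int:
    """Sum the contextual risk factors present on this request."""
    score = 0
    if not req.device_managed:
        score += 2
    score += NETWORK_RISK.get(req.network, 2)
    if req.mfa_age_s > MFA_MAX_AGE_S:
        score += 1
    if session.last_country is not None and req.country != session.last_country:
        score += 3   # location changed within the same session
    if req.sensitive:
        score += 1
    return score


def evaluate(req: Request, session: Session) -> Decision:
    """Decide one request: scope check first, then context-dependent risk."""
    if req.operation not in ROLE_SCOPES.get(req.role, set()):
        decision = Decision.DENY          # outside the assigned operations
    else:
        score = risk_score(req, session)
        if score >= DENY_THRESHOLD:
            decision = Decision.DENY
        elif score >= STEP_UP_THRESHOLD:
            decision = Decision.STEP_UP
        else:
            decision = Decision.ALLOW
    session.history.append((req.operation, decision))
    if decision is not Decision.DENY:
        # A real system would only confirm the new context once the step-up succeeds.
        session.last_country = req.country
    return decision


def run_workday() -> List[Decision]:
    """Constructed scenario: the same user's trust changes as their context changes."""
    s = Session()
    base = dict(user="alice", role="payroll-clerk", device_managed=True, country="GB")
    return [
        # Morning, home network, MFA just completed: low risk.
        evaluate(Request(operation="payroll:read", network="home", mfa_age_s=60, **base), s),
        # Sensitive submit from the same context: still within tolerance.
        evaluate(Request(operation="payroll:submit", network="home", mfa_age_s=3600,
                         sensitive=True, **base), s),
        # Moves to a cafe: public network plus sensitive data triggers step-up.
        evaluate(Request(operation="payroll:submit", network="public", mfa_age_s=5 * 3600,
                         sensitive=True, **base), s),
        # Out-of-scope operation is denied regardless of how safe the context is.
        evaluate(Request(operation="ticket:update", network="corp", mfa_age_s=60, **base), s),
        # Unmanaged phone, public network, stale MFA and a new country: denied.
        evaluate(Request(user="alice", role="payroll-clerk", operation="payroll:read",
                         device_managed=False, network="public", country="FR",
                         mfa_age_s=14 * 3600), s),
    ]


if __name__ == "__main__":
    for op, d in zip(["read", "submit", "submit@cafe", "ticket", "phone@FR"], run_workday()):
        print(f"{op:12s} -> {d.value}")
```

The point to take from the scenario is that the login event alone would have allowed every later request; it is the per-request re-evaluation that turns the cafe submission into a step-up and the foreign, unmanaged device into a denial, while the scope check keeps the payroll clerk out of the ticketing operations no matter how trusted the context looks.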

Moving Forward

As organisations continue to process the changing dynamics between cybersecurity and employee experience that the global pandemic has triggered, it is important they prioritise creating a culture of security that permeates into everything that individuals do, on a daily basis. Employees must learn the importance of what it means to take security seriously and be empowered to do so, rather than assuming it will be done for them. However, this must be balanced with the understanding that employees aren’t, and have no aspirations to be, security experts, and that security measures and frameworks should not impede their ability to do their jobs and be productive.