5 ways users circumvent security measures and how to prevent it

Mary K. Pratt November 30, 2017

Workers usually choose convenience over security, especially if you force them to jump through too many hoops. But there are steps you can take to shift the balance back in security's favor.

As a cybersecurity expert, Richard White supports locking down sensitive data to keep it out of the wrong hands. On the other hand, he says, companies go overboard with restrictions.

Those excessive restrictions can be self-defeating if they lock out workers, too, making it hard if not nearly impossible to do their jobs efficiently. So, they find workarounds. It’s a scenario that slows productivity and, ironically, puts the data itself in jeopardy.

White points to a specific incident he witnessed at one office: A worker took a photo of protected information on his computer screen so he could take it with him to finish a job. “If security measures are overly complex, the first thing users are going to do is look for a way around them, and then the security measures completely fail. It’s imperative that cybersecurity professionals really take a look and tailor their policies and procedures and technology based on what the actual security risks are. It has to be a justifiable mix of rational security measures and what the users are trying to accomplish,” says White, author of Cybercrime: The Madness Behind the Methods and managing director of Oxford Solutions.

Cybersecurity teams don’t need to overhaul their operations to achieve a better balance of security measures and usability, White and other experts say. They can instead start by addressing several common areas where workers tend to sacrifice security for productivity.

Complex password requirements

Passwords are a security staple, yet security officials say organizations have created such complex password policies that they’ve shed their protective powers and instead have become vulnerabilities. These policies often require workers to have overly long passwords with too many required features (e.g., upper- and lowercase letters, numbers and symbols along with a minimum number of characters). These policies also often require workers to change them at least every several months.

As a result, workers write them down or, perhaps even worse, store them in a computer file in order to remember them. White says he worked with one company that had suffered an external hack, which was traced back to a worker with administrative-level credentials who had stored his passwords in an electronic file. Although it’s unclear what role the stored passwords played in the case, White says it certainly highlights the problem.

Of course, White and other security professionals say, passwords still have their place. They recommend organizations be smarter with their password policies and limit the complex requirements to more reasonable levels.

Sharing passwords

On a related note, Tim Crosby, a senior security consultant with Spohn Security Consulting, Inc. in Austin, Texas, says some workers also share their passwords with colleagues. Although it’s not smart from a security standpoint, he says workers do so because they need to share access to their files with co-workers. He says it happens at all levels within organizations – from executives sharing passwords with their assistants to lower-tier employees who are collaborating or covering for each other on days off.

To counteract such actions, he says cybersecurity teams should work with the business to more accurately identify which users need access to which files and then create policies on how to securely enable that shared access.

Sign-in overload

Organizations don’t just have a problem with the complexity of their password requirements; they also have a problem with the number of times they expect workers to sign in overall. Many workers have multiple log-in and authentication requirements to contend with throughout their work day, which they see as a drag on their productivity, says Alvaro Hoyos, the chief information security officer at OneLogin, a cloud-based identity and access management provider.

He and others say such drags push workers to circumvent log-in requirements by, for example, transferring the data they need out of secure applications and putting it in an easy-to-access spot where they can work without worrying about having to log back in if they step away from their desks for a few minutes. Security teams have several options to address such scenarios, says Rob Stroud, a principal analyst with Forrester Research and past board chairman with ISACA, an international professional association focused on IT governance.

Options include identity management and single sign-on solutions, tokens, the more advanced User and Entity Behavior Analytics (UEBA) capabilities that distinguish between normal worker patterns and anomalies that indicate a potential threat that needs to be shut down, and biometrics where quick and easy access is needed. “You have to find the right balance between security and convenience,” Hoyos says, adding that security professionals should be aiming for “frictionless security.”

Data held hostage

The need to protect sensitive data has become paramount for most organizations, yet cybersecurity leaders say many organizations have created so many unnecessary layers of protection that they’re slowing down productivity and pushing workers to unsafe practices. The evidence of such worker frustration is mounting. White’s example of a worker snapping a photo of the information he needed is just one anecdote security officials have witnessed. Others say they’ve witnessed workers copying files, transferring documents, and using unsanctioned file-sharing apps.

“Many managers don’t realize how easy it is to grab data,” Crosby says, adding that such workarounds poke holes in the organization’s protective layers, thereby increasing risk. “It’s not a new dilemma, it’s part of the security paradigm. Every time you make something more secure, it’s less user friendly. People are smart; they’re going to find a way around it, especially if they don’t understand the why.”

White says organizations should recognize that they’re creating problems for themselves if they treat all data with the same sensitivity. Instead, he and others say security needs to spend more upfront work on data classification to protect the truly sensitive pieces of information while removing barriers to the less sensitive information that most workers use for their jobs. “It’s hard work, but it only has to be done one time,” White says.

Cumbersome workflow

Workflow is another point where security and productivity collide. Wouter Koelewijn, senior vice president of the Scanning Division at Y Soft, a print management solutions company, says he sees workers sharing, scanning, emailing, and printing documents in the normal course of their duties. They’re either not aware of the potential security risks, or they are aware but move forward anyway because they must in order to get their job done.

Koelewijn doesn’t fault the workers; he faults the design of systems that doesn’t easily accommodate the existing day-to-day workflow patterns. “The behavior we see from users is if you ask them too many questions or to classify documents, it’s out of balance with what they want to achieve, so they’ll find their own solutions,” he says.

He and others say companies need to invest in the technologies and system designs that make it easy for workers to follow the rules and, more importantly, automate as much of that as possible. For example, systems should be designed to securely scan documents identified as sensitive without making workers jump through hoops.

“We have to look at the human process flow, so security is not obtrusive,” Stroud adds. “We have to look at these process flows and insert security appropriately and based on the risk, so there’s not one size fits all.”
