My response to a HARO question: Finding the right balance between IT security and employee productivity can be tricky. You want to ensure your company and its data are secure, but you also don’t want policies and protections that prevent employees from being able to easily do their jobs. How do you find the right balance? What are the most important issues to consider? How can you tell if your enterprise security is off balance?
In general if there is a way to do something securely there is a way to do it cheaper and faster insecurely. So the balance is far more likely to tip in the favour of productivity or convenience than security.
There are a number of ways that you can find out when the balance tips too far away from security. The typical ones are as follows (from least mature to most mature organizations):
A major security incident - this is typically too late but just like 9/11 there is often no action until there is an incident
There is an increase in frequency of minor security incidents or a near misses - increased loss or theft of laptops or mobile devices, increased amounts of viruses on the network. These are a good warning signal that something needs to be done
Audit reports, penetration tests - if you have an internal or external audit department they will review the security controls. If you handle card data then there is PCI-DSS assessors. Your applications and infrastructure can have technical security tests and vulnerability scans. An increased severity and number of findings can be a good indicator the balance is tipping
Metrics - if you have setup some security metrics that are being monitored on a regular basis, when these start to go into the red, and amber this is definitely a signal on the overall security posture. Tips here on setting up metrics.
However there are areas or processes where the balance may tip the other way, where poorly designed or implemented security will hamper productivity. Usually these are are opportunities where with some investment in process and technology you can get productivity and security improvements. Four key areas are:
Time and effort to on-board new staff and gain access - if new staff do not have the IT access they need to be productive from day one, if it takes weeks to get access to an application, there are opportunities for improvement. A survey of line managers and staff that have started in the last 6 months is good way to get some data on this and find out the pain points. Process improvement opportunities usually exist in defining access templates for common roles. These can be pre-approved and save time over specific individual workflow and approvals. Investing in some identity and access management tools or just scripts that automate access provisioning can save a lot of time e.g. when someone is added to the HR system they automatically have an Active Directory account, email account and Internet access
Password reset - if account lockout policies are set to requiring an administrator or helpdesk to reset, especially on 3 strikes and out - There have been places I have worked where over 60% of helpdesk calls have been for password resets. There is opportunity for the balance to tip towards more productivity with minimal increase in security risk. Mathematically the increased risk of guessing a minimum 8 character, complex password (alphanumeric, special characters) in 5 or 10 attempts compared to 3 is minimal. Providing an auto unlock every 15 - 30 minutes means users can have another attempt after getting a coffee or lunch, saves you helpdesk calls while still providing a very good defence against password guessing or bruteforce attacks. Providing a password reset self service process if you design it well, it with a good combination of secret questions and/or combining a second factor such as a SMS one time password can mean staff are not left waiting for the helpdesk and cut helpdesk calls.
Single sign-on, federated access, eliminate the password - for a few more technical options. If you have a few 100 applications and infrastructure with all their own username and password then there is a fair chance your staff are spending a lot of time logging in, remembering and resetting passwords and probably writing them down or storing them in spreadsheets. If you add the myriad of external applications for any outsourced services such as CRM, HR or timesheets it only gets worse. If you have a directory like an LDAP or Active Directory many applications will integrate with this. OpenSSO now continued by Forgerock provides some really quick and easy options to get single signon for your applications and achieve federation. Ping Identity is another quick commercial option. If you can use a smartcard that is also used for physical access or facial recognition via webcams then you could eliminate the password altogether and provide stronger authentication for your single point.
Secure collaboration with external partners - sending information out of the company or using external collaboration software maybe where security has imposed quite strict controls. This could mean grapping with password protecting documents, email encryption and just struggling to get effective collaboration. If the enterprise has technologies such as Sharepoint then these can be externally exposed while still maintaining security controls. Google applications now with an extension to share office documents and supporting strong authentication is worth considering and Dropbox is another favourite of mine.