This is the fourth and final post in a series on how to secure your hybrid workforce. For a complete overview of the topics discussed in this series, download The new perimeter: Access management in a hybrid world.
In the initial post in this series, we outlined four key considerations to securing your hybrid workforce: identity, shadow IT, the security vs. productivity tradeoff, and security costs.
Now that we’ve seen why identity is the right place to start, and how to secure access to both managed and unmanaged apps, let’s talk about worker productivity and cybersecurity costs.
Productivity vs. security is a false tradeoff
Security software is notoriously hard to use. Instead of making things easier for end users, security tools often introduce new frictions into workflows. Hence the perpetual dance between security and productivity.
The situation also pits IT and other employees against each other. IT’s goal is to reduce their attack surface to avoid a security breach. Employees want to get things done. If security software is hard to use, those two goals are at odds. It’s zero-sum.
And when productivity and security face off, productivity often wins. A recent study found that 85% of employees knowingly broke cybersecurity rules to accomplish a task. IT and security teams are left with an impossible choice: Impose more tools and security measures to strengthen their cybersecurity posture, or reduce friction to help employees get things done. Either you reduce the risk of a cyberattack, or you make workers’ lives a bit easier. You can’t do both.
But those workarounds aren’t a malicious attempt to thwart IT. It’s just people trying to do their jobs. Employees are using their personal devices and preferred apps to get the job done, not to sabotage the company’s security posture.
Making the secure way to work the default way
Resolving the paradox requires expecting more from our security solutions, specifically in terms of user experience.
To illustrate how we might do that, consider the desire path. When building spaces, landscape architects (naturally) include paved walkways in their plans. But those paved walkways aren’t always the preferred route of those who use the space.
When people continually cut across the grass of a park, for example, and eventually wear down the grass to create an “unofficial path,” that’s a desire path. It wasn’t in the designer’s original plans, but that doesn’t matter to those using the space – they’re just trying to get from point A to point B as quickly as possible.
Hybrid work has created a similar, digital desire path. Instead of using only the apps managed by the company, workers are using shadow IT – both on company devices and personal devices – to get things done. That introduces new vulnerabilities. But what if IT could simply secure that desire path, instead of trying to force workers to stick to the paved walkways they’ve been avoiding?
Bad UX is a security risk
If a security tool is hard to use, people won’t use it. Consider a few findings from 1Password’s Unlocking the login challenge: How login fatigue compromises employee productivity, security and mental health:
- 44% of employees say that the process of logging in and out at work harms their mood or reduces productivity.
- 26% have given up on doing something at work to avoid the hassle of logging in.
- 38% have procrastinated, delegated or skipped setting up new work security apps because of burdensome login processes.
And that’s just logging in. If IT teams not only understood these frustrations, but did something about them – say by providing an enterprise password manager (EPM) that did the work of logging in for employees – both security and productivity would win.
Strengthening security with a great user experience
Let’s say Taylor, a new employee, is setting up a new Airtable account to check the publishing calendar for their role on the social media team. Instead of creating a weak password that’s easy to remember, or reusing a password, Taylor uses an EPM to generate a strong, random, unique password.
Because admins can customize password policies, the password Taylor creates automatically complies with company security policies. And Taylor doesn’t have to remember that password or record it. The company can even mandate multi-factor authentication, which modern EPMs support.
And the next time Taylor logs in, they don’t have to guess how they logged in. Was it an email and password? Did they log in with their Google account? SSO? A passkey?
It’s all moot if their EPM remembers for them, and automatically logs them in. And when they need access to the company Instagram account (for which there’s only one login for everyone on the team), a colleague can securely share those credentials with Taylor.
To secure access to shadow IT, you have to make it easy for workers to do their jobs securely. They have to want to use the security tool you’re offering. And that only happens when that security tool helps them get things done, instead of getting in their way.
Getting a handle on spiraling security costs
Security can feel like a game of whack-a-mole. New technologies pop up, workers adopt them, and IT rolls out new tools to address the vulnerabilities those technologies introduce.
It all adds up. Overhead and tools are two of the biggest contributors to cybersecurity costs. But it is possible to create efficiencies across both.
Reduce and eliminate password resets
IT spends a surprising amount of time resetting passwords. 57% of IT workers reset employee passwords up to five times a week, and 15% do so at least 21 times per week.
That leads to IT spending nearly 21 days of work each year on tasks like resetting passwords and tracking app usage.
But both IT and workers can wrestle back a significant portion of that time with an EPM. For example, in The Total Economic Impact™ of 1Password Business, Forrester found that deploying 1Password results in:
- 70% fewer IT help desk support tickets, saving 291 hours per IT team member each year
- 1,400 fewer hours per year spent by workers resetting passwords or waiting to gain access to systems
Reduce SSO costs
SSO and EPMs can work well together within an identity and access management (IAM) framework. SSO secures access to applications managed by IT, while EPMs secure access to unmanaged apps, or virtually everything else.
But the costs of SSO can add up. It can take weeks or even months to implement SSO, and each application placed behind SSO needs to be configured. EPMs require less custom configuration – it’s a one-time setup and doesn’t require every app to be configured.
And even once SSO is deployed, it only secures access to 50-70% of the apps in use, according to Gartner. IT will have to dedicate time to add new applications, and many of those applications will charge extra for the ability to integrate with your SSO provider, a cost known as the SSO tax.
EPMs not only secure access to the unmanaged apps that SSO doesn’t cover, but also reduce cybersecurity costs with a less costly rollout and by eliminating the SSO tax.
EPMs create efficiencies through usability and reduce costs
As a quick recap, here’s what we’ve covered in this series:
- The four key considerations to securing a hybrid workforce are identity and access management, shadow IT and bring-your-own-device, the productivity/security tradeoff, and security costs.
- Verifying identity starts with strong, unique logins for each service. Using passkeys where possible reduces or eliminates the threat of phishing, and following the principle of least privilege (as part of a zero trust strategy) reduces your attack surface.
- Shadow IT is the way we work now, and the new perimeter includes not only company-owned devices and managed applications, but also personal devices and unmanaged apps. SSO protects managed apps, but we can reduce the likelihood of a data breach by securing access to each unmanaged app with an EPM.
- By making the secure way to work the easy way to work, EPMs reduce cost and create new efficiencies that can save the average organization thousands of hours every year, while also supporting a strong security posture.
For an overview of each of the topics we’ve explored, download The new perimeter: Access management in a hybrid world.