Security vs. End User Experience – Find the Balance

Have we become so focused on serving our customers that we are willing to cut corners for the sake of speed and convenience, only to subject the organization to security risks? I’m not suggesting that one has to be prioritized over the other, you can provide a great user experience, while also keeping your users’ identities and access secure. It is possible to achieve a healthy balance. 

The recommendation I give most often, that is also most often ignored is “don’t sacrifice security over your employee/customer experience.” A higher prioritization of the end user experience is what sneaks in and derails a great strategic security roadmap.  

Here are just a handful of scenarios I’ve come across in working with clients – notice the lack of balance, in exchange for simplified processes:

1. When onboarding, allowing admins to use the new hire’s credentials to set up their desktop before the employee’s start date, in order to ensure the new hire is up and running the first day.
2. Using a standard password algorithm to allow printing of training materials such as using the first six characters of the new hire’s last name plus the month and day of their date of birth, to make it easier to onboard during high hiring seasons.
3. Managers don’t inform HR in a timely manner  when a contractor is terminated or the contract ends so the business has gotten in the habit of not taking action upon the original contract end date, in hesitation that the contract may have been extended.
4. Access certifications are such a burden to managers and application owners that they become low priority and they try to review access only when they have time.
5. Only the last four digits of a user’s SSN is used to verify a person when they call the helpdesk because it’s the easiest way to verify employee identities if they get locked out.

You should be cringing and/or shaking your head, but if you are not, let me gently point to some flaws:

1. No one should ever log in using someone else’s credentials, for any reason. There is technology to support accomplishing the same result in a more secure fashion. A user’s access should never be active before their start date, giving an admin access to another user’s self-service HR portal, exposes payroll and someone else’s personal details!  
2. I’ll go with the obvious short list: 
   
   1. Have you ever left a company and still remembered their password algorithm? So can a disgruntled former employee. Social media has made it far too easy to learn simple bits of information to guess credentials.
   2. If you print it, it can land in the wrong hands.
3. Lingering access is always a risk - if in doubt, shut it down. If a contractor or employee leaves, the clock for malicious attacks begins the moment they do. 
4. Inappropriate access to the wrong user is the reason identity and access management continues to be a growing solution area…allocate time and resources to make sure access reviews are a priority! 
5. The less Personally Identifiable Information (PII) data is exposed, provisioned across systems, stored, visible within a UI (via Help Desk, admins or unnecessarily stored within an application), the lower the risk.

There are technologies and processes that can address every one of these flaws. It is imperative that organizations balance simplicity with security, not for the sake of it.