Why Your Users Resist IT
Cybersecurity is something your users don't always like. With cybersecurity being a requirement for all organizations in the wake of growing cyberattacks, organizations need to implement stronger security policies. However, we know stronger security policies tend to make this process frustrating for your users, so how do organizations get more of their users involved and improve user adoption? How can organizations smooth out the experience and still improve security?
Listen to the podcast:
It’s finally 2022! What’s one cyber trend users will love and what’s one cyber trend users will hate?
Cybersecurity is something people don't always like, but one cyber trend, I think users will love is the passwordless trend, right? Getting rid of passwords that we have to remember and starting go to ways that don't require us to remember and anything more so something we have or something we are what cyber trend will users hate? I would say it's actually the kind of opposite, which is passwords are still gonna be around in 2022. You know, thinking that we're going to completely eliminate them this year is a pretty lofty goal. And so I think they'll still be here to stay and something that we still have to manage as users.
You're listening to IAM pulse, a podcast, discussing all things, identity access management from defending against cyber attacks and to enhancing your overall cybersecurity strategy. This podcast is brought to you by BIO-key International, an innovative provider of flexible, secure access management and biometric identity solutions. We're sitting down to talk about the impact of identity access management makes on you and your business.
Hello everyone. And welcome back to another episode of IAM Pulse. It's our first episode from the new year in 2022. Today I'm joined by my guest or cohost at this point. She's been running the show longer than I have: Kim Biddings. Kim, how was your weekend and welcome back to the show in the new year.
Yeah, thanks. It's been good. You know, 2022 started off interesting. I would say for a lot of us out there fighting the pandemic still, but doing well. Well, happy to be back.
Sounds good. Yeah, no speaking of starting the year within the pandemic I believed to have COVID still recovering, but yeah, that first week, wasn't that pretty? But no, we're covering now in the second week of January, so doing pretty well. But let's talk about our topic of discussion mm-hmm <affirmative>. So based on the title of the episode, why users are resisting cybersecurity? Let's talk about it jumping into the main topic of the episode how users react to cybersecurity. <Affirmative>, you know, we always talk about how important cyber security is today, but it's come to the point where cyber security is a must have requirement for all organizations. Mm-Hmm <affirmative> so Kim, why is cybersecurity a requirement at this point?
Yeah, sure. And, and, you know, after over 10 years of this, I'd say it's always been a requirement. I think it's just now very odd, obvious for those organizations that have kind of dragged their feet, or haven't really, you know, brushed up on cybersecurity controls. Mm-Hmm <affirmative> it is now a requirement more than ever. You know, some stats that stood out to me recently was there's been a, a 300% increase in cyber attacks since the start of the pandemic in the us alone. And then the new kind of report out there, or statistic on ransomware that kind of opened my eyes is that a business will fall victim to a ransomware attack every 11 seconds. Oh, wow. Yeah. So, you know, for those of you listening in that are thinking about improving cybersecurity or thinking about putting it in the reason it's a requirement is because just the influx of attacks the business that people are making now out of some of these things like ransomware as a service is just exploded. You know, the pandemic, everybody went and remote services went online very quickly. Businesses had to adapt quickly and cybersecurity got left a little bit by the wayside and really opened up the attack vectors for hackers if they weren't there before. So it's just become even more important than it has been in the past. And I think there's new challenges and, and definitely new hurdles to overcome, especially for businesses that weren't prioritizing it before.
So, How do organizations protect themselves from outside influences?
Yeah, no great question. So, you know, it's a requirement at this point. And so looking at how do you protect yourself? You know, one of the very baseline things that now is pretty obvious and, and can prevent ransomware attacks and other attacks by up to 80 to 90% is multifactor authentication, right? Getting away from passwords which we have been talking about for, well over a decade. But it's just, you know, more and more evident that passwords and using credentials that are easy to guess or that people can't manage well are really an open attack vector. So organizations thinking things like multifactor thinking, things like zero trust, right? Don't trust, anything, implicitly, make sure that we are always verifying the identity, getting more granular policies in place. And then I always tell people too, make sure you have that response plan, right. That, that plan in place when something does happen or when that attack happen, it will. And how do you respond to it is gonna be that next part,
Right? Yeah. We've seen and written about the love, hate relationship between users and cybersecurity solutions. You know, users having to get themselves involved in this is definitely a big way to, or it's become more important now to definitely improve cyber security measures. But on that note, Kim, to ask as a vendor, why or where do you see users resisting cyber security?
Yeah, that's a great question. And you know, my, my little mantra is kind of like security is only as good as it has been adopted, right? If, if the security precautions you put in place are being circumvented or not used or adopted by your users, then it's not in place, right. It's not a, a barrier at all. From a, a user perspective and resisting, we don't like disruption. We don't like logging in. I don't like logging in and it's the business we've, you know, I've been in and talked about for a long time now. And so the main thing is people don't like change, right? We're very much creatures of habit. There's plenty of studies out there. That'll show like our brains pick the path of least resistance, right? Almost every single time <affirmative>. So the change coming into my daily operation is one thing.
And then cybersecurity for most people is always a thing that they have to do. It's not a goal that really contributes to their daily business. So, you know, we're in marketing, right? We have our own team goals. We have our own objectives. We're trying to support the business cybersecurity and keeping our passwords, you know, secure or making sure we're doing our multifactor best practices. Usually isn't on the goal list for every department of an organization. So a lot of times security is seen as getting in the way of the business being able to, to conduct business. So it's, it's definitely a controversial topic. I think too, like as, as these cyber attacks increase the challenge and the rub becomes a little bit harder because now how do we prevent these attacks? We have to prevent them and how do we not disrupt users?
And I think that's really where it's gonna get more challenging. I think zero trust brings that in with like more granular controls and a lot more often or a lot more checks more often as to are you who you say you are and all of that can create friction and disruption for users. So there is that love, hate relationship. I think it it's going to continue you know, the best authentication or the security control for users. One they don't see don't know is there and doesn't impact them, but that's pretty hard to achieve.
Yeah, that makes sense. Yeah. Us as users really don't like change. I know when Google required MFA I first it felt really disorienting. I think another reason users hate cyber as a whole is just the annual password changes. Yep. Remember when I was a student, I remember having required password changes every year and it got so annoying. Mm-Hmm, <affirmative> it made sense. As we all know, hackers, wouldn't guess our passwords, access crucial information, but as the user, I know what most people tend to do. I did this myself we just changed the last number or character and our passwords. So we had two, just went up to three, obviously it's not secure, but it also, hasn't been very convenient either.
Yeah. And I think that's, you know, that's part of the challenge too, is helping people understand why it's so important to do that. Mm-Hmm, <affirmative>, you know, it's one thing if I told you, Hey, somebody might hack into your student account and get your information. That to you is a concern, but until you feel that pain or you really think it's gonna happen to you, or it happens to your best friend, it's not as much of a, a urgent need or concern. The more you can give people reasons as to why they need to be concerned with cybersecurity in terms of protecting the business or reputation or what the actual damages could be. If someone gets your information, not just they got it, but what happens after that mm-hmm <affirmative> is really important, cuz otherwise it doesn't me telling you that you need multifactor.
A, a lot of people don't even know what multifactor authentication is. So it right. Translation problem, as well as to like what's the value of these controls and why should you have to do them? I've seen some really creative ways organizations have rolled out controls with marketing campaigns actually because they have to get user adoption. So that's the other issue I would say is kind of that lack of understanding and, and translation, you know, ability for kind of the common user, you know, you think about before last year, most average, you know, people in regular positions, et cetera, aren't gonna know what ransomware is. We now know <affirmative> ransomware is because of colonial pipeline, other big attacks. But before then most people are walking around asking about what ransomware attacks have happened recently. You know? So mm-hmm, <affirmative>, it's, it's definitely an education curve, I think in a lot of cases as to how do you educate people to get them to want to participate and adopt the control?
Right. Mm-Hmm <affirmative> so we've talked a lot about what organization have implemented but not specifically what they try to do for their users. So I think we know that organizations have to train their users to understand the new cyber security policy in place. Mm-Hmm <affirmative> I think there's this difficulty that there's just set when it comes to cyber security awareness training. I think you hint it upon it as well. Mm-Hmm <affirmative> but for one we, we know that a lot of users don't understand the security change is the need for them. And the jargon that goes on in the world. I think saying like the words that we use every day, the acronyms MFA SSO IAM zero trust tends to be confusing for those who don't really attend cyber security webinars or just generally speak cyber security throughout the week. And so if these users tend to resist change this way or just are, you know, not understanding properly the acronyms, the jargon, the lingo, it might be difficult to train them to begin with. So let's talk about this a bit more. So Kim, why is it difficult to train employees about cybersecurity policies?
Yeah, I think it's, it's a little bit too of who has to train them. Mm-Hmm <affirmative> so, you know, we talked about like the language being different. The other thing too is often times it departments are not in the business of marketing. So, you know, understanding your target audience, understanding what, what matters to them, what the value is to them. How do you position that? How do you message that to them? You know, that takes a lot of overhead and a lot of effort. And, and it is hard to bridge that we used to call it geek speak to business speak, you know, but it mm-hmm, <affirmative>, it's hard to make that bridge and it's also hard to do marketing and marketing campaigns and things if you're not in that department or that's not your typical approach to projects. So I think, you know, later on we talk about some things about what to do about it and I'll provide some, some recommendations there, but I think it's challenging because you are kind of putting on a different role of actually training and marketing to people. It's not something that's typical done or is, is always done well in the IT team. And usually IT teams that are limited and resource already.
Yeah. So following that, I think just also hate the cybersecurity webinars that come with these changes. I know. And the, and the issue also comes that people who are in cybersecurity aren't teachers first, I think mm-hmm, <affirmative>, they care a lot more about the cybersecurity as a whole you know, not every cyber security professional is a professor or a teacher. And for the average users, you know, the word zero trust MFA can go easily over their head. And it's not really their responsibility to know exactly what they mean. So it be, they become irritated when it comes time to adjust security measures. Right. so besides the mandatory changes, there's this divide between security and convenience, mm-hmm <affirmative> like not only are you telling your users, your security is gonna get stricter, but also you're expected to give them a better user experience.
Mm-Hmm <affirmative> it's a pretty hard ask. I know we've always talked about it as well, right. And a better user experience. The key difference for many industries, many businesses. I know we've talked about higher ed being one of those. For example, to imagine this a better user experience as a student if you make this student experience better students who can easily access the payment information class schedule, et cetera, is just a differentiator now for a university that a student can choose mm-hmm <affirmative> so imagining that, but in the business side we're looking into that, but mix that with a difficult or more complex security process. And now you have the situation of what's a balance mm-hmm <affirmative> so Kim, is there a way to have stronger security in a better user experience?
Yeah. That's, I mean, that's been the key question as you mentioned, right. And, and we used to say balancing security and usability security and convenience user experience and security. I mean, that challenge has always been there. And it's kind of the conflict that the, the it director out there, you know, we even know that they, that that's a challenge for that role is like you're in charge of keeping the business safe, but at the same time, you also need to provide technology that doesn't disrupt anybody mm-hmm <affirmative>. So I'd say in terms of, you know, finding that perfect balance, I don't know if there's a perfect balance. I think there's a couple ways that I would, I always recommend for people to go after this, this challenge, and try to make it as smooth as possible. The first thing really, for a recommendation that I have is making sure that you understand your users.
So I remember working in healthcare, for example, we used to spend a long, long amount of time before implementing any changes to let's say authentication. We would spend observing clinicians working in their environment. Mm-Hmm <affirmative>. And so looking at that, you knew, for example, that an operating room where the doctors in there for 12 hours and doesn't change the staff doesn't change, nothing else happens in the at room. That's something that you would want different controls on and different feature sets versus in an emergency room where there's a shared workstation and people are very quickly, you know, going up to it to do record and charting. So knowing the workflow of the person and trying to give them something new or change that workflow, you have to understand their workflow first. So my, my first recommendation has nothing to do with technology. It actually is just know the people that you work with mm-hmm <affirmative> and address those workflows.
And then I always say, you know, make sure that when you're implementing security, you are trying to find ways to give usability as well. And so we talk a lot about right, putting factor authentication in place, so requiring more authentication, but then combine it with single sign on. So they don't have to do that authentication more than once, right? Mm-Hmm <affirmative> make them, you know, do a more extensive login, do the multifactor authentication, but then don't have them remember or have to log in again, for every single application that they're going into. That's just a very easy kind of security plus usability introduction that will help improve that user experience and then give really a secure login. The other thing I would, I would point out is definitely contextual authentication or what we call adaptive. Mm-Hmm <affirmative> and that pulls in context around the authentication.
So you, as you could, you know, require more authentication like additional factors, but also you can reward behaviors that are showing as like in the right geography at the right time of day, right network, right. If all the context checks off, maybe you can lessen the authentication a little bit, make it a little bit easier for people. And then I think the, the big, you know, one that you and I have talked about, and we talk about a lot here is just the options that people are given for logging in and the options that we have for authentication, you know, our, our traditional MFA is still pretty inconvenient, risky and expensive, you know, or the three things that I think of. It's not very efficient and Will, you, you and I go through this, you go to log to our, our website in the backend, right.
And it requires a Google authenticator. I have to type in my username, my password. I have to then find my Google authenticator app. I have to open my app, assuming I have my phone. And then I have to type in the code back, asked enough in that period of time. It's very disruptive to me as a user. And so, right. You know, there are other options and it's A figure out what options work best for the user in their workflow. And then B you know, we recommend highly picked biometrics biometrics doesn't have anything extra to carry. It doesn't have anything extra to remember. You are your authenticator, essentially when you're, you're walking around right. With your biometric mm-hmm <affirmative>, and it's extremely, extremely secure. So you're not giving up on that security element. So it's something into consider. We definitely recommend at least consider biometric authentication as part of your plans.
Right. Well, as we continue to say, data breaches are no longer matter if, but when and the best time to find a balance, if you know the best possible balance between convenient security is now mm-hmm <affirmative>. I know in 2022, we expect more orgs to implement stronger authentication methods or models of zero trust. The cyber, the cyber is gonna affect the users regardless. So for it teams, it's more important now than ever to get as close to a perfect balance as possible. So, Kim, what do we do about it? You know, we've talked about how organizations, you know, need to support their users as well as their security measures, but what are some steps or tips that you can give?
Yeah, sure. So you know, kind of summarizing up, I think some of the things we've hit upon, but I'd say first step, understand your people and how they work. What's their day to day, what's their workflow, where are they accessing from what are they doing? What applications, right. Really start to know your, your users and who they are and what they need implement cybersecurity awareness training programs. There are some phenomenal companies out there that offer these out of the box. But very important that cybersecurity awareness is ongoing. It's not just the month of October, right. But it's throughout the year. Another thing I, I would recommend strongly is get champions maybe a couple of them, especially across non-IT departments. And one champion I'd recommend getting is somebody on the Csuite or the C level, because oftentimes it's the executive team that are the ones that say, I don't, you know, need this new control or this controls getting in my way. I, and so getting a champion that speaks kind of the business language can help you translate and share the information is really, really important. We talked about authentication options, right? Especially biometrics as is the most secure and convenient way to do authentication, make sure you're considering that. And then the last advice is also include things like single on or self service password reset to completely eliminate passwords as much as possible and give people options to help manage them on their own.
All right. And with that, we conclude this episode of IAM pulse. Thank you for listening to the show. If you wanna learn more about how we can help perfect the balance between security and convenience, go to www.bio key.com. Again, thank you to Kim for joining joining me today. And with that, we wrap off talk to you all soon.