How can IT leaders strike a balance between security and customer experience?

1.4k views, 4 comments
CIO in Telecommunication, 4 years ago

There are two things that we always focus on. One is: what are we doing about wider protections against attacks, and anything coming into or leaving our environment? That is more or less transparent to any of our users because they don't see it; it's more of a back office function.

The second focus is the user aspect: how well are we protecting our endpoints? Endpoints could be laptops or mobile devices that our users are on. When the user performs any activity, whether it’s opening phishing emails or not, what kind of defense mechanisms do we have? We run our internal phishing simulation campaigns every few months and there is a percentage of the population that will always click on them. So security conflicts with user productivity solely where we put those endpoint protections. There has to be a balance: do you want to put in so many restrictions that users will complain, or are there other ways that are transparent while still protecting your assets?

vCISO and COO in Software, 4 years ago

My approach is security by obscurity—I don't want anybody to notice it, except for the MFA. Anything beyond that, I don't want them even to see it. When I was at a former company, FireEye had a service where they sandboxed all your links, so I got Zscaler. I created scripts, etc., to auto-cure Zscaler when it broke so people wouldn't get disrupted. That was big because no matter how much awareness training we did, if I sent out a fake phishing email then everyone would click on it, so I knew they would click on a real one.

Then I had a Rapid7 tool that blocked impossible logins. It would tell me where somebody's logging in from, what they're logging in to, time, date, what kind of machine, etc. And I had a cloud access security broker (CASB) solution, where when somebody quit and started downloading all their stuff out of Box, I would just cut off their account automatically if there was any anomaly from their normal daily behavior. All this stuff was automated, and nobody really saw it unless you were trying to steal.

2 Replies

no title, 4 years ago

Finding ways for customers to protect themselves from their own idiocy is the best way for us to apply security.

no title, 4 years ago

When users click on a phishing simulation, we give them a mandatory 10 minute cyber security course, but there are still repeat offenders. You should always go with the assumption that at least someone in the organization is going to click on a phishing email, however well you train them or raise their awareness.

We do external assessments to rate our overall security posture, and now we also bring someone in to try to breach our environment, send out a phishing campaign, let one of the accounts get compromised and see how far they get. If they're able to get through our protections, then there are gaps in our security and we need to work on those.

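The vCISO's post above describes two automated, user-invisible controls: blocking "impossible" logins and cutting off an account whose download volume breaks from its daily baseline. As an added illustration (not code from any poster here, and not from any Rapid7 or CASB product), the following Python shows the detection logic behind both, run over constructed login events and constructed daily download totals. The coordinates, usernames, source names and thresholds (900 km/h, z-score of 3, 500 MB floor) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass
class Login:
    """One authentication event, already geolocated (assumed done upstream)."""
    user: str
    ts: datetime
    lat: float
    lon: float
    source: str  # constructed label for the system logged into


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0):
    """Flag consecutive logins by the same user that would require travelling
    faster than max_speed_kmh (roughly airliner speed). Returns a list of
    (user, previous_source, current_source, implied_speed_kmh)."""
    by_user = {}
    for ev in logins:
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if hours <= 0:
                # Same timestamp from two places is impossible unless same place.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append((user, prev.source, cur.source, speed))
    return alerts


def download_anomaly(baseline_mb, today_mb, z=3.0, floor_mb=500.0):
    """True when today's download volume exceeds the user's own baseline by
    more than z standard deviations AND an absolute floor. The floor keeps a
    near-constant baseline (tiny stdev) from alerting on trivial increases."""
    if not baseline_mb:
        return today_mb > floor_mb
    threshold = mean(baseline_mb) + z * pstdev(baseline_mb)
    return today_mb > max(threshold, floor_mb)


def _utc(hour):
    # Constructed timestamps, all on one day.
    return datetime(2024, 3, 4, hour, 0, tzinfo=timezone.utc)


# Constructed sample: alice "appears" in New York and London an hour apart;
# bob drives from New York to Boston over three hours.
SAMPLE_LOGINS = [
    Login("alice", _utc(9), 40.71, -74.01, "vpn-nyc"),
    Login("alice", _utc(10), 51.51, -0.13, "webmail-lon"),
    Login("bob", _utc(9), 40.71, -74.01, "vpn-nyc"),
    Login("bob", _utc(12), 42.36, -71.06, "vpn-bos"),
]

# Constructed baseline of daily Box download totals (MB) for one user.
SAMPLE_BASELINE_MB = [120, 95, 140, 110, 130, 100, 125]


def run_sample():
    """Run both detectors on the constructed data and return their verdicts."""
    travel = impossible_travel(SAMPLE_LOGINS)
    bulk_pull = download_anomaly(SAMPLE_BASELINE_MB, 4800)   # mass export
    normal_day = download_anomaly(SAMPLE_BASELINE_MB, 150)   # busy but plausible
    return travel, bulk_pull, normal_day


if __name__ == "__main__":
    travel, bulk_pull, normal_day = run_sample()
    for user, src, dst, speed in travel:
        print(f"impossible travel: {user} {src} -> {dst} ({speed:.0f} km/h)")
    print("suspend account for 4800 MB pull:", bulk_pull)
    print("suspend account for 150 MB day:", normal_day)
```

In practice the action on a hit (block the session, suspend the account, or just raise a ticket) depends on the confidence of the geolocation and on the user's role; a per-user baseline like the one above is what lets the control stay invisible to everyone except the account that suddenly behaves differently.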
