Security managers must put usability first

Complex access controls and the extended enterprise can create new problems

IT security bosses need to think more about users when rolling out security systems, according to experts at the Gartner IT Security Summit this week.

Presenting the opening keynote, research vice-president Ant Allan said that if it is too complicated for users to remember how to use a security system, or the system inhibits their work, they will “find a way around it”, which will probably weaken safeguards.

“Investing in technology that makes security transparent to users or that gives them something back gives them a greater incentive to be secure,” he argued. “Awareness-training…won’t address all the risks.”

As an example, Allan said that if firms ask users to remember many longer, and therefore more secure, passwords, users would probably write them down. But if firms introduce single sign-on technology, users would only have to remember one password, which is more manageable because it enables access to all their systems.

Allan added that because of the way firms now do business, partners, various parts of the supply chain and other people may all require access across multiple systems.

Recent research by managed security specialist Cybertrust found that a third of companies had faced a security problem caused by partners, due to a third party taking over some of their business processes and being granted network access.

According to Cybertrust’s product manager, Jen Mack, one problem is that most firms do not have any way to assess the risk profile of their outsourcing providers or other business partners. Such assessments could help firms decide who to do business with, and help them provide third parties with security criteria they must meet, she added.

“[Problems range from] not keeping patches up to date to unauthorised network access and data theft,” said Mack. “[Third parties could be] business partners, suppliers or vendors: anyone with access to a firm’s information – the extended enterprise is a fact of life for business in this day and age.”