Zero trust has become the go-to security model in the modern enterprise, moving from a buzzword to one of the foundational principles of digital transformation – a meteoric rise in just a few short years. And for good reason, given the scale of threats that emanate from inside the business – with user error among the weakest links.
That said, there have been some teething issues and challenges with focusing on the human element. Indeed, with zero trust implemented across enterprises at pace, employees may feel they’re encountering more barriers, and that the critical applications they use may even be slowing down. For example, employees may begin to feel jaded at having to verify their identities with multi-factor authentication (MFA) every day.
One of the fears of adopting zero trust has been a seemingly inevitable compromise on the user experience (UX) of employees across the business that comes with more controls and greater layers of protection. But does it really have to be that way?
How modern cyber defenses are evolving
“A completely secure system or network is a fallacy, at the rate at which our world is changing this is nothing but a fleeting dream,” director analyst at Gartner, Deepti Gopal, tells ITPro. “The dialogue has changed from chasing a dream of being fully secure to developing more resilient systems.”
She cites Gartner research published this year that found 67% of CEOs and senior execs want more technology work done within business functions or departments, and less in IT. “These are clear signals that we have to change the way we approach cybersecurity and focus on building resilient systems and resilient teams.”
Given the constant threat of attack and the rich variety of attack vectors and attack types, it’s no wonder that businesses have needed to adapt and iterate on the cyber security procedures and policies of yesteryear. There are many steps and measures businesses can take, and the right mix depends on size and sector. A good model for all to follow, however, is the Cybersecurity Framework from the National Institute of Standards and Technology (NIST), which is working on the framework’s second edition.
The draft framework includes provisions that focus on protecting critical infrastructure, as well as highlighting the importance of senior leadership in a business’ security strategy. In this vein, the five staple pillars of the framework – identify, protect, detect, respond, and recover – are joined by a sixth: govern.
When considering these pillars, there are multiple individual constituent steps that businesses can take. Some of these include MFA, as previously mentioned, but also network micro-segmentation, strong authentication, single sign-on (SSO), and others. All of these fall under the umbrella of zero trust, but on their own they are just controls: they only deliver zero trust when applied in conjunction with its core idea, that no user or endpoint is implicitly trusted because of where it sits on the network, and that every access request is authenticated and authorized on its own merits.
Enterprises can take it one step further and consider trusted access, which incorporates user verification, endpoint health, and endpoint security. There’s also least-privilege access, which is designed to ensure businesses only grant users the appropriate level of access to files and systems to do their jobs – and nothing more. While that may sound like common sense, it’s a delicate balancing act as the level of access dynamically shifts with time. No matter the route you choose, the direction of travel is clear. But that also means potentially more hurdles for users who just want access to the tools to get their work done.
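The following is an added example, not code from the article or from any vendor named in it, showing how the controls above (user verification, endpoint health, least privilege) combine into a single access decision, and how a risk-based policy keeps the UX tolerable: a healthy managed device with reasonably fresh MFA is let through silently, while stale MFA, a degraded device or a sensitive resource triggers a step-up prompt or a denial. The data model, the thresholds and the scenario data are all assumptions constructed for illustration; a real deployment would take identity from the IdP, posture from the MDM or EDR agent, and resource sensitivity from a catalogue.

```python
"""
Risk-based zero trust access decision (illustrative example, not from the article).

Assumptions: the dataclasses, thresholds and scenarios below are constructed
for the example. Real identity, device posture and resource data would come
from the IdP, endpoint agents and a resource catalogue.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # no prompt; the user notices nothing
    STEP_UP = "step_up"    # a fresh MFA is required before access
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in MDM / carries an EDR agent
    disk_encrypted: bool
    os_patched: bool       # within the patch SLA
    edr_healthy: bool      # agent reporting, no active detections

    def healthy(self) -> bool:
        return all((self.managed, self.disk_encrypted, self.os_patched, self.edr_healthy))


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    last_mfa: datetime     # time of the last successful MFA in this session
    authenticated: bool = True


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str       # "low" or "high"
    required_role: str


# Least privilege: a grant is time-bound and re-evaluated when it expires.
GRANT_TTL = {"low": timedelta(hours=8), "high": timedelta(minutes=30)}
# How stale MFA may be before the user is prompted again, per sensitivity.
MFA_MAX_AGE = {"low": timedelta(days=14), "high": timedelta(hours=1)}


def decide(session, device, resource, now=None):
    """Evaluate one access request; return (Decision, reason, expires_at or None).

    Every request is evaluated regardless of network location. Prompts are
    issued only when the risk calls for them.
    """
    now = now or datetime.now(timezone.utc)
    if not session.authenticated:
        return Decision.DENY, "no authenticated session", None
    if resource.required_role not in session.roles:
        return Decision.DENY, f"role {resource.required_role!r} not held by {session.user}", None
    if not device.managed:
        return Decision.DENY, "unmanaged device", None
    if resource.sensitivity == "high" and not device.healthy():
        return Decision.DENY, "high-sensitivity resource from unhealthy device", None
    mfa_age = now - session.last_mfa
    if mfa_age > MFA_MAX_AGE[resource.sensitivity]:
        return Decision.STEP_UP, f"MFA is {mfa_age} old", None
    if not device.healthy():
        # Low-sensitivity resource from a degraded managed device: let the
        # user in, but only after a fresh MFA.
        return Decision.STEP_UP, "managed but unhealthy device", None
    return Decision.ALLOW, "policy satisfied", now + GRANT_TTL[resource.sensitivity]


def demo_scenarios():
    """Run constructed scenarios against a fixed clock; return plain dicts."""
    now = datetime(2023, 9, 1, 9, 0, tzinfo=timezone.utc)
    healthy = Device(managed=True, disk_encrypted=True, os_patched=True, edr_healthy=True)
    unpatched = Device(managed=True, disk_encrypted=True, os_patched=False, edr_healthy=True)
    byod = Device(managed=False, disk_encrypted=False, os_patched=True, edr_healthy=False)
    wiki = Resource("wiki", "low", "employee")
    payroll = Resource("payroll", "high", "finance")
    alice = Session("alice", frozenset({"employee", "finance"}), now - timedelta(days=2))
    alice_fresh = Session("alice", frozenset({"employee", "finance"}), now - timedelta(minutes=10))
    bob = Session("bob", frozenset({"employee"}), now - timedelta(minutes=5))
    cases = {
        "healthy_device_low_resource": (alice, healthy, wiki),
        "healthy_device_high_resource_stale_mfa": (alice, healthy, payroll),
        "unmanaged_device": (alice_fresh, byod, wiki),
        "missing_role": (bob, healthy, payroll),
        "unpatched_managed_device": (alice_fresh, unpatched, wiki),
    }
    out = {}
    for name, (s, d, r) in cases.items():
        decision, reason, expires = decide(s, d, r, now)
        out[name] = {"decision": decision.value, "reason": reason,
                     "expires_at": expires.isoformat() if expires else None}
    return out


if __name__ == "__main__":
    for name, result in demo_scenarios().items():
        print(f"{name:42} {result['decision']:8} {result['reason']}")
```

The ordering of the checks matters: hard requirements (authenticated session, role, managed device) fail closed with a denial, and only once those pass does the policy spend a prompt on the user. Extending it with signals such as impossible-travel or a new browser fingerprint fits the same shape.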
Why zero trust implementation may hamper UX
When taking such a hardline, but necessary, approach to cyber security, there will inevitably be a knock-on effect. One risk is excessive disruption, according to Nord Layer, which manifests as access problems for workforces and managers. Employees may, for example, encounter errors while accessing their user accounts or logging into systems. Privileges may not be assigned correctly and could require IT tickets to resolve.
Many zero trust strategies also fall short because they neglect the end user. Presenting new hoops to jump through, without signposting what to expect or giving appropriate training, can lead to apathy and resentment of the changes. After all, greater barriers are likely to lead to more frustration and, eventually, non-compliance, if they’re left unaddressed. In a similar vein, you can’t assume everybody will buy into zero trust just because it’s the gold standard and the C-suite feels it’s the best step to protecting the business.
Another possible challenge is that zero trust may slow down application performance. “Zero trust services naturally come at a disadvantage when it comes to performance: they automatically add an additional network hop between users and the services they’re trying to access,” writes a Cloudflare product manager for network and availability.
“That’s because there’s a forward proxy site between the user and the public Internet to filter and protect traffic. This means that the zero trust service needs to maintain connectivity with end-user ISPs, maintain connectivity with cloud providers, and transit networks that connect services that send and receive most public Internet traffic.”
How to guarantee a streamlined employee UX
There’s no good in implementing technical controls, says Dr Ilia Kolochenko, a cyber security and cyber law expert and CEO of ImmuniWeb, without adequate training. “Technical controls will bring more harm than good if implemented without proper education of end users.
“Users deserve friendly training that would convincingly explain why all these security controls – that most users may reasonably perceive rather as a hindrance – are really needed to protect their company, their colleagues, and even themselves.”
He says once they accept that such controls are needed, even more training is needed to convey how to use them efficiently. Some businesses, he warns, may be tempted to impose technocratic training – but it really pays to offer some kind of reward for engagement, such as company-wide recognition in some way.
“Security awareness is a continuous process, not an ad-hoc exercise,” he continues. “Therefore, companies really need to regularly conduct training and drills, and even organize year-long competitions, for instance, the person who spots the highest number of phishing emails will get a valuable prize, while other top 10 reporters will get some financial bonuses.”
The best approach is to understand the needs of end users, he concludes, and to make sure all their requirements to use digital equipment are met. “And then,” he adds, “implement full automation for everything, while making sure that security controls cannot be bypassed or at least such attempts are detected and contained in a timely manner.”
Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.