Employees That Circumvent Access Introduce Risk
We are not a patient society, and we are made less patient as technology continues to evolve. Productive business operations thrive on faster internet connections, faster computers, faster applications and so on. What isn’t fast is cybersecurity. The steps and solutions required to ensure users, networks and data remain safe add time to processes, and that makes them inconvenient.
This extra time isn’t insignificant. According to a study from StrongDM that examined worker productivity and security, 73% of respondents said it takes 15 minutes or more to gain access to the infrastructure, and just over half of the 600 DevOps professionals surveyed said they missed deadlines due to that lack of access.
“Access controls often limit an employee’s ability to get their job done, especially when their tasks involve novel activities that go beyond the scope of their predefined roles,” explained Sounil Yu, CISO at JupiterOne.
These limits lead employees to search for the path of least resistance, and that leads to a higher risk of a data breach.
Frustration with Access Rules
When employees bypass an organization’s access controls, it is rarely done out of malice. It’s often because access systems are difficult to use and create friction for the user, according to Darren Guccione, CEO and co-founder at Keeper Security. Too many systems are built on static rules and roles rather than adapting to user needs and changing situations.
Plus, users want to have full control, something that shifted during the pandemic. According to research by Cerby, 92% of users want full control over the applications needed for work, and interpret not having full access to that application as a lack of trust. “This COVID-fueled direction under urgency to ‘make it work’ has become an entrenched part of the new world of work—and employees and managers alike want to continue with this new approach,” the Cerby report stated.
If an access system isn’t easy to use or doesn’t offer the level of access the user wants or thinks they need, they’ll bypass the security controls put in place, and that creates additional risk.
“It is imperative that cybersecurity software companies create products that unify ease-of-use and security,” Guccione said in an email interview. “Making elegant cybersecurity products for end users radically increases adoption and, accordingly, improves an organization’s cybersecurity defenses.”
Using IAM Solutions to Reduce Risk
When it comes to controlling access, the least-privilege principle is easy to apply, especially when one also practices the principle of least functionality. This involves defining narrowly scoped roles for each job function, said Yu in an email interview.
“This approach generally works for employees with low-skill jobs, but for employees with high-skill jobs, we often give them more autonomy to gain new skills and be innovative,” Yu explained. “These are the employees that often find themselves circumventing access controls because they are just trying to get their job done.”
When least privilege alone doesn’t work, an IAM solution should keep users on the path of following access controls rather than working around them.
“IAM is the nucleus and most critical component of any cybersecurity technology stack,” said Guccione. “Properly implemented, employees will be relegated to authenticate via the IAM solution adopted by the organization.”
When IT admins roll out an IAM solution, Guccione added, it’s important for them to cover all the major use cases such as SAML-based apps, password-based applications and access to infrastructure.
“If they don’t cover all their bases, users will circumvent the process,” Guccione stated.