Security Without Friction
It’s not uncommon for organizations to deprioritize security as it’s a cost center and is typically associated with negative effects on productivity. Many organizations equate security measures with increasing friction and frustrating work-arounds — resulting in Sisyphean uphill battles to introduce or change security measures. Just as no one likes TSA lines, no business wants to put operations at the mercy of security to the point of impacting productivity.
So, is security without friction possible? Are organizations doomed to forever choose between security and productivity?
Here’s what we’ll cover in this blog post:
- How Much of a Priority is Cybersecurity?
- How to Make Security Align With the Organization’s Interests?
How Much of a Priority is Cybersecurity?
In the beginning, the Internet was created. This has made a lot of hackers very rich and been widely regarded by IT security professionals as a bad move.
Prioritization is all about value, and how valuable security is depends on how much you have at stake. IBM’s Cost of a Data Breach Report 2021 offers this cost breakdown for organizations that have a data breach:
Data breaches have reached the highest average cost this year at $4.24 million USD. As ransomware attacks also increased in frequency by 151% for the first 6 months of 2021, all companies — large or small — are finding themselves a target of cybercrime. The industry has arrived at the point where insurance companies are starting to offer cybersecurity insurance.
Cyber insurance is important to the financial well-being and future of your small business. A single claim can be costly and difficult to overcome on your own. Cyber security insurance helps reduce the potentially devastating effects of a claim. It can cover costs related to IT forensics investigation, data restoration, legal liability and customer notification.
Source: Progressive Commercial
At time of writing, insurance is roughly $1,500 a year based on a liability limit of $1 million with a $10,000 deductible, so depending on your business’ needs this can be quite costly. When you consider that the insurance premiums will be costlier if your organization has bad security hygiene, ensuring that the organization starts with a tight stance on security starts to make sense.
Yet even the best insurance policy only mitigates the business impact — it doesn’t address the underlying aspects that led to your organization suffering from cyberattacks. Insurance is not an alternative to poor security. Much like a health insurance policy, it exists to protect an insured organization from catastrophic loss. If you find your organization is using that insurance policy, the problem might be more deep-rooted than you think.
Security Breaches Are Expensive in Multiple Ways
Security breaches are just costly: the cleanup is messy, embarrassing for the brand, and customers churn. Additionally, there’s also the lingering shadow of doubt that bad actors installed a backdoor while they were in your system. For many organizations it is a more economical solution to invest in cybersecurity measures than to ignore them. To understand how much financial impact there is, let’s look at a quick breakdown of the costs provided by IBM.
“Lost business continued to represent the largest share of data breach costs for the seventh year in a row. Of the four cost categories, at an average total cost of $1.59 million, lost business accounted for 38% of the average total cost of a data breach. Lost business costs include:
– business disruption and revenue losses from system downtime,
– cost of lost customers and acquiring new customers,
– reputation losses and diminished goodwill.
The second most costly [category] was detection and escalation costs, which had an average total cost of $1.24 million, or 29% of the total cost. The other cost categories are notification and post data breach response.”IBM’s Cost of a Data Breach 2021
And those are just the tangible costs. Intangible costs can include anything from stock price losses to the opportunity costs of replacing lost business.
Once you’ve experienced a data breach, how are you going to convince customers that their data is safe with you going forward?
Finally, the organization now needs to overcompensate on security to prove to internal and external stakeholders that a breach won’t happen again, which results in increased friction — the very productivity-killer the organization was hoping to avoid.
And that business cost makes up just 38% of the overall average cost of a breach, which is rising every year. IBM’s report leaves no room for doubt about IBM’s position on a mature security posture:
Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report. Costs were significantly lower for some of organizations with a more mature security posture, and higher for organizations that lagged in areas such as security AI and automation, zero trust and cloud security.
But once again, decision-makers are usually measured by productivity and growth. When security measures start to impact productivity for either management or end-users, it is security that will be circumvented at the first opportunity. This disregard for upholding cybersecurity best practices increases the likelihood that the organization will eventually pay the bills. In the worst case scenario, security practices will be ignored entirely, offering bad actors their windows of opportunity. You never want a security system that your users themselves want to overcome.
How then, can organizations retain cybersecurity best practices without impacting their operations?
How to Make Security Align With the Organization’s Interests?
Security measures should work in concert with user behavior instead of forcing end-users to work around security. By shifting security away from impacting productivity, organizations can secure their cake and eat it too.
Achieving this doesn’t necessarily involve redesigning the organization with a different architectural workflow. Security can be enabled more simply by tooling that directly improves productivity by securing existing infrastructure and enabling remote work to be secure. The ideal solution future-proofs the organization’s operations against unforeseen real-world impacts (such as a global pandemic), ultimately improving the operating capabilities of a business.
Security should go with user workflow, not against it.
First, let’s take a look at what users want with regards to accessing your organization’s internal infrastructure:
- Work from anywhere — Good security tools make your business more resilient to unexpected events like global pandemics, allowing operations to continue unimpeded by security concerns.
- Ease-of-adoption — Users are resistant to changing their accustomed work patterns, so implement nonintrusive security that works with existing job flows.
- Speed — No VPN to do backhauling or split tunneling and experience connection drops.
- Self-sufficiency — Users should be able to get access without jumping through hoops or waiting to submit a ticket to whomever is in charge of granting access privileges.
And let’s take a look at what the organization wants:
- Provisioned access to internal and external teams — Enable internal developers to self-manage so they can focus on business application needs, not reinventing authentication and authorization.
- Support for any platform and adds access control to any application — No organization wants to risk extended operation downtime to implement a new system, so why not have a system that works on what you already have, including legacy applications?
- Improved security model — Every request for access is repeatedly validated for appropriate user identity, device state, and context without impacting the user.
- Unified access and authorization policy — Any system should work at scale, cybersecurity included.
What the users and organization both want aren’t mutually exclusive goals and desires. Users can be productive in their roles without being burdened by the organization’s need for secure access. This state — security without friction — is an achievable and desirable end-goal for organizations of all sizes.
Check out this post on building a culture of cybersecurity awareness in organizations.
Because organizations traditionally think “We would like to implement better cybersecurity measures but the cost of transition and implementation are cumbersome,” that’s where a tool like Pomerium comes in.
How Pomerium Helps Organizations Stay Secure
Pomerium is an open-source platform for managing secure, identity aware access to applications and services. Organizations can easily deploy Pomerium with their existing infrastructure to adopt a secure, identity-driven access to their internal services. IT management teams can easily use Pomerium to provision access and ensure security for all users without sacrificing productivity. Context-aware access is increasingly necessary as the workforce shifts to remote-work and organizations open their internal infrastructure up to the dangers of the internet.