Security vs. Productivity

Must they always be diametrically opposed?

January 29, 2014

Security always seems to hamper productivity. So much so that some executives even refer to information technology (IT) security as the “business prevention department.”

Employees hate the extra burdens, but the need to protect your credit union from risk has never been greater.

“This is the battle that IT always has,” says former credit union IT professional Christopher Barber, now the chief technology officer at American LegalNet. “Most users want no security until their data is breached, then they want to yell at IT for not having proper security in place. You don’t need security until you need it.”

SIDEBAR:

Security and productivity frequently have goals that seem to work against each other, but they don’t have to always be diametrically opposed, says Andrew Jaquith, chief technology officer and senior vice president of cloud strategy at SilverSky—formerly Perimeter eSecurity, and a CUNA Strategic Services alliance provider.

It might take some creativity, but credit union leaders can improve productivity while keeping member information and critical processes secure.

“Most organizations think about security considerations first and then they think about how that might affect productivity,” Jaquith says. “Rarely does an organization think about how security and productivity might work together and reinforce each other.

“Security’s job is oft en to say ‘no,’ ” he says. “That can create frustration. You have to let information flow as freely as possible. But you also have to keep it out of the wrong hands and stay in compliance with regulations. That’s not easy.”

Organizations have ambitious growth plans, but they also face a growing number of high-tech and low-tech security threats. And, coming out of the recession, budgets are tight and organizations are understaffed. That makes security even more difficult.

If you’re in charge of security, says Jaquith, the key is to put yourself in your co-workers’ shoes.

Uncover the “friction points” in employees’ everyday tasks and find ways to get employees to choose the right option intuitively, Jaquith says. In other words, design work processes that prompt employees—through incentives or defaults—to choose the most secure way of performing a task.

Do everything you can to make security a side effect of normal business activities, he says.

Involve your employees

Whatever balance your credit union strikes between productivity and security, involve your employees, says Robert Reh, chief information officer for $401 million asset Nassau Financial Federal Credit Union in Westbury, N.Y.

After all, a productivity burden for employees might be a service burden for members.

“Most of what we do has an impact on providing services to our members as well as our employees,” he says.

That leads the credit union to do things like install security updates or software patches at night so as to not affect operations.

Inevitably, however, employees will face some security burdens. That’s when it’s important to engage, explain, and educate, Reh says. It can lead to better security compliance.

“Get employees involved from the beginning and make sure they understand why you’re doing something and let them have some input, if possible, on what you’re planning to do,” he says. “If for some reason it’s going to add some burden to them, at least they’ll understand the reasons why.”

Rethink passwords

Company policies that require complex and frequently changing passwords generally don’t improve security. They can, in fact, actually weaken it.

Get rid of password expirations, Jaquith suggests. Many security researchers say password aging is a massive waste of time. Requiring employees to change their passwords every 30, 60, or 90 days annoys them and encourages them to adopt less-secure practices that undercut the effectiveness of the safety measure.

“Employees will write passwords on sticky notes, reuse the same password everywhere, or make the absolute smallest change to their passwords just to comply with the policy,” Jaquith says.

Longer, more complex passwords that don’t change are more secure. They aren’t easily broken and, after employees commit them to memory, the passwords become second- nature instead of annoying hurdles.

Research also indicates that fewer passwords are better than many passwords. The more passwords you require employees to remember, the more likely it is that they’ll adopt unsafe work-arounds to “game the system,” Jaquith says.

For some basic but effective employee security software, Jaquith suggests single sign-on (SSO) technologies or integrating authentication into Microsoft ’s Active Directory.

Simplifying access for most employees will simplify processes for your IT staff . You’ll better enforce password policies and shut down threats to applications and infrastructure more quickly if a breach occurs.

Preventive measures

A simple way to improve security of valuable information is to create an enclosed environment with terminal servers. Terminal servers let users access applications and data from remote computers over a network while isolating highly sensitive information and keeping it off end points like employee laptops.

This is sometimes called the ‘glove box’ strategy because data and applications are all remote, which keeps sensitive information off of employees’ laptops, Jaquith says. The strategy is secure and doesn’t inhibit productivity.

“If you do this well and provide plenty of processing power and bandwidth to the server, employees will want to use it,” says Jaquith. “It will feel like a natural part of employees’ work flow.”

Once your system is set up, assign your data to one of three categories: unclassified, internal-only, and restricted. Don’t worry about the unclassified information, rely on managers to protect internal information. Focus your energies on the restricted data.

When trying to figure out a data set’s level of sensitivity, ask yourself if the theft of that data would mean:

Answering those questions should help you determine the sensitivity level. “It’s always good to be honest with yourself about risk levels,” Jaquith says.

Most malware infections enter your systems through employees’ use of Internet browsers, so it’s important to take steps to reduce that vulnerability.

Security managers can take precautions like preventing ads because ad networks sometimes can be infected. Another precaution is to block active content that uses active scripts such as Flash, Java, and other active plug-ins if they’re not essential to your operations.

These steps can improve system performance, reduce security problems, and eliminate a major source of annoyance. “Who doesn’t want a faster browser,” Jaquith asks. “It’s a case where there are positive incentives to practice good security measures.”

Best security practices

“The best security is ‘no load’ and ‘inescapable,’” Jaquith says, quoting computer security expert Dan Geer. No load means no burden, and inescapable means baked into software or processes.

“We’re all well-intentioned people,” Jaquith says, “but sometimes we can implement policies in a way that encourages the wrong behaviors because end users find them onerous and try to avoid them.”

To help security and productivity fit well together, Jaquith offers these general recommendations:

“The goal is to enhance security and enable business operations,” Jaquith says. “At the very least, operations should move along just as smoothly and quickly as it did before the adoption of security measures,” he says.

CRAIG SAUER is Credit Union Magazine’s assistant editor. Contact him at 608-231-4027, or @CUNACraig.