5 ways users circumvent security measures and how to prevent it

Workers usually choose convenience over security, especially if you force them to jump through too many hoops. But there are steps you can take to shift the balance back in security's favor.

As a cybersecurity expert, Richard White supports locking down sensitive data to keep it out of the wrong hands. On the other hand, he says, companies go overboard with restrictions.

Those excessive restrictions can be self-defeating if they lock out workers, too, making it hard if not nearly impossible to do their jobs efficiently. So, they find workarounds. It’s a scenario that slows productivity and, ironically, puts the data itself in jeopardy.

White points to a specific incident he witnessed at one office: A worker took a photo of protected information on his computer screen so he could take it with him to finish a job. “If security measures are overly complex, the first thing users are going to do is look for a way around them, and then the security measures completely fail. It’s imperative that cybersecurity professionals really take a look and tailor their policies and procedures and technology based on what the actual security risks are. It has to be a justifiable mix of rational security measures and what the users are trying to accomplish,” says White, author of Cybercrime: The Madness Behind the Methods and managing director of Oxford Solutions.

Cybersecurity teams don’t need to overhaul their operations to achieve a better balance of security measures and usability, White and other experts say. They can instead start by addressing several common areas where workers tend to sacrifice security for productivity.

Complex password requirements

Passwords are a security staple, yet security officials say organizations have created password policies so complex that passwords have lost their protective power and become vulnerabilities instead. These policies often require workers to have overly long passwords with too many required features (e.g., upper- and lowercase letters, numbers and symbols along with a minimum number of characters). They also often require workers to change their passwords at least every several months.

As a result, workers write their passwords down or, perhaps even worse, store them in a computer file in order to remember them. White says he worked with one company that had suffered an external hack, which was traced back to a worker with administrative-level credentials who had stored his passwords in an electronic file. Although it’s unclear what role the stored passwords played in the case, White says it certainly highlights the problem.

Of course, White and other security professionals say, passwords still have their place. They recommend organizations be smarter with their password policies and limit the complex requirements to more reasonable levels.
