• United States



UK Editor

Accessibility should be a cybersecurity priority, says UK NCSC

News Analysis
May 19, 20236 mins
CSO and CISORisk Management

Cybersecurity training, controls, and requirements that are inaccessible, especially to those with disabilities, can make businesses less secure and more vulnerable to risky behaviour.

The UK National Cyber Security Centre (NCSC) has urged businesses and security leaders to make accessibility a cybersecurity priority to help make systems more secure and human errors/workarounds less likely. It can also aid in meeting legal requirements, delivering better operational outcomes, and attracting and retaining more diverse talent, according to the NCSC.

However, there are various examples of cybersecurity being presented in a way that is inaccessible for a lot of people, particularly for those with disabilities, the NCSC wrote in a new post on its website. This has negative effects on both businesses and employees, including making systems less secure, hindering security awareness, and limiting access to diverse skills.

It is therefore key for businesses and security leaders to recognise and respond to the need to consider accessibility as a security requirement that can help organisations get on top of their human cyber risk while cultivating a more inclusive culture and allowing themselves to make the most of a more diverse talent pool.

Factors that make cybersecurity inaccessible

Cybersecurity can often be inaccessible in a number of ways, read the post. These include:

  • Awareness campaigns, training, or security policies that are not in accessible formats or written in simple, accessible language leave people lacking the knowledge they need of how to do their jobs securely.
  • Complicated interfaces, mislabelled buttons, ambiguous link text, or audio-only/visual-only warnings make human errors more likely.
  • Colour schemes of “red for high risk” and “green for safe” that may be inappropriate for people with colour blindness.
  • A lack of accessible feedback or error messaging when completing a configuration change may lead to falsely presuming you have implemented a security control when you haven’t.
  • Security that removes accessibility functionality might leave people needing to adopt a less-secure workaround or avoiding doing their job entirely.
  • Concerns about breaking compatibility with assistive technology or altering coping strategies might prevent users updating systems.
  • If accessible ways to recover from errors or access support are not present, then what could have been a “near miss” can quickly turn into a serious incident.

Designing security for people with disabilities increases usability

“Everyone benefits when systems are deployed where accessibility is built-in,” the NCSC said. However, people can experience diverse barriers that affect how they access information – some permanent, temporary, and situational. “In all cases, designing for people with disabilities makes things more usable for everyone. We all experience limitations based on our environment that mean that security doesn’t work for us in the way it was designed to. If that security has been designed with accessibility in mind, it will be more resilient to work as it’s really done, and less likely to fail.”

What’s more, security training is not a silver bullet, the NCSC said. “When people behave insecurely, the temptation is to treat them like we treat technology. We “patch” them by sending them on a training course, in the hope that this will fix the “vulnerability” in the system.” Training is only effective when the problem is a lack of knowledge, but if the problem is a lack of accessibility, training isn’t the answer. “People will bypass security to do their jobs if you make them. The security itself needs to be made more accessible.”

How to make cybersecurity more accessible

Companies can do three key things to help make cybersecurity more accessible, according to the NCSC. These focus on engagement, flexibility, and making accessibility a requirement rather than a separate issue.

“The best way to make security more accessible is to engage with the people who interact with it. Consult your colleagues in your security decision making processes and encourage feedback. Test new systems and processes with people with accessibility needs to discover where issues might exist.”

If colleagues need access to specific functionality or technology that might otherwise break security policies, work with them to understand their needs and manage the risks, the NCSC said. Where it isn’t appropriate to change a whole policy, have a process to enable people to raise issues. “Working collaboratively to make sensible exemptions and managing any associated risk is better than forcing people to avoid security or suffering through not being comfortable enough to raise a concern.”

Businesses do not need to dilute their security requirements to achieve accessibility, but they should be open to different ways of realising these requirements. “For example, imagine you’ve identified an asset that requires multifactor authentication (MFA). There is no “universally accessible” MFA method. One person’s preferred method might be a barrier for another. The key here is to offer enough flexibility that people can select an approach that works for them and their needs.”

Providing this flexibility has a secondary benefit in that in improves the resilience of systems, because if one method of authentication were to fail, an alternative method can provide a backup to minimise business loss, according to the post.

Lastly, treating usability and accessibility alongside other security requirements rather than a separate thing is useful to ensure it gets considered, the NCSC said. “Take time to consider which actions would have the largest impact if they were carried out insecurely or avoided, and then test the accessibility of these.”

Conduct due diligence by asking vendors or suppliers for an accessibility statement for their products, or build in a requirement for a certain level of compliance against a framework or standard such as the Web Content Accessibility Guidelines (WCAG), the NCSC advised.

NCSC’s cybersecurity accessibility advice a “great starting point”

The NCSC’s cybersecurity accessibility advice is solid and organisations of all sizes should consider implementing it, not just for those with disabilities but to help everyone in the workplace, especially when it comes to security awareness training, Lisa Ventura, founder of Cyber Security Unity, a diversity and inclusion advisor, tells CSO. “There is no one size fits all approach when it comes to cybersecurity, and as the article from the NCSC states, everyone will benefit when systems are deployed with accessibility built-in.” The example the NCSC has provided of catering to three colleagues where one is deaf, one has an ear infection, and one is working in a noisy environment without access to headphones highlights the importance of catering to everyone’s specific needs, she adds. “By focusing on meeting the accessibility needs of a deaf colleague, solutions will work and fit better for everyone.”

Accessibility should be at the heart of everything all organisations do to be as inclusive as possible, Ventura says. “If you have security measures in your organisation that aren’t accessible, your systems will be much harder for everyone to use. The advice provided is a great starting point and I hope to see it implemented by organisations, no matter their size.”

UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.

More from this author