The Security and User Experience Balancing Act
As organizations increase their dependence on remote working and collaboration, end-user experience is more important than ever. User experience (UX) includes a wide range of topics, including hardware platform, operating system, applications, software integration, training, and ongoing operations and policy management. Applications now place UX front and center, a massive change from legacy systems.
However, there continues to be tension between the goal of IT risk management and excellent user experience. Security and compliance requirements invariably increase endpoint complexity, decrease performance, and detract from an employee’s ability to focus on the job at hand. And this tension is getting worse: cyber breaches are increasing, creating pressure for ever-more intrusive security.
Security Awareness Training: Problem or Solution?
Security Awareness Training (SAT) sits at the intersection of security and user experience. SAT attempts to mitigate the fact that humans are the weakest link in the security chain. SAT’s main goal is to defeat social engineering attacks by training employees to spot and report such attempts, rather than fall victim to them. This includes a particular focus on recognizing phishing attacks. Unfortunately, SAT negatively impacts user experience in several dimensions:
- TIME Initial and ongoing training consumes valuable staff time.
- STRESS SAT requires staff to act as human “security sensors”, which puts a lot of pressure on people to accurately and reliably identify attacks, which is an unrealistic expectation.
- EFFECTIVENESS Because staff are (rightfully) fearful that they may let an attacker in, they will shy away from engaging with correspondence, web properties, and new applications because they fear making a mistake.
So while SAT may be seen as a “necessary evil”, we need to consider the possibility that there’s a better way to reduce risk with less negative impact to user experience.
Advanced Threat Isolation: Better User Experience and Security
Rather than depending on humans and Security Awareness Training, a better approach is to use a technology-based, integrated solution. In this approach, the hardware, OS, and security policy enforcement work together to form a defensive environment impervious to malware. Such a solution contains endpoint attacks and prevents them from infecting the PC, or anything else on the network via lateral movement. It also provides detailed security forensics data that informs policy and control strategies. In this scenario, we do not depend on our employees to be accurate, reliable “phishing detectors” and instead leverage scalable, reliable technology. This approach has several benefits.
- BETTER USER EXPERIENCE AND PRODUCTIVITY Because employees no longer have to act as human sensors, they can better focus on their jobs. They will be more effective contributors towards digital transformation, as they won’t fear the broader ecosystem of people, technology, business interactions. And job satisfaction will increase, as staff no longer must do repetitive phishing exercises or worry about making a mistake that takes down the entire company.
- MORE EFFECTIVE SECURITY TRAINING Employee security training can be re-factored to include a broader set of topics, improving overall risk management. Areas such as data privacy regulations or social media etiquette and risk are obvious candidates, as are specific subjects relevant to the business (e.g. industrial OT security).
- ENHANCED SECURITY Hardware-enforced threat isolation of user interactions is more effective at stopping social engineering attacks than “human sensors”. Full-stack security integration provides accurate data on user interactions providing more consistent, normalized threat intelligence data that is easier to analyze and action.
HP Sure Click Enterprise: Improving User Experience Through Threat Isolation
HP’s approach to endpoint threat isolation is centered on the HP Sure Click Enterprise (SCE) solution, which places each user task in its own micro-virtual machine. This traps and isolates malware that may be trying to get in via common user actions like clicking on a link or opening an attachment. This isolation is enforced in hardware by the PC’s CPU, so malware can’t escape. And when the task is completed, the micro-VM is deleted, permanently removing the malware from the PC. HP Sure Click Enterprise is transparent to the user, provides threat intelligence to the Security team, and even works on non-HP PCs.
Summary
Cyberattacks that rely on social engineering have been commoditized, making this type of threat easy for attackers to use. State actors are retooling with Artificial Intelligence and machine learning methods, rendering legacy endpoint anti-virus ineffective. The result is a preponderance of social engineering based cyber-threats, forcing organizations to put an unrealistic responsibility on their users to avoid them. This approach has an unacceptable level of user experience degradation, and isn’t particularly
effective.
By moving to hardware-enforced threat isolation to detect and defeat social engineering attacks such as phishing, IT teams can
immediately improve user experience, increase the value of security training, and reduce risk. Leveraging the security capabilities
of the most common CPU platforms differentiates this approach from software solutions, which are always vulnerable to
compromise from a lower level of the stack. Therefore, this approach is advisable for any organization concerned about
maximizing employee engagement, flexibility and retention.
