Restoring user freedom in the security-first enterprise

As organizations step up their game to address new threats, there is one key stakeholder who often goes unnoticed: the end user

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

It's been a busy year in the cyber security arena so far, and it doesn't look like the pace will be slowing down. From hacking schemes like Heartbleed to significant data breaches at P.F. Chang's and the Montana Health Department, criminals are stepping up their game. But as organizations adapt their security strategies in kind, there is one key stakeholder who often goes unnoticed: the end user.

Most of the next-generation attacks we see today have external origins; however, they are often exacerbated by people within the organization, particularly users with administrative privileges. This is because once malware makes its way to endpoints it doesn't just seek admin privileges, it requires them to embed itself in IT systems and propagate across machines, causing destruction across the entire organization.

While full removal of admin rights seems to be the obvious solution, it introduces significant implications for end user productivity. Users often require admin rights to do their jobs, even for the simplest tasks, like downloading software or connecting to a printer. For IT organizations in particular, restricting admin rights presents users with a major roadblock to effectively (and happily) completing their tasks.

So, organizations are faced with a seemingly impossible trade off: should security be optimized at the expense of the user?

Let's say that security is top priority, as it is for most enterprises, and the organization decides to restrict admin privileges on their systems. Getting pushback from frustrated users is to be expected, but it also impacts the IT department. When users' rights are removed and they're forced to go through formal processes for application or software downloads, it places greater burden on the help desk, which then has to deal with explaining these processes and supporting the users throughout. Adding to this is the financial burden of those unnecessary service desk visits.

Organizations should strive to find a middle ground: a way to administer control over their systems while at the same time providing users with flexibility in their roles, and a positive working experience for everyone involved. Let's look at a couple of ways this can be achieved.

Least privilege management

Instead of full removal, a least privilege environment can be established where users' rights to download applications or make changes to corporate machines are limited to those necessary for the scope of their job. This means that privileges are assigned to applications instead of users, and elevated only when needed. With least privilege, employees can log into systems as a standard user instead of an admin user, which prevents attackers from gaining access to privileged accounts and makes it more difficult for malware to take control.

This not only yields security improvements, it also drives user empowerment by giving employees the freedom to install applications and manage application updates as needed. At the same time, IT should see a reduction in service requests and incidents, freeing up resources to allocate to bigger, more strategic projects.

A least privilege environment will be especially empowering for tech-savvy Gen-Yers, those that have grown up in the Internet era and are accustomed to (and even expecting) access to what they want, when they want. By providing them with autonomy over how they manage their systems, organizations will be better able to embrace and cater to this new breed of user.

Personalized Messaging

A big part of user empowerment is making users, especially those who might be less informed than the resident techies, feel as though they're tuned into IT's processes, providing them with education around the limitations of their downloads and what next steps might be required.

User Account Control (UAC) is a standard pop-up feature on most Windows machines that was traditionally responsible for doing just this. But fixed messages filled with technical jargon do more harm than good, especially when they result in repeated calls from confused users to the IT help desk or, worse still, the user clicking Continue on a piece of malware.

By thinking from a user's perspective about how those messages are presented, organizations can create more customized messaging that feels truly human, rather than an automated response. These messages might offer, for instance, multi-lingual support and corporate branding. And with localization, reasoning and help desk integration, all in terms that are easy to understand, users are not only provided with a better sense of what they need to do next, but a heightened user experience.
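As an added example that is not part of the original article, here is a constructed Python sketch of how the two ideas above fit together: elevation rights attached to applications rather than to users (least privilege), and localized, plain-language messages with a help desk contact in place of a fixed UAC prompt. The rule set, install paths, publisher names and help desk address are hypothetical.

```python
from dataclasses import dataclass

# Constructed policy for an application-centric least-privilege model: the right to elevate
# is attached to an application (install path plus signer), never to the user account.
@dataclass(frozen=True)
class ElevationRule:
    path_prefix: str   # where the approved binary is installed
    publisher: str     # signer the binary must carry ("" = any signer)
    action: str        # "elevate" (silently), "prompt" (ask, with a reason) or "block"
    reason_key: str    # key into MESSAGES for the plain-language explanation

# Hypothetical rule set; paths and publisher names are made up for this example.
RULES = (
    ElevationRule("C:\\Program Files\\ExampleVPN\\", "Example Corp", "elevate", "vpn"),
    ElevationRule("C:\\Program Files\\PrinterTools\\", "Example Corp", "prompt", "printer"),
    ElevationRule("C:\\Users\\", "", "block", "downloads"),
)

# Localized, jargon-free text in place of a fixed UAC prompt. {helpdesk} is filled in
# by the caller so the help desk contact is part of the message itself.
MESSAGES = {
    "en": {
        "vpn": "The corporate VPN client is approved and will start with the rights it needs.",
        "printer": "Connecting a printer needs a one-time approval. Continue to install the driver.",
        "downloads": "Programs in your Downloads folder cannot run with administrator rights. "
                     "To request an approved version, contact {helpdesk}.",
        "default": "This program will run without administrator rights. "
                   "If it does not work, contact {helpdesk}.",
    },
    "de": {  # partial translation; missing keys fall back to English
        "downloads": "Programme im Ordner Downloads erhalten keine Administratorrechte. "
                     "Eine freigegebene Version erhalten Sie über {helpdesk}.",
    },
}

AUDIT_LOG = []  # every decision is recorded so elevation attempts can be reviewed later

def evaluate(path, publisher, lang="en", helpdesk="helpdesk@example.invalid"):
    """Return (action, user_message) for a request to run `path` signed by `publisher`."""
    action, key = "standard", "default"   # unmatched programs run as a standard user
    for rule in RULES:
        # Both location and signer must match: a file merely dropped into Program Files
        # under a trusted name does not inherit that application's elevation.
        signer_ok = not rule.publisher or publisher == rule.publisher
        if path.lower().startswith(rule.path_prefix.lower()) and signer_ok:
            action, key = rule.action, rule.reason_key
            break
    texts = {**MESSAGES["en"], **MESSAGES.get(lang, {})}
    message = texts[key].format(helpdesk=helpdesk)
    AUDIT_LOG.append((path, publisher, action))
    return action, message
```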

At the heart of any organization is its employees. To attract and retain talent, organizations must transform their working environment to reflect a user-first mentality rather than one that is IT-led. By taking a more flexible approach to privileges, organizations can harness the abilities of their more tech-savvy employees who demand greater access and power.

And with a more personalized approach to their messaging, they can improve end user education among their less technical workforce. Perhaps most important is that neither of these methods has to come at the expense of security; in fact, they enhance it in the best way possible, by transforming its practice into a more productive, positive, and empowering experience.

Stories by Andrew Avanessian