Enterprises around the world face more security issues every day. As a result, organizations are looking to improve their security measures. One of the fundamental parts of security is ‘Availability’, which ensures reliable and timely access to data and resources for authorized individuals. Protection mechanisms must be in place against inside and outside threats that affect the availability of data and the productivity of users.
This sounds easier to accomplish than it is in reality. Striking a balance between security and user productivity is a critical task for security professionals. End users may not be aware that following the organization's various security measures is necessary to prevent serious data breaches. The more compliant an organization is, the stronger its IT security. On the other hand, this automatically decreases user productivity. Keeping a balance between security and user productivity is a perennial challenge.
One way of achieving this is to grant users least privilege, in other words, to allow users access only to what they need for their work. This seems to provide a better solution, but it may result in lower productivity and frustrated employees. For example, if an employee is missing access to a resource, the organization’s security policy may mean it takes days to grant that access, which may lead to missed deadlines.
In this case, the frustrated employee may look for alternatives that avoid the security controls, because his or her goal is always to meet the deadline. Another example is password management. If the security policy forces employees to change their passwords frequently, they may end up keeping a sticky note on their PC to remember them, which leads to a security breach. If they forget their passwords, they will end up calling the helpdesk for a reset, which decreases user productivity.
The main idea here is to keep a good balance between security and user productivity. Neither should undermine the other. A security professional should not blindly follow industry best practices; instead, one should think twice, in light of the organization's needs, before enforcing any security policy. Think about whom the policy will affect, to what extent, and how it will affect the end user.