Access management should be higher on your security agenda than preventing viruses or shoring up the defences you have around your network perimeter. The reason for its importance is simple — time. When a virus gets into your system, your anti-virus will (hopefully) flag it quickly, so you can take swift action to safeguard your data. But if a criminal steals a legitimate employee’s login details and starts snooping around your systems, without the right access management tools in place, you could go weeks without knowing about it (unless an on-the-ball IT admin spots anything suspicious), by which time you may have faced substantial damage.
Are you sure at all times that anybody accessing your systems is exactly who they say they are? In our experience at IS Decisions, we’ve seen so many of our clients fall down in the same areas where access management software is concerned. So to help you, we have put together the top-five most common mistakes when it comes to managing access across your networks:
1. Taking too much time to manage it
Now, this may not seem like a huge mistake at first, but our research has found that the amount of time managing the software takes is one of the biggest barriers to adopting the technology in the first place. Of the 250 US companies we recently surveyed, 18% believe that ‘time to manage and oversee’ is the biggest barrier to adoption. Spending too much time managing the software has serious productivity implications, which means that the total cost of ownership for the tool is often much higher than you would initially think. If you can, trial the product first to ensure that it’s the right choice for you.
2. Forcing users to jump through hoops
Many access management tools use multi-factor authentication (MFA) as their basis. While MFA is undoubtedly a secure way to protect your systems, identifying users with it can be so time-consuming that it ends up impeding the end user and their productivity. IS Decisions research found that US employees waste 21.88 minutes every week because of complex IT security, which equates to 182 days a year for a firm of 250 employees and 21.9 days a year for firms with 30 employees. Organizations are, however, aware of the problem: 47% believe that complex IT security measures in place within their organization negatively impact employee productivity. Why not investigate alternatives to MFA, for example context-aware security, that are equally secure but do not impede the end user?
3. Not monitoring the right things
To become more confident that those logging in are who they say they are, you need to build a profile of that person, but IS Decisions research shows that US organizations aren’t assessing the right aspects. Nearly half (43%) don’t monitor sudden changes to working hours, 42% don’t monitor impossible ‘journeys’ like sequential logins from two locations that are vastly far apart, only 77% monitor mass file access or deletions, and 41% don’t monitor password resets. In fact, 2% of companies do absolutely nothing! If you can monitor each of these different aspects, however, the system will raise red flags if a password is being used by a cybercriminal attempting to gain access.
4. Not educating or empowering employees
While users are often the weakest link in any network security, they can also be the solution if you empower them in the right way. Education is key, but nearly a third (30%) of organizations do not train their employees on information security, so you can hardly blame employees for clicking on phishing links and inadvertently handing over access to a third party. Once you’ve put an education programme in place, follow that up by ensuring that your access management software can automatically send an alert to an employee when it suspects their password has fallen into the wrong hands. Warning employees will prompt them to change their password quickly to mitigate any damage.
5. Prioritising convenience over security
When we asked if their organization prioritises convenience over security, 30% said ‘yes’, which begs the question: what is the point of having security in the first place if you’re not going to use it? Traditionally, security has come at the expense of productivity because enhancing security involves additional steps to authenticate a user, which inherently takes more time. Select a software solution that does not force you to choose between security and convenience.
These five issues are problems that many of our clients face in today’s cybersecurity world. Our approach to solving them is to use context-aware security, which I mentioned earlier. This approach takes advantage of supplemental information to decide whether access is genuine or not at the exact moment when someone attempts to connect. Using admin-set rules that are based on this supplemental information, the system can automatically grant or deny access.
For example, you can set rules restricting an individual’s network access to certain workstations located in particular departments on your office premises. Or you could set up rules restricting access to certain connection types (IIS, Wi-Fi, VPN) so employees can continue to work on the go, or even restrict access by time of day, by location or by a maximum number of concurrent sessions. Restricting access in this way monitors the right aspects of security, doesn’t take much time to manage, doesn’t force users to jump through hoops all the time, empowers those employees to make the right security choices and doesn’t force you to choose between security and convenience. It’s a win-win scenario.
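One way to express the admin-set rules described above (workstation, connection type, time of day, concurrent sessions) as a grant-or-deny decision at logon time. This is an added illustration, not code from the original post or from any product; the user names, workstation names and policy values are hypothetical.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass(frozen=True)
class Policy:
    connection_types: frozenset        # permitted session types
    workstations: Optional[frozenset]  # None = any workstation
    start: time                        # window start (inclusive)
    end: time                          # window end (exclusive)
    max_sessions: int                  # concurrent-session limit

# Constructed policies; user names and hosts are hypothetical.
POLICIES = {
    "alice": Policy(frozenset({"Wi-Fi", "VPN"}),
                    frozenset({"FIN-WS-01", "FIN-WS-02"}),
                    time(8, 0), time(18, 0), 2),
    "nightops": Policy(frozenset({"VPN"}), None, time(22, 0), time(6, 0), 1),
}

def in_window(start, end, now):
    """True if now falls in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def evaluate(user, connection_type, workstation, now, open_sessions):
    """Return (allowed, reason) for one logon attempt; unknown users are denied."""
    policy = POLICIES.get(user)
    if policy is None:
        return False, "no policy for user"
    if connection_type not in policy.connection_types:
        return False, "connection type not permitted"
    if policy.workstations is not None and workstation not in policy.workstations:
        return False, "workstation not permitted"
    if not in_window(policy.start, policy.end, now):
        return False, "outside permitted hours"
    if open_sessions >= policy.max_sessions:
        return False, "concurrent session limit reached"
    return True, "granted"

if __name__ == "__main__":
    print(evaluate("alice", "VPN", "HR-WS-07", time(9, 30), 0))
```

Returning the reason alongside the decision gives the admin something to log and alert on for every denied attempt.
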
Latest posts by UserLock (see all)
- 5 Common Mistakes Companies Make with Access Management Software - September 26, 2016