Martin McGregor

The role of UX in cyber security

Ensuring the security of digital infrastructure and data is a basic responsibility of IT. 

But, what about enabling a good end user experience (UX)? 

There's a misconception that robust device security and optimal user experience are incompatible. For employees, stringent security measures are seen as a hindrance to productivity. On the other hand, prioritising device usability and convenience can compromise security. 

Because of this, IT tend to prioritise security over end user experience, but this perspective must change. 

Security is a byproduct of caring for your employees' needs and their device-based experiences. 

If businesses underestimate the intertwined nature of UX and device security, they're at a disadvantage. It's time to recognise UX is not an obstacle to security but a prerequisite for it. 

A shift in mindset and approach is needed to achieve a positive UX that underpins device security.  

Change the legacy culture of helpdesk and employee interactions 

Before IT can focus on achieving good UX to underpin device security, there needs to be a change in attitudes.  

Reflecting on my early career days, I recall a prevalent culture in helpdesk teams belittling end users for their seemingly trivial tech problems.  

The notion that end users should have expert-level knowledge about technology is completely flawed. Just as we don't expect patients to diagnose their illnesses or mechanics to perform brain surgery, IT should not expect end users to be security or technology experts.  

It's important to remember the role of IT extends far beyond managing technology. It's about serving the people who rely on that technology.  

The first step towards fostering optimal UX is acknowledging that end users are experts in their respective domains. They shouldn't bear the responsibility of understanding the complexities of cyber security or device management. This shift empowers the development of a resilient security culture. 

Transforming end users from weak links to defensive assets 

In safeguarding an organisation against cybercrime, end users are often viewed as the weakest link.  

While human error is still very much the predominant catalyst for many cyber incidents, end users are the last piece of the puzzle. Other components must fail before they become part of the equation.  

Attributing undue blame to users overlooks the broader systemic issues that allow cyber threats to manifest.  

Shifting from the perspective of end users as potential liabilities to considering them as integral components of your defence strategy is paramount. Encouraging end users to report and seek help for suspicious activities and educating them about cyber threats equips them to be proactive defenders of organisational security.  

For your end users to report suspicious activity, they first need to understand what a secure digital environment looks like. This means making sure each user has a reliable, consistent and positive device experience through a SaaS-based SOE (Standard Operating Environment). A robust security posture is established through the seamless integration of user-centric security measures. 

User-centric design for enhanced security 

When employees have a seamless experience with their devices, they're less likely to engage in risky behaviours that compromise security. They are also more inclined to report suspicious behaviour.  

User-centric design puts the needs and preferences of end users at the forefront of the security design process.  

Empathy and understanding are the keystones of this approach. 

Achieving secure and user-friendly policies and workflows is a deliberate process that demands meticulous attention. It requires IT to actively involve all stakeholders from the outset of the design process. This involves understanding user requirements and roles, conducting usability tests and continuously refining the design based on user feedback. 

Examples of user-centric design practices: 

  • Two-factor authentication with user-friendly interfaces: Two-factor authentication (2FA) provides an added layer of security. User-centric design ensures 2FA interfaces are intuitive, straightforward, and well-integrated, making the authentication process smoother without compromising security. 

  • Simplified authentication mechanisms: Implementing biometric authentication, such as fingerprint or facial recognition, can remove the need for complex passwords and enhance security while supporting a seamless user experience. 

  • Automated workflows: Automating IT tasks, such as patching operating system and updating applications, eliminates the necessity for manual intervention by either IT or end users. This enhances the performance and reliability of the device, facilitating uninterrupted work for users. 

Strategically manage administrative privileges 

The need for an employee to have admin privileges could indicate a lapse in IT performance. Users shouldn't need such elevated access if their systems are operating optimally and they have access to everything they need.  

Strategically managing administrative privileges is essential for UX and enhanced security. 

While some argue unrestricted access compromises productivity, giving all users admin privileges compromises the security of the organisation. 

Managing admin privileges requires a pragmatic approach that respects diverse user roles.  

Streamlining software deployment is an effective way to reduce the unnecessary use of admin privilege. By pre-installing essential applications tailored to individual roles, you can reduce the need for users to install and manage software, thereby mitigating potential security risks. 

If employees have all the necessary resources on their devices and IT can deploy patches and update applications remotely and/or automatically, the requirement for admin privileges becomes unnecessary.  

Create consistency with a Standard Operating Environment 

A Standard Operating Environment (SOE) drives the balance between flexibility and consistency—two factors that underpin good UX. 

A well-defined SOE ensures employees have access to necessary tools while maintaining a standardised software landscape. This approach fosters better collaboration and reduces the attack surface by keeping applications up-to-date and compatible. Implementing application allow-listing also becomes more manageable, as a clear understanding of authorised software streamlines security controls. 

It's worth recognising an employee's initial experience with technology significantly influences their perception of the organisation. Business and IT leaders should prioritise this experience. In today's remote work environment, a smooth and efficient device experience becomes an essential part of employee engagement.  

Forging a unified front against cyber threats 

As IT and cyber security professionals, we must not lose sight of the powerful influence of user experience. Particularly as we pursue and implement modern security measures. 

By fostering a culture that values the needs and concerns of end users, we are not only enhancing device functionality but also building a resilient line of defence against cyber attacks. 

In today's digital landscape, where every individual owns the power to impact security, prioritising user-centric practices becomes the bridge that transforms end users from the perceived weakest link into an essential asset in our united defence against cyber threats.  

Join our newsletter for our latest updates and insights
Martin McGregor

Security versus productivity: The dilemma

Discover what balancing the needs of enterprise security and organisational productivity looks like in a rapidly evolving workplace. This is the CISO dilemma.

Martin McGregor

The smart way to manage apps on employee devices

Manually managing apps on endpoints at scale is complex and time-consuming. Discover the smarter way to manage apps on end-user devices.

Martin McGregor

Meeting security challenges in the remote workplace

As we enter the post-pandemic world, it’s time to address how to meet security challenges in our new remote workplace.