If security is a barrier rather than an enabler, something has failed
It only takes one high-profile data breach, or a sobering personal experience of ID theft, for users to lose confidence and become more cautious in engaging with brands and services online. Which is the last thing companies want when they have devoted huge investment to their digital channels.
Digital transformation and mobile enablement top the agenda at almost every organization now. But how easy is it for companies to keep rolling out new and innovative services – making it easier for customers and employees to access information, complete tasks and receive more personalized attention – if security is a sticking point?
It’s in everyone’s interests that users are productive, engaged and satisfied – able to take full advantage of what digital technology makes possible, wherever they are and whatever device they are using. But then another big breach hits the headlines – another Target, eBay/PayPal, TalkTalk or JPMorgan Chase – and users get nervous. Who is ‘listening’ online, who is intercepting data as it pings back and forth between customers, suppliers, and ecosystem partners, and how robust are passwords and authentication and encryption processes?
It’s a fine balance: keeping users and data safe, yet without making them jump through so many hoops, and remember so many complex passwords, that they give up because the whole thing has become too onerous.
“It’s a real conundrum for companies,” says Mike Turner, VP of Capgemini’s global cybersecurity portfolio. “If employees or customers can’t access services easily or do what they need to do on the move, they’ll go to someone else.”
Professor Alistair Irons, professor of computer science and an expert on cyber forensics and cybersecurity at the University of Sunderland, agrees. “Usually, the more security there is, the less usable something becomes.” For example, the user may have to use a special device, or create a complex new password every few weeks. “Of course that’s nothing compared to the implications of a breach, but it’s a barrier,” he notes.
With the continuing proliferation of devices, people’s digital footprints are getting bigger too – increasing their vulnerability. “The options for interacting with services are tremendous now,” Irons says. “Before, your sensitive information would be locked in a secure filing cabinet at home. Now, it’s available to anyone who has access to your mobile phone and it’s mystifying how many people still haven’t set up passcode protection to protect the content on their devices.”
More worrying still is how long it can take to realize that data has been breached. According to Irons, the average elapsed time before discovery is 210 days, by which time a lot of damage is likely to have been done.
So how can organizations make security a business enabler rather than a barrier to innovation, when the risks appear so great? What if they want to be able to let users log in via Facebook, for example?
Analyst firm Forrester believes that 2016 will be a turning point for consumers, whose trust in digital services will be defined by how robust a company’s privacy strategy is. This “can no longer merely focus on aligning with compliance requirements,” analyst Heidi Shey comments. “Forward-thinking organizations will take their privacy strategy a step further: they will seize the opportunity to champion privacy to build trusted customer relationships and drive business growth.”
Ultimately, security and ID/access management need to be managed holistically and become a lot more sophisticated, for example by using deep data analytics and context-aware authorization.
“The goal is to ring-fence the user experience – making this consistent irrespective of the device or channel – and ensuring their confidence by making security seamless, robust and end to end,” says Capgemini’s Turner. “Ultimately, this means organizations need to start thinking differently about security.”