Spoiler: Sorry. These days, it’s becoming increasingly clear that security is becoming an even bigger part of “everybody’s business”. 

People instinctively feel their productivity is hindered by security

IT’s always been easy to blame the IT organization’s security measures for hindering staff productivity. For many employees security is an inconvenience, and they security policies and restrictions to be annoying and frustrating. After all, it’s understandable if employees are thinking, “I was hired to do my thing, and these security rules are just slowing me down”.

Is IT shirking responsibility?

Now, on top of that, the phrase, “Security is everybody’s business” has become more common. So, it might seem to some people like the IT team is just shirking its responsibilities for putting good security measures in place. But, in reality, it is virtually impossible for the IT organization to completely secure your business through automated technology alone. And it’s almost a certainty that having a highly secure work environment will impose some unpopular restrictions on what employees can do.


For example, guaranteeing that the right person is logging in to a business system requires strong authentication controls like “two-step authentication”, since attackers are becoming good at breaking into password-based logins. But for two-step authentication to work, you always need to be carrying your smartphone or a token device, which might not be convenient for some people. Fortunately, two-step authentication is becoming much more acceptable and common, as Adam Crate of Grade A mentioned in my interview with him in Episode #1 of the “Can I Be Phished?” video podcast.

Balancing security is always hard. But now with “cloud” and COVID-19…

So, more often than not, to reduce inconvenience, security restrictions might be set up to be less strict than they should be. This means that it’s up to employees to be aware of the limits on their organization’s security controls, and why they are configured the way they are. Without that awareness, employees can be expected to not only complain about the restrictions that are in place, but to occasionally do things that expose the business to risks.

This article cites the findings of a survey of 300 Chief Information Security Officers (CISOs), in which 80% of respondents said that they “can’t effectively manage excessive access to data in their infrastructure and Platform-as-a-Service (PaaS) environments.”

So, it’s not a big surprise that the same survey found that 80% of businesses have had at least one cloud data breach and 18% have had 10 or more breaches in the past 18 months.

Clearly, everybody needs to recognize the new limitations and make security their business more than ever

With this much exposure in the typical business IT environment, it is becoming clear now that employees need to be much more aware of the limitations of their IT security controls. And they must be informed on proper procedures to compensate for them. Unfortunately, not only will they will need to get used to being inconvenienced, but they will need to recognize that “Security really is everybody’s business”, or else they may be the cause of a major security breach, which could cost them their job.

To build “cyber herd immunity”, where everyone helps defend the organization, employees need to be engaged, educated and have the chance to practice their defensive skills. When they understand, and are confident, they will complain less about the burden.

Photo by Tim Gouw on Unsplash