• Do employees/end-users resist IT process changes? If yes, then why?
• Why changes (even if necessary) in internal IT processes are not readily accepted by employees/end-users?
• How can organizations address employee/end-user concerns?

In two of our earlier blogs, we have discussed the reasons why people resist changes in the organization and how to overcome the challenge of resistance. In the last one year, there has been a sea change in the work culture of most of the organizations globally. Work-From-Home (WFH)  has been adopted by the majority of organizations due to the pandemic. 

Nevertheless, the changing dynamics in the IT landscape have increased access control challenges. This, in turn, has altered the IT policies and procedures that could lead to friction among employees. 

From a security and compliance perspective, reinforced access control is important, but for a frictionless IT environment a candid talk with the employees/ end-users is necessary. In this blog we discuss some major IT security trends and how the GRC managers can allay end-users’ concerns. 

Treading a balance between people and IT policies 

While most of the organizations are adopting robust remote access control technologies to address the challenge arising from WFH (Work From Home), the employees’ concerns are often ignored. The employees’ interpretation about the changed work culture, eg. What they are thinking about the new IT practices and procedures, are they facing any discomfort – all these questions remain unattended. Needless to mention, both the employees and the organization need to address these before it’s too late. 

Let’s discuss some of the IT practices that are important to IT security, but misconceptions among end-users could lead to ineffective implementation of the same. 

• Why Just-In-Time (JIT) Privilege?

About 75% of data breach incidents start with abuse of privileges across the world. In order to manage, monitor and control privileged activities in remote work conditions, organizations count a lot on the JIT privilege principle to avoid the risk of excessive standing privileges. Now, an end-user who had the liberty of all-time privilege might raise his/ her concern. Explain that to implement the JIT principle is not about reducing their liberty but to adequately protect endpoints and critical infrastructure from unauthorized access. The JIT practice reduces the privileged account attack surface.

• Why End-user Behaviour Monitoring? 

Many organizations are adopting predictive security mechanisms over preventive measures. Hence, continuous monitoring of the end-user behaviour is the best way to ensure improved vigilance. Implementing this security practice might throw a presumptive message to the employee that his/ her service is under observation and that they are being intruded on. Explain that end-users’ monitoring is not about intruding into privacy but to ensure everyone works on a configured baseline IT policy. It eventually helps to increase the end-user productivity. 

• Why Rule & Role-based Access Control?

The rule and role-based access control mechanism is the only way to ensure restricted and authorized access to systems. In a vast and distributed IT environment, especially in a remote work environment, organizations face the challenge to manage and monitor multiple end-users. The employees, at this juncture, might nurture a feeling whether their employer is denying the access due to mistrust? Explain that a role and rule-based access to systems enhances IT oversight and governance. This practice helps to implement the principle of least privilege for a robust compliance framework.

• Why Too Much of Authentication?

In today’s complex remote IT environment, it is important to find out whether or not the user activity is happening through a legitimate device. Multi-factor Authentication (MFA) along with Adaptive Authentication based on some anomaly-detection criteria like geo-location, IP address or typing speed of the users helps the administrators to find out the suspicious user and take immediate action on it. The end-user may say that logging activity is causing too much frustration. Explain that in remote work environments, sophisticated cybercriminals can exploit the access control loopholes. MFA along with adaptive authentication is important to ensure network security. 

Conclusion

The employees can’t just be informed about the changes happening; the intimation of a change in policy/ technology should also include why these changes are happening and how the company would be benefited with this. This definitely reduces or alleviates the friction.