When a breach investigation team assembles after an incident at a company or organization, misinformed users often get added to the ‘suspects list’ because accidents happen that sometimes lead to holes in security. Though everyone in a company means well, just like accidentally dropping a glass or losing your car keys, the reality is that security mishaps happen. Effective cyber security controls can make these mishaps less impactful.
Yubico works with customers every day who are preparing diverse use cases for broad security key rollouts that almost always cause some cultural disruption. The key to change is incremental, with enterprises first taking the right steps to modernize their authentication infrastructure. A few recommended steps organizations should take include:
- Understand all your users, not just a majority and prioritize your high risk users and accounts.
- Answer the “why this change matters” question with clear communication. Employees are more likely to make a change when they understand why it’s important to their jobs and to their enterprise.
- Explain the workflow integration and the upside to what more can be accomplished. This will help allow for organic growth in non-primary use cases.
- Offer training sessions that demonstrate how easy the transition and use will be. Ensure your helpdesk is also properly training for support calls.
Modernizing authentication infrastructure is a large task, but once complete, the rollout can shift its focus to user adoption. With clear user communication plans and strategic approaches, companies can help avoid or mitigate user adoption concerns before they arise. After all, the goal is to make the secure option the easy option. Leveraging our experience, we’ve assembled a list of users that organizations should account for to improve MFA implementation security.
The Overachievers mean well, but they often cause problems by taking IT security into their own hands. They feel frustrated because they are sophisticated users who don’t typically need or want basic IT tutorials, but they’re also part of a small group within the company that may have been overlooked when a needs assessment was done. When they reach out for help, the helpdesk doesn’t have any solutions for them. When they email IT, they often get frustrated because follow-up questions begin at a basic level.
After a few failed attempts at getting help, they decide to fix it on their own. From their point of view, the company isn’t providing them with the tools they need to do their jobs. So they are justified in downloading whatever they need.
But what if Overachievers download something from a dubious source and create a point of vulnerability for the entire enterprise? Or what if they ignore a policy meant to protect them and the company?
How to safely enable Overachievers
The key moment in the Overachievers’ journey comes when they ask for help, but the helpdesk is unable to help them or doesn’t have an established escalation path. There are a few ways this can be avoided:
- Understand all your users — not just a majority. Every use case must be considered, even those that may involve more technical tools than others in the company.
- Have a procurement request process that offers approved exceptions and fast consideration. The offered technical options should have the strongest authentication protocols available. If the Overachievers can just click a few buttons for a quick result, then there’s no reason to draw outside the lines.
- Answer the “why this change matters” question with clear communication. Technical users are more likely to make a change when they understand why it’s important to their jobs and their enterprise.
- Don’t schedule a huge deliverable or disruption at an inconvenient time like the end of the quarter or during heavy vacation times. This is just common sense — the security team’s job is to make things seamless and disrupt as few workflows as possible.
Someone who doesn’t read anything from the security team can cause just as much of a problem as the user that looks for work-arounds. The Traditionalists might not attend security training, read emails from the security team or learn new authentication processes because they don’t think it has a direct impact on their jobs (at least not until the “forced upgrade” day). They may not trust the security team or believe that engaging with them will cost valuable time.
How to reach Traditionalists
Whatever the motives are for Traditionalists, they are a significant part of organizational culture so there should be a solid plan in place to reach them properly. Here are a few ideas:
- Repetition and using team-level communication channels are key. If Traditionalists receive regular updates on what’s happening and when, it gives them the opportunity to prepare and raise concerns before forced upgrade day. Rather than peppering them with emails from the security team or people they don’t know, work through direct managers to send communications. Emails are more likely to be read if they come from within Traditionalists’ unit. Better yet, have senior leaders mention it at an all-hands meeting.
- As much as possible, integrate the security update into existing workflows. Traditionalists just want to walk the same path they’ve always traveled. MFA implementation can’t always be seamlessly woven into workflows, but when it can there will be a lot less friction from Traditionalists and all users.
Cautious Users, unlike their friends the Traditionalists, aren’t ignoring your pleas for action and understand that there’s a security upgrade happening. However, they fear this could be a disruption to their workflow or they might have had a previous bad experience with the helpdesk or security upgrades and would rather avoid repeating it. They may take a little more coaxing than the average employee because they’re taking a “wait-and-see” approach rather than being proactive.
How to convince Cautious Users it’s time to upgrade
- All of the communication methods mentioned above apply for Cautious Users, but making the workflow integration as invisible as possible will help.
- Write a version of the basic communications tailored just for them. Cautious Users may act if they understand that the workflow integration is painless and that the change made may actually improve their daily routine. This should also include what testing has been done to ensure it will not cause adverse effects for them.
- Offer additional resources like you would for Overachievers, including in-person (or video call) training sessions that demonstrate how easy the transition will be.
- If all goes right you won’t reach the “flipping of the switch” with a large number of non-adopters. But if there are a few Cautious Users out there who are still hoping the upgrade will go away on its own, be clear that there is an end date and time when their equipment or software will be upgraded. Usually this kind of deadline works to motivate the last-movers, but prepare your helpdesk for a flood of last-minute users.
Most of the work described above comes before any project even gets started. Often, security project success relies on a previously established trust in the security team. Helping your employees put a human face to the request (i.e. they’ve met their security team either in person or on a call) will serve you well when the difficult transitions or workflow changes arrive.
In the coming years, as more of the enterprise’s budget is set aside for needed MFA security upgrades, security teams should be formulating a strategy to connect with all users, not just the ones that are already engaged.
Watch Yubico’s webinar “Empower the Workplace using Modern Authentication” to learn more about how WebAuthn helps organizations move away from passwords and toward a reduced password environment.