Bromium, Inc. has shared the findings of an independent survey showing IT security is hindering productivity and innovation across enterprises. The research revealed most security teams use a "prohibition approach" – i.e. restricting user access to websites and applications – a tactic which is hampering productivity and innovation while creating major frustration for users.
“At a time when competition is fierce, the risk of falling behind and being less productive is as big a risk to an enterprise as cyber attacks. Security has to enable innovation by design, not act as a barrier to progress. Sadly, traditional approaches to security are leading to frustrated users, unhappy CISOs, and strained relationships between workers and IT departments – all of which stifle business development, innovation, and growth,” said Ian Pratt, President and Co-Founder of Bromium. “This is unacceptable in a world where time to market is a vital driver for business success. We need to put an end to this catch-22 between security, productivity, and innovation – things need to change.”
The research, based on a survey of 500 CISOs from large enterprises in the US (200), UK (200), and Germany (100), is part of a wider report on the role of the end user in cybersecurity. Key findings include:
88% of enterprises prohibit users from using websites and applications due to security concerns; with 94% investing in web proxy services to restrict what users can and can’t access.
Unsurprisingly, these restrictions negatively impact user experience: 74% of CISOs said users have expressed frustration that security is preventing them from doing their job and 81% said that users see security as a hurdle to innovation.
Worryingly, security could also be impacting customer’s relationships and deals, as CISOs report that they get complaints at least twice a week that work has been held up by over-zealous security tools.
As a result, IT help desks are spending an average of 572 hours a year responding to user requests and complaints regarding access to websites.
All this frustration is creating an uneasy relationship between IT, security, and the user. 77% of CISOs said they feel stuck in a Catch-22; caught between letting people work freely and keeping the enterprise safe. A further 71% said that they are being made to feel like the bad guys because they have to say ‘no’ to users requesting access to restricted content.
A New Approach to Security That Brings All Sides Together
These figures suggest enterprises need a new approach to security. With revenue, reputations and share price on the line, those who look to new approaches to security will not only protect the business but have a competitive advantage.
“The way security works today is broken. It is unacceptable that end users are making help desk requests just to download documents and access websites they need to do their job,” Pratt added. “It is also unfair that IT and security are seen as the enemy when they are simply trying to keep the organization safe. But it doesn’t need to be this way. There is a way to let end users click with confidence while keeping the organization safe. It’s called application isolation.”
Application isolation puts the activities most often targeted by cybercriminals – downloading files, using applications, browsing the internet – into micro virtual machines. When these activities are initiated, the network is protected because malware is trapped inside the container. Restrictions on users can be lifted and employees can get back to work.
“This new approach to security transforms the relationship between the user and IT,” Pratt concluded. ”Now, instead of users calling IT to say there is a problem, they call to say they trapped some malware. Security teams congratulate the end user and then have the opportunity to extract and analyze the malware. This allows users, IT, and security to work together to gather threat intelligence that protects the business at large.”
The research was conducted by researchers at Vanson Bourne. The sample of 500 was made of 175 enterprises with between 1,000 and 3,000 employees, 175 with 3,000 to 5,000 employees, and 150 with more than 5,000 employees.