Cyber threats are continually changing, and new threats are emerging. One striking example is the impact brought on by the COVID-19 pandemic. Many employees have had to leave the safe confines of corporate networks and use potentially insecure home devices and networks to access corporate systems and data. Cyber hackers have been able to exploit this trend in many ways: by sending phishing emails which promise exclusive information about COVID-19, using bogus websites to trick users into typing in usernames, passwords and banking details for donations and fake relief efforts or temporary government loans and grants.

Organisations develop policies that prevent staff from being phished, but the side effect can sometimes hamper employee productivity. Moreover, people have to work and that almost inevitably leads to 'exceptions' in the policy in the way of shadow IT, including personal devices without updated anti-virus software, or unchecked USB sticks with the potential to infect entire corporate infrastructures. But when it comes to things like data protection and privacy and tasks like data replication and backup, not applying the corporate rules can lead to a host of complications - some of them very severe indeed.

A BETTER WAY?
There has to be a better way. We need to create a consumer-grade experience with a corporate security wrapper around it. These are almost diametrically opposite needs, with a tension that's complicated to resolve. It is a challenge to create a better user experience while deploying security measures for organisations working across various countries and partner organisations. And simple economics dictates that any new system will be in place for quite some time - meaning that it will become outdated against the latest consumer tech quicker than it can be kept up-to-date.

Where we are today is no longer fit for purpose. IT departments create long policy documents and force employees to review them annually, but the dos and don'ts must translate into something more dynamic. What this points to is that the people aspect of security is often more complicated than the technical. And ironically, new technologies could make things even more frustrating for users. What's needed is a change in security culture that treats users more like consumers, so we move away from the once-a-year security training event to something more interesting, enticing and lasting.

Getting there will require business and security teams working together, understanding and agreeing what risks are unavoidable (and planning appropriate security measures) and those where the risk outweighs any likely potential reward. Security has to speak the language of business.

THE SECURITY CONTEXT
As a starting point, cyber security needs to have a better handle on users. Today, access rights are generated service by service or system by system. This approach is too crude and too complicated. There are fewer face-to-face meetings now, but the need for executives to access corporate systems remotely remains. Blanket bans are unworkable and unnecessary.

Security is now moving towards persona-based rules, mapping reasonable behaviour for that person, and applying it dynamically. This is already in place in many organisations - at least in a rudimentary way. What's likely to be missing is context-sensitive role profiles, dynamically created for different types of users accessing data outside core working hours.

New 'digital experience' roles assist the shift in enterprise IT, modelled on the consumer environment, where services and products have experience 'champions' to ensure what is delivered is actually what the user wants and needs. For the enterprise user, this isn't just about making it look good: the task is to protect value streams delivered by how people work and to add value by mapping end-to-end workflows. The way forward is for cyber security and the enterprise experience owners to build in the right security as part of the design.

TOWARDS A NEW SECURITY CULTURE
The new way: emulate the launch of a consumer product. Look at the total experience for the 'customer' and design-in security as part of the overall value workflow. If we have the digital experience owner, we have a starting point to add value to the people who generate value. But users have a role too. Security teams can work as hard as possible to make everything 'secure by design'. Still, unless users take responsibility for doing their part, no amount of smart technology will keep an organisation entirely safe. When reimaging how every employee can contribute to an organisations' security posture and building a culture that fully integrates intuitive security, everyone plays a crucial role.