In some ways, corporate users are like children: They need rules, but rarely like them, and many will try to find one way or another around them. “Use only this software and always keep it up to date.” “We’re blocking access to those websites you’re trying to visit.” “You must constantly be on the alert for ‘suspicious’ emails, and don’t open any attachments—ever!” “Yes, you are required to take that training class on how to protect corporate assets.”
Security measures like these are common in nearly all organizations. But are they working? The regular reports of successful malware and phishing attacks provide a definitive answer: No. In the noble pursuit of blocking malware, most security vendors and practitioners seem to overlook the fact that there’s a real person browsing the Web and reading those emails. So it should come as no surprise that users will resent, and may even take actions to resist, any “solution” that’s too intrusive, too burdensome to deploy and maintain, or too hard to use.
In fact, it seems that the better the protection provided, the worse the user experience. I was reminded of this recently when I saw this Tweet:
PGP [encryption] is a social network for people who hated a good UX [user experience].
How true! Part of the problem is that software often ignores human nature. Consider, for example, how a Google Car waits (as it should) for traffic at a four-way stop to come to a complete stop before taking its turn through the intersection. But drivers on the traffic-packed streets in Silicon Valley make “rolling” stops, so the Google Car patiently waits and waits, and Bam! gets rear-ended again by a (much less patient) human driver.
But even if the anti-malware or anti-phishing software is sufficiently user-friendly, there are still the successful zero-day attacks, the unclassified websites that present unknown risks, and the inevitable (and irresistible) workarounds to the rules. “Oh, so you won’t let me access that website from my corporate laptop via the enterprise network? Well then, I’ll just use my handy 4G BYOD smartphone, which by the way, also accesses the enterprise network via Wi-Fi.” I met with a customer recently who preferred to get a text instead of an email given how stringent the processes were!
Ignoring the needs of end users does indeed have consequences. But there is another category of user, the IT staff. And their experience, while dramatically different from that of the end users they support, is of equal importance. Applying the “human element” principle to IT means accommodating three additional needs:
- Ability to integrate any new solution into the existing network infrastructure without a requirement to “rip and replace” anything
- Little to no on-boarding friction for end users, to simplify deployment in large-scale environments
- At-a-glance dashboards and more detailed reports that analyze and organize raw data into easily digestible and actionable information
Dog-fooding is an awesome thing. It really lets you care deeply about, and experience first-hand, what your customers go through every day using your product. Which brings me to our Isolation Platform. Every one of us at Menlo Security uses our Isolation Platform. It reminds us every day that there are real people behind our products doing everyday productive things. UX really matters, especially in enterprise security products. Next time you speak to a security vendor? Ask them if they use their own product.