
Friction: flaw or feature?


David Gearing at Roc Technologies argues that friction is a necessary feature of digital user experiences, not a flaw

 

The relentless push for a seamless user experience is exposing organisations to greater threat surfaces and untold vulnerabilities. Features designed to reduce login friction or enable easier collaboration, such as a “trust this device” tick box or unrestricted file sharing, have left organisations vulnerable to avoidable cyber-attacks that are having unfavourable long-term effects.

 

Cyber-threats are also growing in sophistication as AI enhances phishing techniques, making them more difficult to detect and more likely to trick unsuspecting employees into clicking on malicious links.

 

However, whenever IT teams have tried to introduce controls in the past, they have often been met with internal resistance from staff who see security as an obstacle. That disconnect is the problem, and solving it starts with a shift in mindset.

 

The importance of clear communication

Security friction, whether it’s a second authentication prompt or restrictions on device access, should no longer be viewed as a hindrance but instead as a deliberate, strategic safeguard.

 

However, organisations have gravitated towards making it too easy for staff to ignore security best practices in favour of convenience, and protective barriers have come down as a result.

 

But why has it come to this? A big reason is that users don’t want to keep inputting details for multi-factor authentication every time they open their browser. If a device is locked down by a number of security protocols, it can create frustration and reduce adoption. This then has the added impact of reduced ROI.

 

To combat this, IT teams might introduce a “trust this browser for 30 days” box to take that friction away, but even this simple compromise can allow attackers to bypass MFA protections and hijack a session.

 

In reality, we all have our part to play, and communicating the ‘why’ is pivotal to ensuring a mindset of collective responsibility. Without any explanation, restrictions feel like unnecessary frustrations. Users may think that they’re being forced through hoops to satisfy a security mandate, and this annoyance then encourages potential workarounds, such as shadow IT. In these cases, sensitive data can end up being stored on unsecured devices, making it susceptible to unauthorised access and data breaches.

 

What’s needed is clear, non-technical communication that explains the value of security controls in easily understandable terms. Instead of enforcing policies from the top down, IT leaders should bring users along with them. This means framing controls as tools for safety, not hurdles to productivity.

 

Reframing controls as business enablers

The perception of controls as bureaucratic red tape needs to change. Done well, security enables the business to function with confidence. And confidence among staff is sorely needed at a time when cyber criminals are regularly wreaking havoc on organisations in attempts to access their sensitive data.

 

For example, AI is being used to create nearly undetectable and highly sophisticated phishing emails that are fooling staff into clicking on malicious links or files in the body of the text. To make this even harder for employees to detect, we’re also seeing algorithms being able to accurately replicate the voices of trusted people in an effort to get users to hand over sensitive information.

 

Security tools such as desktop applications are providing value by encouraging employees to take a second before they action an email they’ve just received. Some staff may see this integration as a hurdle to completing a task, but it’s a highly valuable tool in helping to protect them from a potentially damaging threat.

 

When implementing new software such as this, IT teams need to take time early on in the process to explain exactly why it’s being implemented and how it’s going to help protect workers in their day-to-day tasks, even if it means adding that little bit of friction.

 

Thoughtful design in the introduction of a new solution can preserve both strong security and a good user experience, if the implementation is carefully managed and staged. Quick fixes and rushed rollouts only add to user resistance.

 

A measured approach, combined with good change management, helps avoid unnecessary disruption, while helping to safeguard IP, protect customer data and maintain operational continuity at the same time. It might be necessary to talk to people who use potentially vulnerable applications and tools the most to gauge their thoughts on new security measures and how they can be implemented in the least disruptive way.

 

Safeguards over a slight inconvenience

Security and user experience have often hit an impasse, but treating friction as something to eliminate entirely has led many organisations down a dangerous path. With threat actors becoming faster, smarter and more convincing thanks to AI, businesses can no longer afford to prioritise ease-of-use over security.

 

Friction, when applied deliberately and communicated clearly, is a user experience feature, not a flaw. It can protect people, preserve data and prevent costly incidents. By involving users in the process, explaining the reasons behind restrictions and implementing changes with care, organisations can foster a culture where security is seen as a shared responsibility.

 

The safest user experience is one with the right safeguards, even if they do prove to be a slight inconvenience.

 


 

David Gearing is Network Services Practice Lead at Roc Technologies

 

Main image courtesy of iStockPhoto.com and tsingha25


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543