How To Drive Digital Employee Experience Without Compromising Workplace Security

Learn how companies can drive digital employee experience without compromising workplace security.

Last Updated: January 20, 2023

Cyber threats are increasing. With more companies going remote and hybrid, strict security controls are essential. However, too many strict controls lead to a poor digital employee experience and, thus, increased attack vectors. Here are a few ways companies can drive digital employee experience without compromising workplace security.

Cyber threats are intensifying, leaving business leaders grappling with how to respond strategically. Check Point ResearchOpens a new window reported that cyberattacks increased 32% in Q2 of this year compared to Q2 of 2021. Organizations are often left sidelined by cyberattacks because their cybersecurity approach does not consider the end-user opinion. Users are the weakest link, but sometimes excessive security controls can have the opposite of the desired effect, making it more likely your organization’s data will end up in the hands of a bad actor.

To improve their resilience against future attacks, organizations need to minimize their attack surface and potential vulnerabilities. In doing so, one area often overlooked is how strict security controls can lead to a poor digital employee experience (DEX), ultimately leading to increased attack vectors. 

Different parts of the IT organization often focus solely on endpoint support and maintenance, the digital experience of the user, or cybersecurity. The key to driving a first-class and more secure employee experience is holistically addressing these issues. 

Why Tightened Security and DEX Are Even More Essential in Hybrid and Remote Work Settings

As hybrid and remote work settings have become more commonplace, organizations need to have a DEX strategy in place to offer optimal IT experience and support to their employees both in the office and out. With the influx of devices and apps used to conduct everyday work and communicate with one another, bad tech days can translate to bad work days. Employees cannot efficiently complete their tasks, impacting productivity and the overall business bottom line. As such, it is essential to invest in a DEX strategy that proactively monitors and optimizes IT experiences so that leaders can understand what is disrupting employee performance. 

How it impacts an organization’s security measures is equally important in discussing hybrid and remote work. The shift toward digital everything has raised the security stakes for organizations as they now must deal with an increasingly distributed enterprise, resulting in increased threat exposure and security challenges. CIOs are grappling with how to address these issues effectively. 

It used to be the case that data resided in the office and on end-user devices (which were often also physically in the office). However, hybrid work has shifted this concept, with data living “in the cloud” and every laptop being considered an official workplace. As one CIO described, they went from having 186 offices in 2019 to today having to protect 56,000 offices. 

The Correlation Between DEX and Security

Security controls are essential to any business but can create digital friction when they become too restrictive. For employees, security is often seen as a roadblock to completing their work. For example, an abundance of security tooling and agents can cause device resource constraints. Poorly timed patching or reboot management can cause interruptions to important meetings. Restrictive controls for USB/removable drive access or VPN connectivity can negatively impact DEX by preventing users from getting critical work done. Security restrictions like these lead to employees trying to find “workarounds.”

Employees may take action to resolve work efficiency issues that seem harmless, such as trying to disable security agents or storing company data on personal devices they “have more control of.” However, these practices can compromise security entirely while doing nothing to solve the DEX issue. There are countless ways employees can negatively impact an organization’s security infrastructure when they feel overly squeezed by protocols they see as draconian. For example, this can be utilizing poorly patched personal devices to conduct their work (which can result in the unintentional storing of sensitive company information). Those same devices may lack anti-virus defenses and other security tooling common in the enterprise. Employees in more technical roles have an even greater technical ability to work around security protocols, even on protected corporate devices.  

At the same time, having little to no security controls is not a way to ensure a good user experience. It will inevitably lead to increased attack vectors and the likelihood of compromise by a cyberattack. Malware chewing resources as a device becomes a bot on the net or ransomware encrypting files and demanding bitcoin to release data are not good end-user experiences. Organizations can avoid this by following some best practices and leveraging technology smartly. 

See More: 4 Ways to Improve the Deskless Workforce Experience

Best Practices for Balancing DEX and Security

Regarding security, the most important component of any control is exception handling. To improve DEX and security simultaneously, organizations must be able to handle requests for exceptions to security controls in real-time. 

For example, rather than allowing users to be a local admin for a week if they only need it for an hour, an administrator can give it to them “on-demand” for an hour and remove it again, with the complete audit records, etc. 

Some tools even allow remote access to devices using RDP or similar methods to be enabled and disabled on-demand rather than leaving those ports and entry points open for potential abuse or misuse by bad actors.

Additionally, say that USB drive usage is restricted at an organization, but an employee needs to gain access to something stored on a drive immediately or share something via a USB key. A quick call, chatbot interaction or portal click can request approval, but the control also needs a real-time, remote-capable system to enable the user’s USB port. USB controls must also be re-enabled in real-time once the pressing need has passed. 

Security is often compromised unnecessarily in many organizations because real-time exception handling is typically not available. Many current tools in the market do not allow for sufficient real-time or offline management of devices. When a change is approved, the change should take effect immediately, and full audit logs of the change, activity post-change, and reimplementation of the control should be kept.

Organizations should also remember that not all security tools are created equal; some are more effective and efficient than others. Security tools can lead to excessive resource consumption on endpoints, leading to poor end-user experiences. Hence, it is essential to measure the impact of security tooling on end-user productivity and device resources. 

Organizations should not dismiss the overlap between security and DEX when evaluating security efforts. DEX is just as essential as heightened security in today’s largely digitized workplace. An improved experience can improve security too. Organizations must strike a balance between both to deliver a safe and seamless digital employee experience. Security control management that works with users’ expectations for real-time response can improve security and improve end-user acceptance of controls and overall digital experience.

How are you driving digital employee experience while implementing strict cybersecurity controls? Let us know on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window .

MORE ON EMPLOYEE EXPERIENCE

Jason Keogh
With over 20 years experience in the software industry, Jason helps IT leaders in large organizations around the world identify solutions to the problems that plague them. An expert in the Digital Workplace and Cyber Security, Jason joined 1E in 2014 where he served as VP of Product, VP of Solution and Partner Chief Technologist before taking the role of Field CTO in 2022. Jason works with strategic partners, customers and internal field resources to better understand their needs and connects those requirements with Product Management and Engineering in 1E. Jason is an ISO standards editor involved in the IT Asset Management (19770) and Information Security (27000) families of standards. He is one of two global liaison officers between ISO/IEC JTC1 SC7 (Software & Systems Engineering) and ISO/IEC JTC1 SC27 (IT Security Techniques) for ISO.
Take me to Community
Do you still have questions? Head over to the Spiceworks Community to find answers.