A company hires a contract web developer to help with updates to the website. The contractor isn’t given their own credentials to the back end of the site; instead, one of the other developers shares their user ID and password. Once that contract employee finishes their project, they’re let go… but they may still have access to the site.

As a security leader, you see users come up with risky workarounds all the time, from sharing passwords for cloud services to recycling credentials for both personal and work accounts, despite repeated attempts to educate them about the security implications. Compromised passwords in the workforce carry significant implications; regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) impose serious fines for shared credentials and lost data.

While you might be tempted to lock down data access altogether, you know that oversecuring your infrastructure is a recipe for shadow IT, user frustration and decreased productivity. How can you give employees the streamlined access they need to perform their jobs efficiently without exposing your critical data to insider threats? That’s where silent security comes in.

The User Account Privilege Conundrum

Enterprises usually adopt one of two diverging strategies for identity and access management: They either take a loose approach to employee access or a restrictive no-privilege paradigm, and each strategy has its own drawbacks. Employee access to networks, apps and data can aggregate over time based on seniority, project, team or reporting structure. In many cases, this access should be significantly pared back, but isn’t due to a lack of standardized processes for granting access. When credentials are compromised in an overprivileged network, the risks of data loss can be much higher.

In contrast, no-privilege access is a paradigm inspired by an absence of trust for insiders. While it can seem like a way to simplify complex access management, the practice can inspire frustration. Users are often required to repeatedly verify their identity and authenticate. Fifty-one percent of workers are likely to develop workarounds in the face of a frustrating user experience, according to a Forrester report. No-privilege access can create a false sense of security as employees lean on shadow IT. Last year, inadvertent insider error resulted in 20 percent of compromised data records.

Today, 60 percent of knowledge workers want productivity gains with better data access, according to The Wall Street Journal. As user expectations rise, security leaders face a tangle of competing risks: Strategies for identity and access management must scale across an increasing number of mobile devices and workplace apps. Simultaneously, the GDPR, HIPAA, Revised Payment Service Directive (PSD2), Financial Industry Regulatory Authority (FINRA), and other regulatory mandates and authorities have heightened requirements for secure IAM practices and audit pressures.

How Can Companies Balance Security, Productivity and Compliance?

The answer is silent security, which is defined by invisible safeguards that only intervene when necessary. Trusted users shouldn’t ever have a reason to detect silent security. This approach can protect your networks and data using multifactor authentication when necessary, instead of as a rule. IT teams can choose between automated frameworks for authentication to streamline the complex process of governing users and identities.

Behavioral analytics are at the core of silent security frameworks. By creating user profiles, machine learning algorithms can track data access and actions over time to identify potentially risky users based on real-time updates to risk scores. The system can continually enforce least privilege and granular access control, and audit and manage accounts based on user needs for data access.
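To make the step-up logic concrete, here is an added example (not code from the original article or from any vendor product) of a minimal risk-based decision: each access request is scored against a learned baseline, the score feeds a rolling per-user risk value, and the user only sees an MFA challenge when that value crosses a threshold. The weights, thresholds, decay factor and baseline values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class UserProfile:
    """Behavioural baseline learned over time (constructed values in the demo below)."""
    known_devices: set
    usual_countries: set
    usual_hours: tuple          # (start, end) local hours, start inclusive, end exclusive
    risk_score: float = 0.0     # rolling score; decays toward 0 when behaviour looks normal

@dataclass
class AccessEvent:
    device_id: str
    country: str
    hour: int
    sensitivity: str            # "low" or "high" sensitivity of the requested resource

# Hypothetical weights and thresholds; a real deployment would tune these from data.
UNKNOWN_DEVICE, UNUSUAL_COUNTRY, OFF_HOURS, HIGH_SENSITIVITY = 30, 35, 15, 10
STEP_UP_THRESHOLD, DENY_THRESHOLD, DECAY = 50, 90, 0.5

def score_event(profile: UserProfile, event: AccessEvent) -> float:
    """Score one access request against the user's baseline."""
    start, end = profile.usual_hours
    score = 0.0
    if event.device_id not in profile.known_devices:
        score += UNKNOWN_DEVICE
    if event.country not in profile.usual_countries:
        score += UNUSUAL_COUNTRY
    if not start <= event.hour < end:
        score += OFF_HOURS
    if event.sensitivity == "high":
        score += HIGH_SENSITIVITY
    return score

def decide(profile: UserProfile, event: AccessEvent) -> str:
    """Update the rolling risk score and return 'allow', 'step_up' or 'deny'.
    'allow' is the silent path: the user sees nothing. 'step_up' asks for MFA only now."""
    profile.risk_score = round(profile.risk_score * DECAY + score_event(profile, event), 1)
    if profile.risk_score >= DENY_THRESHOLD:
        return "deny"
    if profile.risk_score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"

def step_up_succeeded(profile: UserProfile, event: AccessEvent) -> None:
    """After a successful MFA challenge, fold the new context into the baseline
    and clear the accumulated risk so the user is not challenged repeatedly."""
    profile.known_devices.add(event.device_id)
    profile.usual_countries.add(event.country)
    profile.risk_score = 0.0

if __name__ == "__main__":
    p = UserProfile({"laptop-a1"}, {"US"}, (8, 19))   # constructed baseline
    print(decide(p, AccessEvent("laptop-a1", "US", 10, "low")))    # allow
    print(decide(p, AccessEvent("laptop-a1", "US", 22, "high")))   # allow
    print(decide(p, AccessEvent("laptop-a1", "BR", 10, "high")))   # step_up
```

Note that the decay term means a single odd event is tolerated silently while a run of them accumulates into a challenge, which is the behaviour the paragraph above describes.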

Silent security is more effective than no-privilege approaches to security because it gives the IT team a streamlined, frictionless framework for identity and access management. This approach ensures that employees have access to the right data at the right time and helps security professionals prevent superfluous access. A defined framework for frictionless security allows the enterprise to simplify compliance and pursue digital transformation.

Transform Access Control

The average American adult has 130 unique password-protected accounts, according to a report from Dashlane. This drives enterprise users to cope with password fatigue by recycling credentials or employing risky workarounds. Single sign-on (SSO) capabilities relieve users of the mental load of remembering many different passwords with a unified authentication pathway into all workplace applications.

Business managers can group employee access to lower-risk apps and grant permissions based on business activity and need. The result is more flexible, user-friendly authentication that can bridge the gaps in access control as organizations pursue digital transformation.

Stay Ahead of Compliance

The average cost of regulatory noncompliance has increased 45 percent since 2011 to $14.8 million in 2017, according to Ponemon Institute and Globalscape. Silent security can help IT and risk professionals stay ahead of changing regulatory requirements with access audits and tools to prove compliance. Leaders can quickly gain visibility into policies and access and streamline communications between business and IT around access decisions. By tracking compliance in real time, organizations can continuously refine their governance strategy for easier audit cycles.

Streamline the Future

“Identity is its own solar system. Its own galaxy,” said Robert Herjavec, CEO of global IT security firm Herjavec Group, as quoted by Dark Reading. “The problem with users is that they’re interactive.”

Enterprises need solutions to handle the growing complexity of governing users and identities. Both overprivileged frameworks and no-privilege solutions can present productivity and security risks in a complex network of mobile workers, smart devices and workplace apps. Identity is the new enterprise perimeter, and smarter access management requires silent solutions to balance security, productivity and compliance.
