Components of a zero trust framework are necessary to secure our new remote and hybrid workforce. But some tactics can be problematic for employee workflow and retention. This article will explore how to improve security without losing employees' confidence.
The pandemic has forced organizations worldwide to rethink how they manage their teams. While remote and hybrid work models seemed far away from reality for most businesses, everything changed in 2020. Now, two years later, people have adjusted to flexible schedules and a largely virtual work environment. And while businesses may not be so keen on the challenges that come with managing employees from afar, they’re now at a crossroads.
"The Great Resignation"
Faced with what economists are calling “The Great Resignation,” enterprises simply can’t afford to lose in our new hybrid and remote working world. In the second half of 2021, more than 20 million people quit their jobs (U.S. Bureau of Labor Statistics). It’s not just boomers retiring early, either: millennials and Gen Z employees are quitting too. This is a huge problem for businesses, and even more so in industries like technology that require specialized skill sets.
We are facing the highest attrition rates in modern history, but it’s not all bad news. People are more vocal than ever about what they want in a job. It’s an employer's responsibility to listen and act on it whenever possible. Data from FlexJobs showed that 58% of respondents preferred to work exclusively remotely post-pandemic, while 39% wanted a hybrid work environment. As such, many companies have permanently adopted some form of Work from Home (WFH) policy or flexible working plan.
While this is a great first step, granting employees’ wishes to work outside the office is only one part of the equation. Relearning how to engage and manage people from many locations is hard enough. But building an IT infrastructure that supports this work style and is also secure is another challenge entirely. This is a major reason why zero trust frameworks have become so popular in recent years.
Zero Trust Frameworks
According to Forrester, who coined the term, zero trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. When you consider all the new entry points for remote workers—insecure home networks, coffee shop WiFi, mobile devices, and more—paired with strings of recent phishing attacks, it’s easy to understand why a ‘trust no one’ policy sticks. But with its benefits come downfalls, from hindering productivity to, as the name implies, a distrust of employees.
What reason do employees have to trust their employer if they are seen as untrustworthy? What does that do to motivation? Beyond that, what do added security measures do to workflow and the ability to accomplish day-to-day tasks? Job satisfaction is a crucial part of employee retention and stifling that in the name of zero trust is not a good solution.
Finding the Balance
It’s clear that the balance between strong security measures and employee well-being is a fine one. However, some ways of rolling out zero trust initiatives are less disruptive than others. One of them is to focus on critical assets first. Not all data in the enterprise is equal, nor should the security tools protecting it be. By ensuring the most friction only applies to sensitive data, you can limit worker frustration significantly.
Another smart tactic is to understand what ‘normal’ behavior is. When there is a lack of understanding about who has access to what across an organization, everything looks like an anomaly. This means inordinate friction will be applied to common access situations. To avoid this, make sure zero trust starts with a very thorough and accurate identity governance program.
Additionally, just-in-time access and reviews can be helpful. Too often, reviews and permission updates are done in a bespoke system that isn’t timely or aligned with daily business workflows. Permissions to the application layer are critical in any zero trust rollout, and the ability to review or add access at the point of need is key, especially in an environment in which employees are coming and going frequently.
Ultimately, better security is needed to protect the enterprise. This has never been more true than in the age of remote and hybrid work and The Great Resignation. While it’s critical for businesses to regularly assess users’ account access and adjust it as needed, there are ways to do this that don’t hurt productivity or breach employees’ trust. This is easier said than done, but it could be the difference between retaining talent and struggling to fill empty roles.
This article first appeared in HR Daily Advisor.