Security That Doesn’t Annoy People: Balancing Protection and Productivity

Let’s get real: if your security controls frustrate your staff, they’ll find a way around them.

Every business has seen it—salespeople sharing files via personal email, execs refusing to use MFA, or teams uploading client data to unapproved apps because “it’s just easier.”

The problem isn’t that your people don’t care.

It’s that your security wasn’t designed for how they actually work.


The Productivity vs. Protection Trap

Too often, security is bolted on like an afterthought:

  • A new policy that adds steps without context

  • A control that works for IT but kills field operations

  • A restriction that looks great on paper—but breaks actual workflows

When controls slow people down, they disengage. And when they disengage, risk multiplies:

  • Shadow IT explodes

  • Sensitive data goes off-platform

  • Trust in IT and cyber teams erodes

It doesn’t matter how technically “secure” something is if no one uses it properly.


The Real Risk Is Workarounds

People are problem solvers. If something stops them from hitting their targets, they’ll route around it.

  • Locked out of a shared doc? Use personal Gmail.

  • VPN stalls? Send the file via WhatsApp.

  • DLP blocks a report? Copy/paste into a new format.

What started as a security policy now drives risky behaviour.


So How Do You Fix It?

You design usable security. Controls that feel seamless, sensible, and scalable.

Here’s how:

1. Start with Empathy, Not Enforcement

Talk to staff. Ask how they actually work:

  • How do they share data?

  • What systems do they rely on daily?

  • What slows them down?

Then design controls with them, not just for them.

2. Align Security to Real Roles

A CFO doesn’t need the same device rules as a frontline tech. A marketing exec might need to share large files with external creatives.

Segment your security policies. Make them fit the user, not the org chart.

3. Make MFA Invisible (Where Possible)

Modern authentication can be smart, not stubborn:

  • Only prompt for MFA on new locations, devices, or risks

  • Use biometrics or push approvals instead of constant codes

  • Integrate with identity providers to streamline access

Done well, MFA should feel invisible—until it matters.

4. Build for “Yes” Not “No”

Instead of blocking everything, build clear, secure workflows:

  • Need to share a file externally? Use an approved tool that logs access.

  • Need to work from home? Use conditional access, not blanket bans.

  • Need admin rights? Enable temporary elevation with approvals.

Make the secure way also the easiest way.
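The step-up rule from section 3 (prompt only on new devices, locations or risk signals) and the conditional-access idea from section 4, as an added example that is not from the original post: a small Python policy evaluator over a constructed sign-in model. The signal names, the SENSITIVE_APPS list and the block rule are assumptions; a real identity provider exposes equivalent signals (device compliance, named locations, risk level) under its own names.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical policy model for illustration only.
SENSITIVE_APPS = {"payroll", "admin-console"}  # always require step-up, even from trusted context


@dataclass
class SignIn:
    user: str
    device_id: str
    country: str
    ip_risk: str   # "low" | "high" from an IP reputation feed (constructed signal)
    app: str


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


def evaluate(s: SignIn, h: UserHistory) -> tuple[str, list[str]]:
    """Return (decision, reasons): 'allow' silently, 'mfa' (push approval), or 'block'."""
    reasons = []
    if s.device_id not in h.known_devices:
        reasons.append("new device")
    if s.country not in h.known_countries:
        reasons.append("new location")
    if s.ip_risk == "high":
        reasons.append("high-risk IP")
    if s.app in SENSITIVE_APPS:
        reasons.append("sensitive app")
    # Several strong signals at once: deny rather than prompt, so the outcome
    # does not depend on the user correctly declining an unexpected push.
    if s.ip_risk == "high" and "new device" in reasons and "new location" in reasons:
        return "block", reasons
    return ("mfa", reasons) if reasons else ("allow", reasons)


def record_success(s: SignIn, h: UserHistory) -> None:
    """After an approved prompt, trust the device and country so the next sign-in is silent."""
    h.known_devices.add(s.device_id)
    h.known_countries.add(s.country)


if __name__ == "__main__":
    hist = UserHistory()
    first = SignIn("alice", "laptop-1", "GB", "low", "crm")
    print(evaluate(first, hist))   # ('mfa', ['new device', 'new location'])
    record_success(first, hist)
    print(evaluate(first, hist))   # ('allow', [])
```

The reasons list is what you would write to the sign-in log, so a prompt is always explainable to the user and to the SOC.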

5. Train With Context, Not Just Rules

Don’t just tell people what not to do.

Show them why it matters—and what the better alternative is.

  • “Here’s why we block personal email—and here’s your secure sharing link”

  • “Here’s what happens when you ignore a warning—and how to respond next time”

Good training doesn’t blame. It empowers.


Final Thought: Respect Breeds Compliance

People don’t follow rules because they’re forced to. They follow them when they feel understood, supported, and part of the solution.

Security that works with people—not against them—is the only kind that truly works at all.

So next time you draft a policy or push a new control, ask yourself:

Will this help people get their job done—or get in their way?

Because if it’s the latter, the real risk won’t be the one you’re trying to stop—it’ll be the workaround they find next.
