Solving the Human Security Problem: An Interview With JD Sherman, Dashlane CEO
A version of this interview first appeared in the Future of Work 2021 report by Raconteur.
In the move to a hybrid work model, the pace of adopting online tools will not slow. Protecting organizations’ data requires human behavioral change through a strong security culture.
The coronavirus pandemic forced organizations to embrace remote working practically overnight.
They may not have been ready for it, but cloud-based businesses like Zoom and Slack helped most companies adapt quickly, shifting their focus from investing in their in-person workplaces to technology that enables staff to work efficiently from home.
The longer the pandemic has gone on, the more apparent it has become that workforce models will not return to what they were before COVID-19 changed the world. Offices will, no doubt, be populated again, but they are likely to serve more of a “pull” function, rather than the traditional “push,” within an overall hybrid working mix favored by employers.
Historically, businesses “pushed” employees to travel to the office every day to use the tools provided to get their job done. It’s taken a global health crisis to demonstrate, on a mass scale, that most people can do most, if not all, of their job by accessing the required tools from home. This means offices in the post-COVID world are more likely to “pull” employees in when they need to do what they can’t do very well at home, such as collaborate with teams.
In a recent study by Dashlane, a leading password management solution, 72% of office workers said they would like to work away from the office at least twice a week.
However, remote working creates new risks for the business. While setting people up to work remotely in the wake of the pandemic was reasonably successful, it created significant security challenges. Remote working may be here to stay, but lax security policies need to go.
“We saw a reaction to the need for people to work remotely, but I don’t think we saw a big change in the way employers or employees addressed security,” says JD Sherman, CEO of Dashlane, whose web and mobile app simplifies password management for people and businesses. “The challenge is security is not just a technology problem, it’s a human problem.
“As humans, we generally know what the right thing is to do, but sometimes we can’t bring ourselves to do it because we’re looking for shortcuts. We know we should have complex passwords and change them often, for instance, but it’s a headache so we tend not to do it.
“A human behavior problem is harder to address with technology and it is amplified as people are working from home with lots of online tools, and when work and home blend together.”
Dashlane’s research found that many people not only have poor security habits, such as using unsecure practices to create and track their passwords and other account information, but they also don’t feel a significant amount of friction or frustration in doing so. This is a concern for organizations as it suggests employees may not necessarily complain about workplace security policies and procedures; they simply choose not to follow them.
Without a strong security culture or the right tools, many employees view policies as an inconvenience at best. Some 35% of survey respondents said they feel overwhelmed by keeping track of all their account information and logins, and 49% admitted to creating their own tricks and shortcuts for managing logins. More than half of employees said they would feel relieved if they never had to remember another password ever again.
The greater reliance on cloud-based collaboration and sharing tools over the last year has created more instances of employees reusing passwords, connecting via unsecured or public WiFi, and using unpatched devices. This, in turn, creates a larger attack surface.
Improving security means achieving a better blend between technology and humanity, which ultimately requires tools that align employees’ beliefs about security with their online behaviors.
“Businesses have got to start thinking about security differently,” says Sherman. “If you’re an IT administrator, you’re spending lots of resources protecting your endpoints and infrastructure, building the walls around it to provide security. But most breaches actually happen when they come through the gate rather than the walls.
“How your employees behave and their security habits are the big challenge and that’s only amplified as people are working outside the office in a connected environment.
“There are two sides to the equation. One is making employees realize their behavioral shortcuts—sharing, reusing, or saving passwords—creates a security risk. It’s the cultural journey of explaining why they need to have better password health and encouraging them to do that. The other side is making it easy for them to live their lives without having to bend over backward, which means taking the friction out of the process. That’s the way businesses must think about closing the gate on their security infrastructure.”
The second part of the security culture equation is served through an effective enterprise password manager such as Dashlane, which makes it much easier for employees to do the things their employers want them to do.
With Dashlane, for example, they never have to remember a password again. The tool will immediately alert the employee and the administrator if a password has been compromised and then assist them in changing the password. Users can also share passwords in ways that allow colleagues to access an application without actually knowing what the password is. When the colleague leaves the organization, they don’t take those passwords with them.
“The fundamental approach we take is recognizing this is a human problem, and we have to help our users along that cultural journey,” says Sherman. “For Dashlane, that means being the easiest password manager to use, buy and deploy.
“A password manager for an organization is only as valuable as the number of people who actually use it, so user experience is very important. We often hear that a customer’s spouse used Dashlane at home and then told their own employer to deploy it. People become evangelists of the product.
“We understand what people are trying to do online and the behaviors they’re exhibiting, and automate it in a way that’s both useful and safe. But the real differentiator is the ease of use and our approach to solving the human problems.”
Get Dashlane's full report, The Future of Security in the Hybrid Workplace, for free.