This topic is never-ending, at least at our company: security and usability stand in each other’s way. Signing in, for example, is a deliberate barrier designed to increase information security. It ensures that a user has to enter their username and password before they can access content. I personally use a digital password manager to make signing in, and managing constantly changing and increasingly secure passwords, easy and to achieve a high level of usability. And as part of our security audits, we also encourage all our employees to do the same.
Password managers like these are a good example of how usability and security can be interwoven to create an acceptable solution.
Another good example is Google’s two-factor authentication app. And sure, I know a procedure like this is almost always annoying, because you have to type a random series of numbers, received by text or email, into some app. Google, on the other hand, has already solved the problem of signing in to an app (e.g. Gmail) on your smartphone. If I am already signed in to Gmail and the corresponding Google account, I can confirm a sign-in on another device (e.g. my notebook) simply by calling up the app, without having to enter any numbers, which is less complex. Suddenly, an annoying security measure becomes a convenience.
It is not as if password managers or two-factor authentication make usability optimal. But they are a good compromise. And that’s what it’s all about in an intranet:
You can neither achieve maximum security, nor can you achieve maximum usability.
I caution against believing that you can purchase an “obviously insecure system” and publish “little business-critical information” there. That sounds absurd the moment you say it out loud. But that’s how many people actually think. Information from your company can easily be used for social engineering (“social hacking”). Attackers combine pieces of internal information to elicit trust, then gather further information until they have enough to carry out a digital break-in.
The confidentiality of information is directly related to its relevance and appeal for a company. If you only intend to publish generic corporate propaganda, you can be consistent and use a public platform. But then it’s not an intranet and you will not attract any long-term attention from your employees. And if you publish relevant information, you need to secure it after all.
You have probably noticed by now that usability is extremely important to me. In contrast, however, most of our customers strongly favor security.
The best approach is to define a rough strategy together with your intranet team: Where do you want to position the project? Are security and usability equally important to you? If in doubt, which is more important, usability or security?
Some of your positioning in relation to these questions should already be determined in advance by your corporate culture, the type and nature of your business model, and the preferences of your decision makers. If you have clarity on this, it will help you tremendously in your further planning.
Link to this page: https://seibert.biz/intranetbooksecurity