Balancing Security With Usability So Staff Follow the Rules Instead of Working Around Them.
A Sligo accountancy firm introduced a new policy requiring staff to use the company VPN for all remote work. Two weeks later, an IT review found that four of eight remote workers had stopped using it. Their reason was consistent: the VPN made video calls choppy, slowed file downloads, and was cumbersome to connect when switching between tasks. They had not announced their decision to stop using it. They had simply stopped.
The security team had implemented a control. The control had been bypassed. The bypass had not been noticed. The firm was now less secure than before the policy was introduced — because the policy created a false sense of coverage while actual behaviour had diverged from it.
This pattern repeats across Irish SMEs whenever security controls are designed for security without adequate consideration of usability.
The Security-Usability Trade-Off
Security controls that are genuinely unusable — that meaningfully slow down legitimate work, that require multiple steps for routine tasks, or that add friction without visible benefit — will be bypassed. Not by all staff, not immediately, and not always consciously. But the bypass rate will be non-trivial, and the bypasses will be invisible unless actively monitored.
The goal is not to eliminate friction entirely — some friction is the point of security. The goal is to apply friction selectively, at the points where it provides genuine security benefit, and to minimise it everywhere else. Staff who experience security as something that helps them do their jobs, rather than something that impedes them, comply with it. Staff who experience it as an obstacle find workarounds.
Where the Friction Is Worth It
MFA on initial login is friction that is worth it. A staff member who has to complete an authenticator app prompt when they first sign into Microsoft 365 in the morning experiences approximately three seconds of additional delay. That delay is invisible once it becomes habit. The security benefit — blocking the majority of credential-based attacks — is substantial.
Approval workflows for payment changes are friction that is worth it. A finance team member who must call to verify a bank change before processing it experiences a delay of five to fifteen minutes on that specific transaction. That delay is the entire protection against invoice redirection fraud. The inconvenience is trivial relative to the risk it addresses.
Dual authorisation for significant financial transfers is friction that is worth it. A 24-hour delay on transfers above a threshold while a second approver reviews the instruction is a delay that, in practice, affects a small proportion of transactions and has minimal operational impact.
Where the Friction Creates Problems
Overly complex password requirements create predictable passwords. A policy that requires 16-character passwords with uppercase, numbers, symbols, and no repeating characters, changed every 60 days, does not produce strong passwords. It produces Summer2026@1, Summer2026@2, and so on. The complexity requirement generates exactly the pattern it is designed to prevent.
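To make the rotation problem concrete, here is a small Python check (added for this post, not from the article or any vendor) that flags the "Summer2026@1, Summer2026@2" pattern at password-change time, when both the old and the new value are available; the base-word list and the function names are my own assumptions.

```python
import re
from typing import List, Optional

# Base words that dominate rotation-style passwords (constructed list for this example).
BASE_WORDS = {
    "spring", "summer", "autumn", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Word, then a 2- or 4-digit year, then an optional symbol/counter tail: Summer2026@1.
SEASON_YEAR = re.compile(
    r"^(?P<word>[a-z]+)(?P<year>(?:19|20)\d{2}|\d{2})(?P<tail>[^a-z0-9]*\d*)$",
    re.IGNORECASE,
)


def _without_counter(pw: str) -> str:
    """Strip the trailing digits that staff bump at each forced rotation."""
    return re.sub(r"\d+$", "", pw)


def _core(pw: str) -> str:
    """Alphabetic core only: 'Summer2027!3' and 'Summer2026@1' share 'summer'."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def predictability_issues(new_pw: str, previous_pw: Optional[str] = None) -> List[str]:
    """Reasons a password that satisfies complexity rules is still guessable.

    Returns an empty list when none of the patterns described in the post apply.
    """
    issues = []
    m = SEASON_YEAR.match(new_pw)
    if m and m.group("word").lower() in BASE_WORDS:
        issues.append("season or month name followed by a year")
    if previous_pw:
        if new_pw == previous_pw:
            issues.append("unchanged from previous password")
        elif _without_counter(new_pw).lower() == _without_counter(previous_pw).lower():
            issues.append("only the trailing counter changed since last rotation")
        elif _core(new_pw) and _core(new_pw) == _core(previous_pw):
            issues.append("same base word as the previous password")
    return issues


if __name__ == "__main__":
    print(predictability_issues("Summer2026@1"))
    print(predictability_issues("Summer2026@2", previous_pw="Summer2026@1"))
    print(predictability_issues("correct-horse-battery-staple-42", "Summer2026@1"))
```

A long, unique passphrase from a password manager passes every check; the counter-bumped rotation fails two of them.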
VPNs that degrade video performance get bypassed. If your remote work VPN significantly degrades video call quality, staff will turn it off before calls and forget to turn it back on. The solution is either a split-tunnel VPN configuration that routes corporate traffic through the VPN while allowing video calls to bypass it, or a different VPN product.
Security tools that generate too many alerts create alert fatigue. A monitoring system that sends email alerts for every routine administrative action trains the recipient to ignore the alerts. When a genuinely anomalous event occurs, it is indistinguishable from the noise. Configure alerts for specific, actionable events, not everything.
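As an added example (not from the article), the Python below shows the alerting approach the paragraph recommends: a short list of always-actionable events, a volume threshold for events that only matter in bulk, and everything else suppressed. The audit-log field names and the sample events are constructed for this illustration, not any product's schema.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of one morning's audit events at a small firm.
SAMPLE_EVENTS = [
    {"event": "LoginSuccess", "actor": "aoife"},
    {"event": "FileAccessed", "actor": "aoife"},
    {"event": "LoginSuccess", "actor": "ciaran"},
    {"event": "SoftwareUpdateInstalled", "actor": "system"},
    {"event": "BackupCompleted", "actor": "system"},
    {"event": "LoginFailed", "actor": "ciaran"},
    {"event": "LoginFailed", "actor": "ciaran"},
    {"event": "MailboxForwardingRuleCreated", "actor": "ciaran"},
    {"event": "LoginFailed", "actor": "finance-shared"},
    {"event": "LoginFailed", "actor": "finance-shared"},
    {"event": "LoginFailed", "actor": "finance-shared"},
    {"event": "LoginFailed", "actor": "finance-shared"},
    {"event": "LoginFailed", "actor": "finance-shared"},
    {"event": "FileAccessed", "actor": "aoife"},
    {"event": "AdminRoleAssigned", "actor": "ciaran"},
    {"event": "LoginSuccess", "actor": "siobhan"},
]

# Events where a single occurrence deserves a human's attention.
ALWAYS_ACTIONABLE = {
    "AdminRoleAssigned", "MfaDisabled",
    "MailboxForwardingRuleCreated", "BankDetailsChanged",
}
# Events that are routine in ones and twos but meaningful in volume (per actor).
THRESHOLDED = {"LoginFailed": 5}


def triage(events: List[Dict[str, str]]) -> Tuple[List[str], int]:
    """Return (alerts worth an email, number of events suppressed as noise)."""
    alerts, suppressed = [], 0
    counts = Counter()
    for ev in events:
        kind, actor = ev["event"], ev["actor"]
        if kind in ALWAYS_ACTIONABLE:
            alerts.append(f"{kind} by {actor}")
        elif kind in THRESHOLDED:
            counts[(kind, actor)] += 1       # aggregate, decide after the batch
        else:
            suppressed += 1                  # routine: logged, never emailed
    for (kind, actor), n in counts.items():
        if n >= THRESHOLDED[kind]:
            alerts.append(f"{n}x {kind} for {actor}")
        else:
            suppressed += n
    return alerts, suppressed


if __name__ == "__main__":
    found, quiet = triage(SAMPLE_EVENTS)
    print(f"{len(found)} alerts, {quiet} routine events suppressed")
    print("\n".join(found))
```

Sixteen events become three alerts, each of which a recipient can act on; a rule of "email everything" would have sent sixteen.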
Have you asked your staff what security controls they find most disruptive? The answer is more useful than the IT provider's assurance that everything is working correctly. Book a free 20-minute strategy call — usability assessment is a standard part of how we review Irish SME security programmes.
Designing Security That Staff Follow
Involve staff in the design. Before implementing a new security control, talk to the people who will use it. Ask what it would prevent them from doing. Ask what workarounds they can imagine. The answers identify friction points before they create bypass behaviour.
Explain the why, not just the what. A staff member who understands that the call-back verification step for bank changes exists because a specific fraud pattern targeting Irish businesses causes an average loss of €23,000 is more likely to apply it consistently than one who was told "it is a new policy." Context converts compliance from obligation to understanding.
Make the secure path the easy path. Single sign-on, password managers, and pre-configured MFA make security easier, not harder. If the secure way to access a system requires fewer steps than the insecure workaround, staff will use the secure way because it is more convenient.
Address bypasses without blame. When a bypass is discovered — staff using personal email for work documents, sharing passwords for a shared account, using unapproved cloud tools — the first question should be "what problem were they solving?" Answer that question with a sanctioned solution and the bypass disappears. Blame the bypass without addressing the underlying need and it moves underground.
Why This Matters Right Now
NCSC Ireland's guidance on staff security emphasises that organisational security culture — the extent to which staff understand, support, and follow security practices — is a more reliable predictor of security outcomes than the sophistication of technical controls. A culture where staff are informed, engaged, and not resentful of security requirements is measurably more resilient [^1].
Security that staff bypass provides the appearance of protection without the reality. The appearance of protection is, in some ways, worse than acknowledged absence — it creates confidence in coverage that does not exist.
What Next
Survey your staff on which security controls they find most disruptive. Anonymous if necessary. The findings will identify the friction points where behaviour diverges most from policy.
Review your password policy against current guidance. If it requires complex passwords changed frequently, update it to require long unique passwords (managed by a password manager) changed only on evidence of compromise.
Configure your monitoring and alerting to focus on actionable events. If your IT provider's monitoring system is generating daily emails that no one reads, work with them to reduce the volume to genuinely actionable alerts.
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- Turning Your Staff From the Weakest Link Into a Security Asset
- Making Cyber Security Part of Your Culture: Incentives, Recognition and Leadership Behaviour
- Policies That Actually Get Read: Making Security Rules Short, Clear and Enforceable
[^1]: NCSC Ireland — Security Culture Guidance
[^2]: An Garda Síochána — National Cyber Crime Bureau
[^3]: Data Protection Commission Ireland
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.