NCSC: It’s Time for CISOs to Prioritize Accessibility
A leading UK security agency has urged organizations to help reduce cyber risk by ensuring accessibility is built into cybersecurity policies, processes and technologies.
Lee C from the NCSC’s Sociotechnical and Risk Group cited government statistics revealing that nearly a quarter (22%) of British working age adults are disabled, with 4.9 million currently in the workforce.
“There are many reasons to address accessibility, whether meeting legal requirements, delivering better operational outcomes, or attracting and retaining a more diverse set of talent,” he argued.
“Addressing accessibility also provides cybersecurity benefits by making systems more usable and making human errors or workarounds less likely. Conversely, if we fail to consider accessibility, these risks increase.”
He gave several examples of how security can be inaccessible for some people. These include awareness campaigns not written in simple language; complex interfaces and audio-only/visual-only warnings; and color schemes that may be inappropriate for those with color blindness.
Lee C argued that accessibility is often seen as “someone else’s responsibility,” or that usability and security cannot co-exist.
“This is surprising given the number of incidents which still claim ‘human error’ as a contributing factor,” he added.
“Considering accessibility within your security requirements is a great way of ensuring that you are actively considering your ‘human factors risks,’ and that you are stress testing your security against the conditions where people will find it most difficult to use, and where human errors will be most likely.”
The NCSC recommends that security leaders:
- Consult more in their security decision-making processes and encourage feedback
- Be open to different ways of realizing their security requirements: i.e., don’t compromise on the “what” but be flexible on the “how”
- Treat accessibility and usability as an intrinsic part of any security requirement, rather than a separate add-on, including asking vendors for accessibility statements on their products