The Importance of Accessibility in Cybersecurity Explained

The National Cyber Security Centre (NCSC) has recently released an article about the need for accessibility in cybersecurity.

It discusses how incorporating accessibility into the organisation’s cybersecurity measures can help keep the business safer. This discussion comes after the Thinks Insight and Strategy report that looked into the lived experiences of people with disabilities.

NCSC | Accessibility and Cybersecurity Report

This report was created after interviewing 22 people with different disabilities. The purpose was to:

• Understand how people with disabilities interact with cybersecurity
• Understand what works and what doesn’t when it comes to the impact of cybersecurity measures on the access to technologies and services online for people with disabilities
• Start the process of identifying possible solutions for improving the experiences of people with disabilities

Key Findings of the Report

Here is what the report found:

1. People with disabilities feel just as safe as the general population when accessing technology and going online
2. Whilst most reported that cybersecurity was not a barrier for them in their daily lives, many struggled with completing tasks online due to the measures in place
3. Not being able to engage with cybersecurity measures can affect the individuals’ security
4. Following measures that are not accessible can have significant practical impacts on people with disabilities
5. These measures may also have emotional impacts
6. Incorporating accessibility into cybersecurity measures can have a positive impact on the experience of people with disabilities

How Security Measures Can Be Inaccessible

According to the NCSC article, security measures that aren’t accessible can make the system harder for everyone to use. It went on to list some ways in which inaccessibility manifested in security protocols.

• Companies providing cybersecurity training in a format that’s not accessible
• Complex interfaces, buttons that aren’t properly labelled, text links that aren’t clear, or warnings that are audio-only/visual-only
• Colour-coded risk marking that might be difficult for people with colour blindness to decipher
• Feedback or error messaging at the end of a configuration change that’s not accessible
• A security step that’s so inconvenient for people with disabilities that they are either forced to sidestep it, increasing the potential risk, or avoid the task altogether
• Avoidance of updates in case users break compatibility with assistive technology
• A lack of accessible ways to recover from errors and access support causing a “near miss” to turn into a serious incident

The article emphasises that this is not a comprehensive list, but does demonstrate how accessibility is a necessity for processes and technologies both.

How Businesses Could Make Security Accessible

The NCSC article lists three ways of making security more accessible for employees, which are:

Collaborate With Employees

Businesses are encouraged to interact with the people who use processes to identify where individuals might have issues. If accessing specific functionalities requires colleagues to break security policies, that might mean rethinking the process.

Focus on “How” Without Compromising on ”What”

Whilst a business might need to be firm on the security requirements it needs employees to follow, implementing those requirements should be flexible. By allowing employees the flexibility to decide on which method they would like to use—for example, for multi-factor authentication—the system can be made more resilient.

Make “Accessibility” a Part of “Usability”

When planning the business’s cybersecurity protocol, it might seem that thinking about accessibility on top of is an extra task. However, the two are not separate. It is not enough to test the usability and security of tasks. It is also important to consider how these tasks not being accessible could affect users, and, in turn, the company’s security.

Every business today is concerned about protecting itself from online threats. One can have measures in place, such as regular testing of systems and networks or acquiring an ISO 27001 certification with the help of providers like DigitalXRAID. 

However, if those measures are not easy for everyone to use, people will find ways around them, nullifying them completely.

Parul Mathur

Parul Mathur has been writing since 2009.  That’s when she discovered her love for SEO and how it works. She developed an interest in learning HTML and CSS a couple of years later, and React in 2020. When she’s not writing, she’s either reading, walking her dog, messing up her garden, or doodling.