The NCSC is calling for accessibility to be a central tenant of cybersecurity strategies and defences.
“Accessibility is about ensuring that nobody is excluded from using something due to a disability or impairment,” according to Lee C, of the NCSC Sociotechnical and Risk Group.
In the UK, around 22% of working age adults are disabled, with and estimated 4.9 million people with disabilities in the workforce.
The NCSC commission report, Thinks Insights and Strategy, is part expanding effort to discover and understand accessibility challenges in cybersecurity.
The UK government announced in the Spring Budget that they will re-examine their disability welfare system by allowing those on disability benefits to work without losing their welfare benefits, as part of their wider efforts to get more Brits into the workforce.
But if certain work proves inaccessible, these efforts could prove as an impractical way to support people with disabilities into work and fill in the skills shortage.
According to the NCSC, there are many reasons to address accessibility, besides the obvious humane implications: legal compliance regulations, better operational outcomes, and attracting and retaining a more diverse set of talent to name a few.
Making systems more accessible would also mitigate human errors and make these systems easier to use for everyone. Human error is cited as one of the top reasons leading to cyber incidents, according to a Gartner report.
Failing to consider accessibility can increase these risks, Lee C writes.
How Security can be Inaccessible
Every aspect of cybersecurity can have some element in inaccessibility, and this can make the system harder for everyone to use.
Barriers around language, complicated interfaces, and audio or visual-only platforms can make even the most basic of security procedures inaccessible.
For instance, the well known red and green scale of security alters can be inaccessible to people for colour-blindness, but is still widely used.
Further, security procedures and technology that limits accessibility functions or are incompatible with accessibility tech can force workers to create un-secure workarounds or forgo systems entirely.
In addition, if accessible ways to recover from errors or access support are not present, this can exacerbate issues around reporting incidents.
“We don’t intentionally end up with security that is hard to use,” Lee C writes . “We often end up with it because we don’t factor it in to our security decision making, or because it’s seen as someone else’s responsibility.”
While human errors are thought to be one of the highest contributing factors to cyber incidents, considering accessibility is a great way of ensuring companies are actively considering human risk factors
Security that Works Better for Everyone
“In all cases, designing for people with disabilities makes things more usable for everyone,” Lee C writes.
While the workplace environment can introduce its own limitations, designing with accessibility in mind will create a more resilient working ecosystem that is better equip to face security incidences.
Further, training can only go so far is accessibility is not taken into account. While training can be valuable to introduce security procedures, if these are not accessible to everyone, no amount of training will change that.
The NCSC has provided several recommendations to improve accessibility in cybersecurity.
Collaborative working, with both security experts and those with accessibility needs, is vital in addressing both concerns.
Encouraging open and honest feedback continuously can help make the system better for everyone involved, and avoid making inaccessible procedures for future and current employees.
“Working collaboratively to make sensible exemptions and managing any associated risk is better than forcing people to avoid security, or suffering through not being comfortable enough to raise a concern,” Lee C insists.
2. Knowing when to – and when not to – compromise
There is no need to dilute security systems to meet accessibility requirements.
The key to this is flexibility, by offering users different ways to implement the same secure functions.
“Providing this flexibility has a secondary benefit in that it improves the resilience of your systems,” Lee C adds. “For instance, if one method of authentication were to fail, an alternative metho can provide a backup to minimise business loss.”
3. ‘Accessibility’ and ‘usability’ as requirements
Making accessibility and usability priorities when setting up security procedures or purchasing secure technology is a good first step to ensuring accessibility down the line.
Companies can work with suppliers and vendors to discover what accessibility functions are available, and where certain products may be inaccessibility.
They can also build their own framework by using and building upon the Web Content Accessibility Guidelines (WCAG) or other standards for accessibility.
Striving for more inclusive and effective cyber security
New research into the implications of disabilities in the workforce has allowed for more useful innovations across the board.
While there is still more work to be done, the NCSC is beginning to trial new approaches to build more accessible methods to cybersecurity.