Why employee experience is now a cyber risk

by Black Hat Middle East and Africa

For years, the idea of ‘digital employee experience’ (DEX) has been filed under HR priorities – an issue of productivity and satisfaction (and by extension, retention). But a new wave of research is pushing organisations to change this, because DEX is also a live security concern.

When workplace tech frustrates or slows people down, they find ways around it. And those workarounds expand the attack surface faster than security teams can contain it.

Digital friction is expensive – and risky

Ivanti’s 2025 Digital Employee Experience report found that technology interruptions cost an average organisation of 2,000 employees around USD $4 million each year in lost productivity. That’s a financial issue, of course; but it also points to security vulnerabilities. 

The same study reported that:

  • 27% of employees regularly use unauthorised apps to get work done.
  • Nearly 40% bypass the IT help desk when they have a problem.
  • Only 23% of organisations consider their DEX strategy ‘advanced,’ despite widespread investment.

Those numbers matter because they map directly to shadow IT, unmanaged endpoints, and blind spots in monitoring. Employees aren’t (usually) malicious; they’re trying to be productive. But friction in official tools and support channels pushes them into insecure territory.

Culture and workflow design

We could focus on tech stacks here – on fixing the problems that cause those tech interruptions. But if we go deeper, this is about culture. When we interviewed Michael Montoya (CISO at Equinix) he put the value of employee experience like this:

“To ensure a seamless security experience, the key is integrating technology and training for non-security employees that effortlessly align with their daily workflow, without friction.”

“Security becomes seamlessly designed into the business processes or workflow in the same way you don’t think about the airbags in your car – they have an unobtrusive yet crucial role in ensuring your safety.”

Montoya’s emphasis on culture and alignment echoes the Ivanti report’s warning: security teams can’t treat DEX as someone else’s problem. Poor workflows and fragmented tools create precisely the behaviours (like bypassing controls) that increase risk.

It’s a global challenge 

The DEX challenge is not confined to one geography. A 2025 workplace trend report from DLL suggests that hybrid work has made digital friction more visible. Tech must enable people to collaborate seamlessly across locations – otherwise frustration builds and productivity falls. 

Meanwhile, another 2025 report from Ivanti – this one about technology at work – shows that return-to-office mandates often clash with employee expectations for flexibility; and that perceived inflexibility harms trust in leadership, as well as having a negative impact on motivation. 

The common thread is that when people feel forced into workflows that don’t support them, engagement drops. And disengaged workers are more likely to cut corners.

Tool sprawl and the visibility gap

One of the most noteworthy Ivanti findings is that 74% of IT professionals report tool overlaps, but 63% say consolidation isn’t a priority. On top of that, only 32% use unified endpoint management. 

That level of fragmentation creates visibility gaps. If your team doesn’t know what devices are connected, what apps are being used, or where performance bottlenecks occur, it’s just not possible to reliably monitor for compromised tech. 

The automation opportunity

The good news is that solutions do exist. The report also highlights where organisations can take immediate, tangible steps. For example, around 40% of organisations haven’t automated password resets, even though repetitive requests still dominate help desks. 

Automating low-value IT tasks reduces cost and frees up staff – and it also reduces the chance that frustrated employees will try risky workarounds when they can’t get fast support.

Designing for people, not just systems

People will always find a way to do their jobs. If official tools and processes make that harder, they’ll find alternatives. From a security perspective, every moment of digital friction is therefore a point of risk.

Organisations need to focus their response on bringing culture, process, and design together to make it easier for people to do their jobs – without having to bypass security controls or tech processes. As Montoya said in that interview,

“CULTURE, CULTURE, CULTURE. The statement that culture eats strategy for breakfast remains tested and true.

“...it's about transforming mindsets and encouraging everyone to contribute to enterprise safety.”

That means:

  • Embedding security into workflows so it doesn’t feel like an obstacle.
  • Measuring employee experience as a security metric – not just a productivity one.
  • Rationalising tool stacks to improve visibility.
  • Automating repetitive support tasks to free employees (and IT staff) from friction.

Digital employee experience has become part of the security perimeter. Neglect it, and you create fertile ground for shadow IT, unsafe practices, and disengaged teams. Prioritise it, and you strengthen your organisation’s resilience.
