Reducing data risks through employee engagement

Data security is not new, but the threat vectors introduced through remote working have changed. In a nutshell, there has been a drastic transformation in end-user behaviour, which is expected. I have seen various organizations address this situation differently, and in some cases we seem to be penalizing employees for innocent actions. This opens up an important debate: "Is a rigid security model in the best interest of an organization?"


I came across an interesting article from Brigette Hyacinth, "Employees don’t leave Companies, they leave Managers", and a security strategy should be seen in a similar context. We need to ensure that people are not bothered or impacted to an extent where they avoid day-to-day tasks, which is a detrimental outcome for any organization. A security strategy must be people-friendly and engaging, and below are a few recommendations for mitigating data loss risks:

- Risk notifications: It is strongly recommended to use friendly and informative notifications that tell employees when they have violated a security policy. This ensures that users are aware that something must be done differently, while they continue to have a positive sentiment towards the organizational culture.
- Security awareness training: You may consider developing suitable security awareness training for each data-specific policy, and users with multiple violations may be assigned to the respective training. This serves as a deterrent to end users, and I have had significant success in reducing the risk volume with this approach.
- Blocking: This should be the last resort, once the volume of data loss incidents has dropped drastically. Employees hate to see a drastic change made overnight, but find themselves in a much more comfortable position when these changes have been communicated and implemented over time (with appropriate alternatives in place).

We are directly or indirectly managing the way people work, and the idea is to envision ourselves as not just security practitioners but also people managers. This approach will facilitate security as well as a positive experience for employees, which is the best possible outcome for any organization.


Published: 28th February, 2021
Author: Denis Kattithara 
