Organizations have many challenges when it comes to cybersecurity, and one that is top of mind for many is striking the right balance between the usability of data and upholding the proper security of that data.
The truth is, for most employees, security is an afterthought—they just want to have access to the data they need when and where they need it, and get their jobs done. Most security measures, however, reduce the usability of data.
For example, access control lists prevent users from accessing information and can keep them from knowing that the data even exists. Encryption typically breaks real-time collaboration and search, and there’s nothing organizations can do about it. Search works by indexing information, so making that information available again is counterintuitive, as it defeats the whole purpose of protecting the data in the first place. Additionally, relying on employees to manage keys is like asking an employee to have a different password for every website—they just won’t do it.
So, how do organizations find the right balance when it comes to data security? Here are three tips to help organizations navigate this challenge:
1. Capitalize on employees’ willingness to participate in security – The good news is, most employees want to participate in their company’s security programs—if it doesn’t compromise their ability to do their jobs. This is the first step to ensuring your employees are all on the same page when it comes to your data security practices. Security training programs help make employees aware of their company’s security policies so they can make better, more informed decisions. In addition, making your company’s security strategy transparent makes it possible for an employee to know if they are compliant with policies or regulations. It also gives them the ability to provide feedback on areas that could improve things like usability.
2. Put some security power in the hands of employees – Organizations need to find the delicate balance between having employees make decisions about data protection and always automating that protection. For example, if an employee needs to send a sensitive file outside the organization via email, that data security process should be completely automated to ensure the proper protection is applied. Employees can claim to understand what rules apply to what data, but in the end, mistakes can be made. To avoid the exposure of sensitive information, this is an area where no chances should be taken.
However, employees can be given a bit more freedom when it comes to applying labels and classification to documents they believe contain sensitive information. Automation can be used to ensure the most sensitive of data is always protected, while users have the option to apply classification labels to less sensitive information if they deem it necessary.
3. Make sure users know they are participating in security – Raising employees' awareness that a data security practice is taking place is key. This dovetails with giving employees some power: if you’re giving an employee a choice, make sure there are a limited number of choices, then meet the user where they are. Using tools that provide visual indicators on applied protection and document classification, for example, helps alert employees to data security practices and gives them a chance to think about the choice more actively to ensure it’s the best one. It can also help remind them of the proper security practices.
Following these three strategies will help your organization not only adhere to data security practices, but also make sure that your employees are educated, empowered, and aware of the practices your company needs to adhere to. Additionally, for areas like encryption, organizations should use tools that ensure enterprise-wide encryption policies are easily adhered to and encryption doesn’t cause the organization to lose access to its own data.
Organizations should also manage keys for their employees and use tools that provide both the flexibility and security employees need to navigate data successfully and securely. And finally, being transparent about your security practices and expectations of those practices will no doubt help employees become stewards of security while also limiting the risks to your organization.
This article originally appeared in Help Net Security on July 8, 2021.