Guest Column | August 27, 2015

How To Balance The Tech Side And The Human Side Of Data Security

By Cam Roberson, Director of the Reseller Channel for Beachhead Solutions

When it comes to a business’s data security strategy, it’s still a huge challenge to protect workers from their own carelessness, poor decision-making, and (occasionally) even their maliciousness, while also staying out of their way so that data security doesn’t become a cumbersome burden that harms productivity and leaves them irritated. Striking this balance is no easy task, but it’s a critical one for most companies that can’t afford to sacrifice too much worker flexibility for obtrusive security protocols, or vice versa. The goal, then, is for employees to be functionally unaware of the security apparatus at work and, at the same time, completely (or, more accurately, more completely) secure.

The data security threats presented by normal human behavior are more varied than one might initially think, and even the best of intentions can precipitate a costly data breach. Companies suffering these data breaches are then not only exposed to legal repercussions for failing to secure data they are often obligated to protect, but they also must endure damage to their reputation and the stigma of failing to safeguard their customers’ privacy (we’ve probably all gotten at least one mass email from an apologetic CEO explaining how our personal data got out). And, while cyberattacks involving hackers pilfering data over networks make the headlines more often, data breaches caused by the loss or theft of personal devices (those in the care and responsibility of individual workers) represent the lion’s share of data incidents across many industries. A case in point: the 2014 Healthcare Breach Report by Bitglass found that 68 percent of all healthcare data breaches were due to device loss or theft, with less than a quarter being the result of hacking.

The basic human factors in many of these instances are the carelessness (or efficiency, to put it positively) of workers in safeguarding data, and the greed of today’s data thieves. In our new bring-your-own-device workplaces, employees often have sensitive data accessible where it’s most convenient to them: on laptops, phones, tablets or USB drives they carry with them. This is efficient and generally perceived as good for productivity, but it quickly becomes a thorny issue when those devices aren’t properly secured. We’ve seen, on multiple occasions, USB drives carrying sensitive data with the passwords to access them written right on them in magic marker (enabling the magic trick of a whole lot of sensitive data disappearing). It’s common enough for data breaches to begin with an employee leaving an unsecured laptop in their car at night; when this happens it’s often the data and not the stolen hardware that is most valuable. There are also those cases that blur the line between carelessness and maliciousness, like last year’s case where Coca-Cola was hit with a data breach after an employee borrowed 55 work laptops. You know, to get some work done.

Employee training is incredibly valuable in educating workers on proper device and data security practices, such as not leaving devices unattended once credentials have been entered, and practicing proper password management (pro tip: don’t write it on the device). IT security tools such as passwords and data encryption can’t save the day in every situation, though, and it’s certainly advantageous if employees are motivated to act as effective caretakers of the data in their custody. But in the end, it’s most important that companies support workers by taking the responsibility for data security out of their hands, something usually done through data controls that can be implemented remotely. Companies need the ability to delete sensitive data from compromised devices and to revoke users’ access when credentials are compromised (either because login information has been stolen or an employee has gone rogue). The best policy is to remove access for employees and contractors when they leave the company for whatever reason, and companies need the tools to stop access and remove data from ex-employees’ own personal devices as well.

Workers will naturally seek every opportunity to be efficient in getting work done, to the point of letting security fall by the wayside. But in this behavior, workers must be respected: if security methods are overbearing and put the brakes on employees trying to accomplish their actual goals, they’ll never stop looking for a workaround. The right way to reconcile the need for data security with the human needs of employees is to implement security that steps so lightly it’s invisible, while ensuring it’s powerful enough to be effective, and training employees to understand why data security is so critically important.

Cam Roberson is the director of the reseller channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.