Taking a People-First Approach to Data Security

​Don't share your passwords. Sign out of your computer when you're away from your desk. Don't bring sensitive data home. Despite years of exhortations from IT and HR departments to encourage employees to take steps to protect data and systems, breaches still occur. Employees have heard the messages over and over again, yet still fail to heed them.

What are organizations doing about data security to achieve better results? 

"The increase in cyberattacks has concerned me and my organization a lot," said Michael Hammelburger, CEO of The Bottom Line Group, a business consulting firm in Baltimore. His company has had "multiple incidents where hackers attempted infiltrating our systems and accounts during this pandemic period," he said. "Most scammers are taking advantage of this period when people are vulnerable." 

The remote workforce has elevated concerns about data privacy risks.

Chrysa Freeman, security awareness and training senior program manager at Code42, said recent research conducted by the company shows that 63 percent of IT security leaders say remote workforces pose a greater risk to data. This is true for a variety of reasons:

• Home networks are less secure (cited by 71 percent of respondents).
• Employees do not follow security protocols as closely as they do when they're in the office (62 percent).
• Employees are likely to use a personal rather than corporate device (55 percent).
• Employees believe their organization is not monitoring file movements (51 percent). 

Tackling these issues in the workplace and newly remote environments is critical for organizations of any type and size, Hammelburger said. This involves a joint effort between HR, IT and the executive board to review policies and communicate with staff. "Employees are important in disseminating policy awareness to ensure that compliance organizationwide is observed."

Focusing on a Fix

Tackling issues of data security involve both technology and people solutions. However, people represent the greatest risk for data breaches, according to Verizon's 2021 Data Breach Investigations Report (DBIR), Freeman said. In fact, "85 percent of all data breaches involve the human element," she said. That percentage suggests that taking a people-first approach to data security can pay big dividends. But it must be the right approach to gain their attention, generate interest and lead to action.

There are some important things companies can do to achieve positive results.

Enlist employees as allies rather than potential enemies. Too often, employees are positioned as—or feel as though they are—the enemy when it comes to data security risks.

Freeman advised against taking an adversarial approach with employees. "Assuming employees want to steal IP or trade secrets pits security teams and employees against one another and has the potential to contribute toward unnecessary security-related stress," she said. Instead, she recommended that companies start by "presuming most employees are just trying to get their work done and that their actions come from a place of positive intent."

Ongoing training and communication should also focus on positioning employees "as security heroes rather than adversaries," she said. "Instead of just focusing on malicious data theft, educate your team on common ways data is unintentionally leaked to raise awareness and prevent it from happening in the future."

Make security a focus from day one. "As with your overall company culture, building a positive-intent security culture starts the first day a new employee comes to work," Freeman said. "Security procedures and etiquette should be baked into your onboarding process."

Heinrich Long, a privacy expert with RestorePrivacy based in Cheyenne, Wyo., said the best way to build a strong cybersecurity culture and ongoing awareness is by training employees on desired practices when they are first hired. "When employees have held the same position for years and are used to their way of doing things, they are much less likely to change their daily routine. A brand-new recruit is the best subject for change, as these cybersecurity measures easily become part of their new routine."

Personalize the message. It's important for companies to carefully consider how they train, educate and communicate with employees about data security issues, said Todd Ramlin, manager of Cable Compare, an e-commerce company. After all, data security is not inherently interesting for most people.

To make the training more effective, Ramlin said, he tries to personalize it. "Personalizing training messages to their company role, knowledge level and interest in cybersecurity makes it more engaging and motivational," he explained. "Everyone learns in their own way, so I try to incorporate a variety of training methods and communication tools."

Personalizing the message can also mean helping employees understand the "what's in it for me" part of the message. "You can try to emphasize the importance of adherence by making the whole process personal and demonstrating how cybersecurity not only impacts their work life but their own personal lives as well," said Eden Cheng, founder of WeInvoice, a software company.

"For instance, you can emphasize how a security breach upon your enterprise can heavily affect their bank accounts and direct deposits," Cheng suggested. "You can also discuss how a cybersecurity breach can negatively impact a company's stock price, which in turn can have serious repercussions in terms of employee salaries or job retention."

Make it fun. This may seem like an oxymoron—can data security education really be fun?—but experts say it works.

"Instead of presenting the security training and best practices in a typically dry, mind-numbing and ineffective way, I try to make it fun for my people," Ramlin said. "I use gamification to make security training more appealing. It really gets employees engaged, connected and concentrating on the training."

Cheng suggested considering incentives for employees, including cash rewards. "Offering a cash reward for those who pass a security test is a big motivator and will make them remember all the security lessons they have been taught," she said.

"Make it a competition," suggested Tom Kirkham, founder and CEO of IronTech Security. "We score employees from high to low while using fun and unique usernames," he said. "Weekly quizzes and phishing e-mail simulations will generate a score ranging from the weakest to the strongest employee."

By using the scores to identify where their weakest links might be, IT, HR and other organizational leaders "can turn your weakest link into your strongest defense," Kirkham said.

Keep the conversation going. Data security isn't something that should be addressed only upon hire, once a year or when risks emerge. It should be part of an ongoing, organizationwide conversation.

In addition to using "in the news" examples of the massive impact breaches can have, companies should rely on the communication channels that employees already use, said Jenn Behrens, partner and executive vice president of privacy at Kuma LLC, a global privacy and security consulting company in Bristow, Va.

"The traditional watercooler chitchat has morphed into online messaging apps, such as Slack, which have become increasingly used by the work-from-home workforce to exchange information quickly, check in on each other, share organizational updates, post pictures of pets working next to us and more," Behrens said. This represents an opportunity, she said, to "take advantage of the prevalence of such tools by creating channels that focus on privacy and security topics." 

Lin Grensing-Pophal is a freelance writer in Chippewa Falls, Wis.