Just like water will always find a way through or around any obstacle, so will people find a way around any security measures you seek to implement.
You may think you have thought of the most foolproof method of managing your data, but as soon as you implement it and ride out the first wave of direct (and often blunt) feedback, people will start beavering away on ways to get around your processes.
Anybody who thinks otherwise is only fooling themselves and will be rudely awakened when a security or other serious data breach occurs.
The best way to remedy this and eliminate it as best you can is to create and reinforce an educative program that informs people of the reasons as to why you are having to implement these policies and not just labouring on the pitfalls of not adhering to your security policies.
As time consuming and labour intensive as it sounds, a period of open discussion and feedback sessions will alleviate some of the staff objections prior to drawing up your policies and generate an enormous amount of goodwill.
Everybody appreciates there needs to be some level of security, especially in heavily regulated or security conscious industries but nobody appreciates dictatorship levels of oppression when they are not completely necessary.
Simply saying it’s a disciplinary offence to not adhere to these policies without explaining them thoroughly first or taking an objectionable point of view on board will alienate you from the very people you are trying to protect.
We’ve all been asked by staff across the organisation if they can use third party file sharing services like Dropbox to share data etc. and had to refuse them on security grounds.
We all know they use these services (and you probably do as well) and trying to implement an internal, secure enterprise version of a similar technology is very time consuming to manage and expensive not to mention extremely difficult to secure.
Smaller companies with less advanced infrastructure will often use third party file sharing services as a low cost and logical extension to their infrastructure.
The security risk to their IPR is no less great than larger corporates but they thrive on the nimble and agile gain that using these services gives their businesses.
When new individuals join your organisation from these smaller and more agile business through acquisition or organic growth, they will quickly challenge any seemingly draconian procedures you have in place. They will challenge you that their agility and productivity is being stifled by these procedures with the very valid reason they are often brought in to disrupt your existing business working in precisely the way they need to.
We need to take on board these new types of people and the roles they perform, adapting the necessary rules and procedures to allow them to go about their business rather than stifling them with regulation.
This is challenging and a bit scary but as long as your security is not diluted too far, adapting to incorporate these new roles and working practices will show your willingness to change and adapt and will not go unnoticed across the organisation.
In the new arena of change and disruption, those who adapt will thrive and those that don’t…. Well, you know how that story ends.