
Afraid of data breach? Locking everything may not be the answer.

With “cloud first, mobile first” and news of data breaches becoming routine, company owners are more and more sceptical when they realise that what we call their “digital company assets” could be available to external users in just one click. I am often asked this question by my clients: “Can I lock it down so that nobody can share externally?” So I thought it was worth a bit of a braindump from my experience.

The answer may not be the simplistic one of locking everything down and opting for an ivory-tower policy!

Turning off all external sharing for users may be a short answer to a problem of trust. But they will need to share with external partners and customers, so... trust me 😉 they will find other ways to share, and then it will be even more disastrous if that data is duplicated outside the business’ environment and gets into the wrong hands.
What happens when a child is forbidden to play with fire without being taught the reasons? He will burn himself with something else!
Some 4 years ago, I recall speaking at a SharePoint conference, and we were already predicting to customers that in the next decade what we call “end-users” will not be just users but “data agents”. With the reinforcement of personal data protection in Europe this year, every business owner without exception should now be aware that these new users even have a specific title: data processor or data controller.

Trust vs. training.

Users can make mistakes, they are human! But (unless it is deliberate mischief) they cannot be blamed if they have not been trained on how to use the tools that are available for doing their work.
You mean sit in a training room?!

Training can take several forms

Training nowadays is not just the classic day-long session listening to a trainer explaining a tool where 70% of it does not apply to the user’s work. It can be classroom training, but it can also take different forms:
  • workshop activity to define what the user’s tasks are and can be with the tool
  • brainstorming on what a tool is for and what it is not for
  • group demonstration
  • one-on-one remote screen sharing by the “IT Guy”
  • and my favourite: have a “Power user” (the champion who has used the tool a lot in the business) organise breakfast or lunchtime sessions showing how they use the features and warning about pitfalls.
All these activities need to be suggested, if not coordinated, within the deployment plan of the tool, otherwise they may not happen at all.

What to do for sharing the right way?

  • Let your users share, but restrict what can be shared
  • Publish clear rules for sharing and how to report when it goes wrong (i.e. part of the organisation’s data governance)
  • Train staff on how to share and what to share
  • Define the governance in detail, apply it but also have the power to action it when it is not respected
  • Examples of automated rules include:
    • enforce an expiration time on all sharing
    • allow sharing to only certain domains
    • allow sharing to only certain IP addresses
    • allow sharing of only some sites and not others
  • And finally, review reports on sharing regularly!
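
The four automated rules listed above, expressed with the SharePoint Online Management Shell. This is an added example, not part of the original post; every URL, domain, IP range and day count in it is a constructed placeholder to be replaced with values from your own governance document.

```powershell
# Added example. Tenant name, site URLs, domains, IP range and durations are
# constructed placeholders, not recommendations.
$AdminUrl   = 'https://contoso-admin.sharepoint.com'
$OpenSite   = 'https://contoso.sharepoint.com/sites/partner-projects'
$LockedSite = 'https://contoso.sharepoint.com/sites/finance'

Connect-SPOService -Url $AdminUrl

# Let users share, but only with guests who sign in (no anonymous links).
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Rule 1: expiration. Guest access lapses unless someone renews it.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 90

# Rule 2: only certain domains (the list is space-separated).
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example customer.example'

# Rule 3: only certain IP addresses. This is a tenant-wide network location
# policy, so it applies to staff as well as guests. Populate the allow list
# first and include the range you are connecting from, otherwise turning on
# enforcement locks the administrator out too.
Set-SPOTenant -IPAddressAllowList '203.0.113.0/24'
Set-SPOTenant -IPAddressEnforcement $true

# Rule 4: only some sites. A site can be stricter than the tenant, never looser.
Set-SPOSite -Identity $OpenSite   -SharingCapability ExternalUserSharingOnly
Set-SPOSite -Identity $LockedSite -SharingCapability Disabled

# Regular review: list every site where external sharing is still possible.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object SharingCapability, Url
```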
Office 365 has some great features to configure and monitor sharing, for instance using activity alerts when permissions have been loosened, but I am more in favour of using a third-party tool such as ShareGate. At Paperblade, we talk to business owners about how to make the most of current technologies at the lowest cost and in the most secure, reliable and responsible manner. Governance and sharing policies are an integral part of it.

What do you think?

My views are not set in stone and I do not believe that there is only one correct way, so please comment below or speak to me to bounce an idea or start a debate.