My parents were a bit crazy; they had three children in three years. With all of us so close in age the fighting was nonstop. And whenever there was a mess or something was broken, a chorus of "I didn't do it" followed. Then we'd all be punished. So what do my childhood antics have to do with data security? Everything.
Quick, Hide the Evidence
When mistakes are made or policies are not followed, people have a tendency to "hide" the event and try to clean up the mess on their own instead of alerting someone who could help mitigate a potentially bigger problem. Much like my siblings and me, employees often think, "What they don't know, won't hurt 'em." This is so not the case with data security.
Unfortunately, while consequences keep people accountable for bad actions, they also discourage reporting, which is critical to data security. I have seen this first-hand in many organizations, and I have learned that right from the start employees must know that covering up or failing to report an incident will result in even more severe penalties than whatever the initial problem or mistake was.
3 Ways to Make Your Data More Secure (and Discourage Hiding)
1. Make the leadership team role models for how to acknowledge mistakes.
- When I make a mistake (and I often do), I advertise it to my team instead of hiding it. I express that I am sorry and convey that I am far more interested in limiting the damage than I am in covering up. Mistakes are ultimately a learning experience for everyone; they give us an opportunity to minimize the chances of the same error happening again. What's more, if a mistake is out in the open, no one spends hours chasing a ghost problem that would be far easier to fix if we knew the cause.
- Managers, the buck stops with you. As the leader of my department I consider myself accountable for the actions of my entire team. When a problem or mistake occurs, I treat it as my own instead of publicly blaming or shaming someone. I handle corrections privately with the person who made the mistake; throwing someone under the bus is counter-productive and only leads to future "hiding" behavior.
- Other employees must avoid blaming and complaining, too. Do your customers want to hear a service person complaining that the IT department has made the computers slow, or caused some other problem? This is a negative behavior and is not good customer service.
2. Make it clear that mistakes will be tolerated—within reason.
- A "three strikes" rule might not be ideal, but employees should know that there are second chances. And new employees should feel like they can use experienced employees as a resource to check their work until they are comfortable. If I had a dollar for every mistake made because someone guessed instead of asking a question, I'd have...well, you know the rest.
3. Clean house if you need to. "Hiding" behavior can destroy organizations.
- I repeat, mistakes should be tolerated—within reason. When reason gives out, move to step #3. Occasionally it becomes clear that an employee remains more concerned about admitting mistakes (and keeps repeating them) than minimizing the damage to the organization. When you are working with sensitive data and confidential information, mistakes must be corrected, repairs made and behaviors modified.
- If the errant behaviors continue and the employee continues to hide and deny, it could be time to make a change. Ultimately you can't afford to take chances with your data security.
Data breaches are often caused by human error and are made worse by fear and non-reporting. Alleviating the fear up front and modeling good behavior go a long way toward keeping your data secure and your company's reputation intact.