MicroScope

Teach your staff to police themselves

  
By David Stanley

10 October 2008


Given that we are bombarded with stories about violation of security policies and termination of contracts, it is no wonder that as employees we are fearful of data – and the consequences of mistakes.

But it does not have to be this way. Yes, employees should take care of a company’s confidential data, but data leakage is not usually down to malicious intent. It is more likely that an employee did not understand the sensitive nature of the content of an e-mail or they were not aware the company had an e-mail security policy.

Take an induction programme for new employees, for example. Traditionally you put them in a room for a few days, bombard them with information on the company, the competition, the marketplace, how you do business, working conditions, sell them the benefits and tell them where the toilet is.

You probably also mention, albeit briefly, the “dos and don’ts” regarding company information, use of technology and assets. And then, they become a fully fledged member of your workforce. Then your company develops, grows, changes on a continual basis – and as a result, what is important to you can also change – but do you ever think about updating the employee base?

That is my bugbear – would it not make more sense to choose education rather than blame? It would result in fewer headline-grabbing stories and a workforce that knows exactly under which boundaries they operate as individuals, teams and departments.

They would also be comforted by the fact there is a development structure in place which continues their education as the business develops and grows. Naturally, organisations also have a requirement to create a successful marriage between policy and effective technology to ensure they can achieve this holy trinity.

Here is my challenge laid down to all CEOs within the UK. Take a coin, mark one side blame and the other education; now flip it into the air.

Make a choice – continue on the path of blame, or take the path of education by educating your employees right from the start on what is important to the business. Do not let them assume it: make it clear what is considered an appropriate action and what is not.

I am not advocating that deliberate data breaches go unpunished; rather, I am suggesting that the emphasis move towards education.

I would hope that companies will come to educate employees about the importance of data security rather than terminating them for e-mail violation.

This is not headline-grabbing stuff, I know, but it would show that companies recognise that people make mistakes and have processes in place to keep mistakes to a minimum.