Is end user training essential to data loss prevention program success?

Regulations like the GDPR promise to enforce stricter data protection rules. While a data loss prevention program can help, it requires end-user training to ease adoption.

The EU General Data Protection Regulation (GDPR) has certainly revived interest in data loss prevention (DLP):...

The compliance rules are expected to drive 65% of DLP buying decisions through 2018, according to a Gartner report.

But for organizations implementing a data loss prevention program, it is paramount that the infosec team provides training to both execs and end-users about the benefits of such a program, according to Mohammed Lazhar, head of global security and compliance at Wolters Kluwer.

"From an end-user perspective, we are using tools that will engage them and teach them about spam and how to avoid spam, and with management it is [about] how you actually think from the security mindset without being a security specialist," Lazhar said during a panel discussion on DLP best practices at the recent Argyle CISO Leadership Forum.

In this ATE, he details the training initiatives his organization has used to ease adoption of its data loss prevention program.

Editor's note: The following transcript has been edited for clarity and brevity.

How do you train people on DLP?

Mohammed Lazhar: The challenge with DLP is that historically, it has been approached more from a technology perspective. It's really more people and process than technology, and the people side is obviously the users. You can actually pick scenarios from the tools or from the monitoring capabilities that you have and teach users how to avoid those specific scenarios. But if you continue to do the same thing and continue to monitor, then it's not a model that will scale very well.

There's clearly a malicious aspect to an insider threat, and that's not something to be overlooked or neglected. But in general, 80% of the users are accidentally sending information. We try to use scenario use-cases to actually teach and inform users so they can avoid those accidents, and we figure out an alternate solution for people to share information.

Training about the importance of protecting certain types of data, and the risk and the impact of that data being exposed or leaked, is also a technique that allows the employees or users within the organization to be part of the solution. It helps them understand that they are not being dictated to or being forced to take an action. They then stop seeing the data loss prevention program as an inconvenience.

We actually did what we call roadshows last year. We had workshops and presentations where senior leaders were displaying slides and educating the communities within the organization about the value of security and data protection, and the importance of the user's role both at home and at work.

The importance of that was actually the feedback that we got from the users. We are trying to incorporate some of that feedback because the users don't understand why you are asking them not to do something, and in some cases they are just desperate for automation and for tools to help them. Instead of just focusing on DLP, we are really trying to focus on how we can solve that problem. I think by solving that problem, you are really solving the DLP issue.

This was last published in February 2018
