Is end user training essential to data loss prevention program success?

The EU General Data Protection Regulation (GDPR) has certainly revived interest in data loss prevention (DLP): The compliance rules are expected to drive 65% of DLP buying decisions through 2018, according to a Gartner report.  

But for organizations implementing a data loss prevention program, it is paramount that the infosec team provides training to both execs and end-users about the benefits of such a program, according to Mohammed Lazhar, head of global security and compliance at Wolters Kluwer.

"From an end-user perspective, we are using tools that will engage them and teach them about spam and how to avoid spam, and with management it is [about] how you actually think from the security mindset without being a security specialist," Lazhar said during a panel discussion on DLP best practices at the recent Argyle CISO Leadership Forum.

In this ATE, he details the training initiatives his organization has used to ease adoption of its data loss prevention program.

Editor's note: The following transcript has been edited for clarity and brevity.

How do you train people on DLP?

Mohammed Lazhar: The challenge with DLP is that historically, it has been approached more from a technology perspective. It's really more people and process than technology, and the people side is obviously the users. You can actually pick scenarios from the tools or from the monitoring capabilities that you have and teach users how to avoid those specific scenarios. But if you continue to do the same thing and continue to monitor, then it's not a model that will scale very well.

You can actually pick scenarios from the tools or from the monitoring capabilities that you have and teach users how to avoid those specific scenarios.

There's clearly a malicious aspect to an insider threat, and that's not something to be overlooked or neglected. But in general, 80% of the users are accidentally sending information. We try to use scenario use-cases to actually teach and inform users so they can avoid those accidents, and we figure out an alternate solution for people to share information.

Training about the importance of protecting certain types of data, and the risk and the impact of that data being exposed or leaked, is also a technique that allows the employees or users within the organization to be part of the solution. It helps them understand that they are not being dictated to or being forced to take an action. They then stop seeing the data loss prevention program as an inconvenience.

We actually did what we call roadshows last year. We had workshops and presentations where senior leaders were displaying slides and educating the communities within the organization about the value of security and data protection, and the importance of the user's role both at home and at work.

The importance of that was actually the feedback that we got from the users. We are trying to incorporate some of that feedback because the users don't understand why you are asking them not to do something, and in some cases they are just desperate for automation and for tools to help them. Instead of just focusing on DLP, we are really trying to focus on how we can solve that problem. I think by solving that problem, you are really solving the DLP issue.