Transformation resistance is a natural response
Change is uncomfortable and requires new thoughts and behaviors. It is very difficult for people to predict the actual situations they will face before the transformation happens, so it is easy for them to cling to the known situation instead of embracing the unknown. When an IT or data security team promotes an information security system, it is inevitable that it will encounter resistance and blockage from various departments. Compared with these human problems, technical details and operating procedures are the part most easily overcome.
Characteristics of data security system
There are many types of data security systems, and not every type is resisted by users. For example, a firewall or anti-virus software will not be resisted: for a user, such software is helpful and useful, its motive and purpose match, and generally there is no great problem. However, anti-leakage systems such as DLP and DRM may meet great blockages during promotion, because they have a certain impact on the users' work:
- Work habits are changed, causing inconvenience and affecting efficiency
This is one of the critical factors determining whether the introduction of the system succeeds. Every person has his or her own work habits, formed through long-term training and experience. Once such a process is changed, inconvenience is caused or smoothness is affected, resistance is certain to follow. For the sake of data security, business operation must also be considered and the impact must be minimized to an acceptable level.
- The user feels offended and the moral legitimacy is questioned
The main functions of a DLP system are monitoring, controlling and recording. The user's operations on the PC, program execution, website browsing, file operations and device connections are monitored to a certain extent. This makes the user feel offended, and the legitimacy of the company's deployment of the data security system is questioned. Moreover, now that GDPR has been adopted and enforced, employees pay more attention to the contents collected by the system. If the situation permits, every employee should be given an opportunity to discuss and provide feedback before the system is promoted. Management should disclose its data security policies and targets so that everyone understands their purpose, which reduces doubts.
- Planning of roles, rights and responsibilities is inappropriate
In the past, the IT department or the management department took full charge of promoting data security affairs, and no special roles were designed. Introducing an information security system is not only a matter of introducing the IT system; the relevant management measures and the setting of management roles should also be considered. For example, the IT department is responsible for system operation and maintenance, the management or data security department for policy development and review, and the auditing department for auditing the recorded contents. In practice, when the data security system is promoted, some data are not stored in the IT department's systems, and the finance and human resource departments do not agree to these data being accessed by unrelated personnel. Which role may inspect IM contents and records? X-FORT takes into account the management roles and their scope as well as the requirements of the auditing mechanism. For example, a certain administrator can assist the auditor in accessing the records, but the actual files are encrypted and cannot be opened until the password for auditing is provided.
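The separation of roles described above can be made concrete with a small model: records are sealed at capture time under a key derived from the auditor's passphrase, the administrator role can locate and export records but only ever sees metadata and ciphertext, and the auditor role supplies the passphrase to open them. The code below is an added illustration written for this page; it is not X-FORT's code and does not describe how X-FORT implements its auditing password. It uses only the Python standard library, so it relies on HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag instead of AES-GCM; the record contents, user names and passphrase are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

PBKDF2_ROUNDS = 100_000  # illustrative work factor for the passphrase-derived key


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn the auditor's passphrase into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=32)


def _subkeys(key: bytes):
    """Separate confidentiality and integrity keys, derived from the audit key with HMAC labels."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF-based stream cipher (stdlib only)."""
    blocks = [hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the tag covers nonce and ciphertext so tampering is detected."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def unseal(key: bytes, sealed: dict) -> bytes:
    """Verify the tag first; a wrong key or a modified record fails here, before any decryption."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext = bytes.fromhex(sealed["nonce"]), bytes.fromhex(sealed["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(sealed["tag"])):
        raise PermissionError("wrong auditing key or tampered record")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class AuditStore:
    """Hypothetical record store. It keeps no key: records are sealed when captured,
    so nothing the store (or its administrator) holds can decrypt them later."""

    def __init__(self, salt: bytes):
        self.salt = salt
        self._records = []

    def capture(self, auditor_key: bytes, user: str, kind: str, content: str) -> int:
        """Collection component: seal the content, keep only searchable metadata in clear."""
        sealed = seal(auditor_key, content.encode("utf-8"))
        self._records.append({"id": len(self._records), "user": user, "kind": kind, "sealed": sealed})
        return self._records[-1]["id"]

    def admin_export(self, record_id: int) -> dict:
        """Administrator role: may locate and hand over a record, but receives only ciphertext."""
        rec = self._records[record_id]
        return {"id": rec["id"], "user": rec["user"], "kind": rec["kind"], "sealed": dict(rec["sealed"])}


def auditor_read(exported: dict, passphrase: str, salt: bytes) -> str:
    """Auditor role: the auditing passphrase is the only thing that opens an exported record."""
    return unseal(derive_key(passphrase, salt), exported["sealed"]).decode("utf-8")


def demo() -> dict:
    """Walk one constructed record through both roles and report what each one can do."""
    salt = secrets.token_bytes(16)
    passphrase = "auditor-passphrase-example"  # constructed sample, not a real secret
    store = AuditStore(salt)
    rid = store.capture(derive_key(passphrase, salt), "alice", "im_message", "project budget draft attached")

    exported = store.admin_export(rid)
    admin_sees_plaintext = "project budget draft" in json.dumps(exported)

    try:
        auditor_read(exported, "not-the-auditor", salt)
        wrong_passphrase_opens = True
    except PermissionError:
        wrong_passphrase_opens = False

    tampered = json.loads(json.dumps(exported))  # an administrator altering the exported record
    body = bytearray(bytes.fromhex(tampered["sealed"]["ciphertext"]))
    body[0] ^= 0x01
    tampered["sealed"]["ciphertext"] = bytes(body).hex()
    try:
        auditor_read(tampered, passphrase, salt)
        tampered_opens = True
    except PermissionError:
        tampered_opens = False

    return {"admin_sees_plaintext": admin_sees_plaintext,
            "wrong_passphrase_opens": wrong_passphrase_opens,
            "tampered_opens": tampered_opens,
            "auditor_reads": auditor_read(exported, passphrase, salt)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the model is where the key lives: the passphrase-derived key is used only at capture time and by the auditor, never stored alongside the records, so an export performed by the administrator carries no more than metadata and sealed bytes. A production design would normally seal each record to an auditor public key (so the collector needs no secret at all) and use AES-GCM rather than the HMAC-based construction used here to stay within the standard library.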
Monitoring or protection?
To protect the interests of the company and its production outputs, it is indeed necessary to monitor all equipment and systems in the environment. Keeping evidence is a guarantee for both the employer and the employees. In the past, it was not easy to produce evidence from electronic activity records, and even when records were provided they did not necessarily have any effect. Records generated by the original system (such as the OS) are biased toward system activity and can hardly prove a correlation with the user's acts. DLP and electronic data monitoring systems address exactly these shortcomings. Might accurate user records be exactly what proves that you are innocent? To a certain extent, data security policies enforced by the system also prevent unintentional mistakes by the user that lead to leakage. This too is a protective measure.
The data security system is one of the management tools for implementing data security management, and to a great extent it focuses on the management of personnel. If everyone can be made to believe that their interests and objectives are consistent, that is of course optimal. The more realistic outcome is that only a scope acceptable to everyone can be negotiated; it is almost impossible to meet no resistance or pushback at all.