Recent reports have revealed a high number of data breaches from city, borough, metropolitan and county councils.
According to a study led by privacy campaign group Big Brother Watch, local authorities recorded 4,236 data breaches during a three-year period from April 2011. Letters sent to the wrong address, laptops and smartphones left on buses and trains, and employees clicking on spear-phishing links are only a few examples of the lax attitude of employees towards data security.
And why is it councils that are appearing as frequent culprits? People who work in councils are not inherently lazy, negligent, or careless. There must be more serious problems regarding the attitude toward the issue of data security.
Perhaps it’s a question of employee motivation linked with employer engagement.
The question of motivating staff to do their best work, consistently, has always been an enduring challenge for executives and managers.
The philosophical dilemma surrounding employee motivation is the carrot or stick approach.
The 20th century was the time of Fordism, with Henry Ford, the founder of the Ford Motor Company, believing that a five-dollar, eight-hour day was enough to secure worker compliance on the highly productive assembly-line system. This carrot or stick approach worked well for unchallenging tasks when processes were straightforward and lateral thinking was not required.
But jobs in the 21st century have changed dramatically and so has the attitude to compliance. Employees are more self-governing, self-reflective, and skeptical about what they are doing and why they are doing it.
But are employers doing enough to foster these qualities and motivate staff to maintain the necessary levels of compliance? How do we remedy this situation? How do we ensure that employees are constantly compliance-aware and motivated to protect the information they work with every day?
When challenged about compliance, board-level executives talk about introducing fines or other regulatory practices, or even going as far as threatening custodial sentences.
But compliance is about being proactive rather than reactive.
The ideal compliance leader should start by clearly articulating why the company's compliance goals are important. Employees need context to comprehend what and why they are doing something. Avoid jargon.
It’s also crucial to make sure that employees feel comfortable approaching leaders in their organisation with any concerns they have. It is by creating these bonds through open conversations that we then build strong relationships and motivate employees to feel that they are playing an essential role in defending the organisation and its clients.
And finally, having the technology in place that supports staff by helping them to acquire the necessary skills to be compliant and deal with sensitive client data in the appropriate manner is essential. The right compliance software can automate tasks, communicate new compliance strategies, and gather evidence of compliance (or non-compliance) in the case of a data breach or external audit.
The answer to the recent council attacks might be a more sophisticated carrot or stick approach that does not simply threaten employees with penalties and punishment, but strives to understand what motivates each member of the team to do their job accordingly and personalises the compliance strategy to reduce the risk of data breaches and create a sustainable compliance culture.
Data protection starts at the top: business leaders need to engage with and educate employees to be compliance-aware.