Last week I posted about the difficulty of balancing data security against the right of our users to control their own IT assets, the closing question being “how do we balance the users’ needs with our responsibility to ensure their data is secure?”
I’m convinced that education is a key element to getting this balance right, and when I thought about it, I realised it was simple.
I know how to explain best practice data handling to any user.
Data = Money
Think about it:
- People look after their money
- They keep their money in a special safe place, with several safeguards to ensure it’s protected
- They think carefully about how they transmit their money
- They wouldn’t give their money to strangers
- They only carry around the money they need, and everything else is kept in a safe place
- If they access their money they expect to be authenticated in some way
- They recognise the value of their money
If you replace ‘money’ with ‘data’ then you have a far more responsible user, who is aware of the value of their data, and wants to protect it. If they still aren’t buying the metaphor you can explore it further:
- If you lose data which is critical to your institution (design schema, software code) then you may face disciplinary action and the institution may incur a cost to recover that data
- If you lose data which is covered by the Data Protection Act, your institution is likely to face financial penalties, and you could well lose your job
- If you lose research data, you have to do the research again, and you’re unlikely to get funding for the same research twice
- Some research funders actually require specific data management steps in order to qualify for funding
In a very real way, data IS money; it’s not just a neat metaphor.
If you can get this fundamental principle across, that only leaves the task of making sure users know where their data is. This is a barrier which I’ve come across before: people don’t understand the implications of actions they take on their PC.
How do we tackle this knowledge gap?
This is where the education comes in. If your users want to protect their data, and they recognise that it is their responsibility, then they’ll start getting interested in the “how”. There are two areas in which you can tackle the knowledge gap, each working with the other.
- Induction documentation (a ‘welcome pack’) is a good start, and should cover the fundamentals
- Online documentation covering best practice
- FAQ or Knowledge Base to help address questions
- Induction training, face to face or over the phone
- ‘Drop In’ sessions where anyone can come and ask questions
- Helpdesk training, making sure people call the Helpdesk if they have a question or issue, and making sure Helpdesk staff take every opportunity to communicate best practice and its benefits
If you can build up these two areas you are constantly tackling the knowledge gap every day. The users who miss induction and don’t attend drop in sessions can still benefit indirectly from this process by cross-training between users in the same department. The training should always encourage users to talk to each other and share best practice.
Help users to help themselves
Education of users on its own doesn’t solve the problem; some won’t attend training or read the documentation, and sometimes people just forget. This is where configuration management and reporting come in, making it easy for the user to get it right, and harder to get it wrong.
- Configure client systems such that any well written software will always choose a network location as its default “Save As” location
- Configure applications as far as possible to choose to save data to network locations by default
- Make sure the places users commonly use to save data are redirected to network locations or backed up
- Change the default permission set to make it harder to save data to the local drive
- Where saving to network locations is impractical, make sure local data is backed up
- Use data reporting to spot where users aren’t using their network drives so you can investigate
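
As an added illustration of the last two points (this is not code from the Computing Service), the sketch below turns a usage inventory into a short list of users to follow up with. The input layout, the sample figures and the two thresholds are all assumptions; local data that is already backed up is deliberately not counted against the user.

```python
from collections import defaultdict

# Constructed sample data (not from a real site). LOCAL_USAGE is one row per
# user per machine: (user, host, bytes in local save locations, backed up?).
LOCAL_USAGE = [
    ("asmith", "PC-0101", 150_000_000, False),
    ("bjones", "PC-0102", 42_000_000_000, False),
    ("cpatel", "LAPTOP-07", 18_000_000_000, True),
    ("dnguyen", "PC-0103", 6_000_000_000, False),
    ("dnguyen", "LAPTOP-11", 500_000_000, False),
]
# Constructed: bytes each user holds on their network home drive.
NETWORK_USAGE = {"asmith": 9_000_000_000, "bjones": 0,
                 "cpatel": 2_000_000_000, "dnguyen": 1_000_000_000}

# Assumed thresholds; tune them to your own environment.
MIN_UNPROTECTED_BYTES = 1_000_000_000   # ignore small amounts of local data
MAX_UNPROTECTED_SHARE = 0.5             # at-risk fraction of a user's data


def users_to_investigate(local_usage, network_usage,
                         min_bytes=MIN_UNPROTECTED_BYTES,
                         max_share=MAX_UNPROTECTED_SHARE):
    """Return findings for users whose data is mostly local and not backed up."""
    unprotected = defaultdict(int)   # user -> local bytes with no backup
    hosts = defaultdict(list)        # user -> machines holding those bytes
    for user, host, local_bytes, backed_up in local_usage:
        if backed_up:
            continue  # local data covered by backup is acceptable
        unprotected[user] += local_bytes
        hosts[user].append(host)

    findings = []
    for user, at_risk in unprotected.items():
        on_network = network_usage.get(user, 0)
        share = at_risk / (at_risk + on_network) if at_risk else 0.0
        if at_risk < min_bytes or share <= max_share:
            continue
        reason = "network drive unused" if on_network == 0 else "mostly local"
        findings.append({"user": user, "at_risk_bytes": at_risk,
                         "share": round(share, 2), "hosts": sorted(hosts[user]),
                         "reason": reason})
    # Largest exposure first, so the helpdesk knows who to contact first.
    return sorted(findings, key=lambda f: f["at_risk_bytes"], reverse=True)


if __name__ == "__main__":
    for finding in users_to_investigate(LOCAL_USAGE, NETWORK_USAGE):
        print(finding)
```
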
Those areas (education, configuration management and reporting) will form a significant chunk of my work for the next 3-6 months as we look to improve usage of our data storage facilities here at the Clinical School Computing Service. If I come across any particularly effective solutions I’ll post them here.