Q: My technicians monitor massive amounts of sensitive data and have access to multiple high-security clearance networks. How can I track them without creating an atmosphere of mistrust?
MSP technicians are the guardians of the galaxy when it comes to data security. So, the question you are asking is: how do you guard the guardians? And how do you do it without undermining your MSP’s working environment?
These are the right questions to be asking. With such an acute global shortage of tech talent, you want a work atmosphere that is pleasant and devoid of internal strife. No one wants to work in an atmosphere of suspicion and finger-pointing. Still, with data being more valuable than ever, there needs to be more stringent safeguards in place to protect it.
To better understand this balance of security and trust, Smarter MSP reached out to Dr. Jack Walters, professor of management at Dakota State University. Walters has a fairly extensive human resources and management experience and has studied the nexus of data security and ethics.
You may think that the answer to achieving MSP harmony should be technical, but it is more about focusing on the human aspects of it. Whether you are an MSP, a tech start-up, or a corner grocery store, the basic human principles are the same.
“It boils down to human decision making,” Walters says. People want to be valued and trusted.
Fostering an atmosphere of trust
Fortunately, there are some steps MSP owners can take to foster an atmosphere of trust while still keeping data safe.
Explain your intentions first: The sooner you inform your staff about the nature of security protocols involved in their work, the better, Walters shares.
“It is much easier to do this first rather than hiring someone and putting in security protocols afterwards. Doing that causes all kinds of uncomfortable feelings,” Walters explains. However, having a system of checks and balances in place from the beginning, makes the rules second nature. Walters isn’t a big fan of having a bunch of security cameras monitoring employees. Instead, he recommends using other less intrusive monitoring methods and building an influential company culture.
Leverage preset regulations: Walters points out that many rules about data protection are also laws. “You strengthen your case by telling people you are following the law,” Walters shares.
For instance, if technicians have access to sensitive medical data, you can put safeguards in place, not because you don’t trust them, but because HIPAA mandates it. Or you can electronically monitor technicians’ access to various financial data points because some regulatory laws state that it has to be done. Technicians won’t feel violated or mistrusted if your extra steps are implemented to stay legally compliant.
Work towards preventative measures rather than punitive: Walters says that employees should be told that high-security checks protect everyone and the best internal security is preventative, not punitive.
“The best thing is not to catch people after they have done it, but to prevent it beforehand,” Walters says.
A robust internal security program should be pitched to employees not as something to “catch” someone doing something wrong. Instead, it can show what an employee didn’t do. A sound, controlled system works to their benefit and creates avenues of exoneration if there is a conflict or question.
Create a company culture: What are your MSP’s mission and values? Is it speedy service, integrity, or affordability? Whatever it is, embrace it, make a mission statement, and repeat it often. Walters says that if your MSP’s stated mission is that you don’t ever mess with a customer’s data, never reveal it, and never misuse it, then keep repeating that message.
Creating a company culture can take time.“It is not something that can be done quickly, and involves a shared understanding among everyone,” Walters explains, adding that developing a company culture can take years. To be successful, everyone in the company needs to do the same things — from management down to the employees.
In the case of mishandling data
If a technician is caught mishandling data, then a variety of factors come into play as to how the situation could be handled. “That is a company decision. It depends on what the employee’s track record is, how long they have been there, and whether the incident was accidental or intentional, and whether it was a common mistake,” Walters explains.
Just like it is important to lay out security procedures ahead of time, it is equally important to lay out a road map of consequences for missteps.The key is to not forget humanity amid the technology. The one thing that hasn’t changed in the age of IoT, 5G, and SaaS, are humans.
“Technology is getting better and better, but how the people behave who are using it hasn’t changed at all,” Walters says.
Photo: Chinnapong / Shutterstock.