During the 2020 UK lockdown, securing cloud platforms like Google Drive and Microsoft 365 became crucial. A recent roundtable by Metomic discussed balancing security with productivity, focusing on strategies like data labeling and fostering a security-first culture to protect data without restricting employees.
When the UK entered lockdown in 2020, businesses faced an urgent challenge: enabling employees to work remotely while keeping corporate data secure. IT and security teams at every level had to make fast decisions to balance productivity with security.
Many organisations successfully navigated this shift, but as discussions continue about employees returning to the office, new security concerns arise. The focus is now on securing cloud-based platforms like Google Drive and Microsoft 365 without introducing unnecessary restrictions. This challenge was the subject of a recent RANT roundtable, aptly titled "How to Strengthen Security Without Locking Down Your Employees."
ââSponsored by Metomic, the discussion was led by its CTO and co-founder Ben van Enckevort, who emphasised a key concern: the risk of overexposing data. Companies want to be agile, securing their data without creating obstacles that hinder employees from doing their jobs.
However, as businesses adopt more cloud-based tools, security risks evolve. For example, one participant said they were moving back to Google from Microsoft, as the latter âwas horrible.â This shift underscores a broader challenge: ensuring security across SaaS platforms without introducing unnecessary friction.
One potential solution is data labeling or tagging, a method of identifying sensitive data to prevent leaks. Van Enckevort explained that assigning a virtual âtop secretâ label to critical data helps employees recognise what must be protected. This approach empowers employees without restricting their ability to work efficiently.
The roundtable participants agreed that outright blocking emails or restricting collaboration should be a last resort. Instead, organisations should focus on understanding data contextâwhere it resides, how itâs used, and its level of sensitivityâbefore enforcing controls.
A key discussion point was the ease of making changes in SaaS environments. While flexibility is a benefit, it also introduces security risks. Google Workspace, for example, allows seamless collaboration with remote teams, but without proper visibility and data labeling, sensitive information could be exposed.
Participants also debated how to handle employees bypassing security controls. Rather than focusing on the small percentage who will always find a workaround, companies should prioritise security measures that support the majority of employees who want to do the right thing.
The concept of trying to âcatch someone determined to work aroundâ the controls being put in place was discussed, as a participant said that there is little benefit to spending effort trying to stop the âone percentâ who are the problem, when â80-90% are doing the right thing, the one percent will do it regardless so why worry.â
Beyond intentional policy violations, accidental data leaks are also a major concern. One participant noted a shift toward cultural change in security, where security teams meet employees where they are, rather than imposing rigid, impractical rules they can foster a security first culture and build a strong human firewall across the organisation.Â
Van Enckevort observed that organisations are increasingly implementing systems to catch accidental slip-ups. However, participants agreed that security awareness training alone isnât enoughâtrue progress comes from fostering a culture where security is an ingrained practice, not just a compliance requirement.
Another concern raised was the risk of over-securing data, which could make employees hesitant to share information at all. One participant suggested a "need-to-know" approach, keeping employees informed but avoiding unnecessary stress about data handling.
Some organisations take a different route, classifying all data as sensitive to simplify security controls. While this approach eliminates the complexity of segregating data, it also places heavier restrictions on how employees collaborate.
Other key topics included the risks associated with browser plugins, especially in collaboration tools, which one participant described as a âdisaster waiting to happen.â Another pointed out that once data access is granted, a breach is often inevitable.
Ultimately, securing SaaS tools is a delicate balancing act. Employees need the freedom to work efficiently, but businesses must also protect against both accidental and intentional security threats. In todayâs cloud-first world, security and productivity must go hand in handâand the right strategy can make that possible.