When the UK entered lockdown in 2020, businesses faced an urgent challenge: enabling employees to work remotely while keeping corporate data secure. IT and security teams at every level had to make fast decisions to balance productivity with security.

Many organisations successfully navigated this shift, but as discussions continue about employees returning to the office, new security concerns arise. The focus is now on securing cloud-based platforms like Google Drive and Microsoft 365 without introducing unnecessary restrictions. This challenge was the subject of a recent RANT roundtable, aptly titled "How to Strengthen Security Without Locking Down Your Employees."

​​Sponsored by Metomic, the discussion was led by its CTO and co-founder Ben van Enckevort, who emphasised a key concern: the risk of overexposing data. Companies want to be agile, securing their data without creating obstacles that hinder employees from doing their jobs.

However, as businesses adopt more cloud-based tools, security risks evolve. For example, one participant said they were moving back to Google from Microsoft, as the latter “was horrible.” This shift underscores a broader challenge: ensuring security across SaaS platforms without introducing unnecessary friction.

A Smarter Approach to Data Security

One potential solution is data labeling or tagging, a method of identifying sensitive data to prevent leaks. Van Enckevort explained that assigning a virtual ‘top secret’ label to critical data helps employees recognise what must be protected. This approach empowers employees without restricting their ability to work efficiently.

The roundtable participants agreed that outright blocking emails or restricting collaboration should be a last resort. Instead, organisations should focus on understanding data context—where it resides, how it’s used, and its level of sensitivity—before enforcing controls.

The Challenges of SaaS Security

A key discussion point was the ease of making changes in SaaS environments. While flexibility is a benefit, it also introduces security risks. Google Workspace, for example, allows seamless collaboration with remote teams, but without proper visibility and  data labeling, sensitive information could be exposed.

Participants also debated how to handle employees bypassing security controls. Rather than focusing on the small percentage who will always find a workaround, companies should prioritise security measures that support the majority of employees who want to do the right thing.

The concept of trying to “catch someone determined to work around” the controls being put in place was discussed, as a participant said that there is little benefit to spending effort trying to stop the ‘one percent’ who are the problem, when “80-90% are doing the right thing, the one percent will do it regardless so why worry.”

Beyond intentional policy violations, accidental data leaks are also a major concern. One participant noted a shift toward cultural change in security, where security teams meet employees where they are, rather than imposing rigid, impractical rules they can foster a security first culture and build a strong human firewall across the organisation. 

Striking the Right Security Balance

Van Enckevort observed that organisations are increasingly implementing systems to catch accidental slip-ups. However, participants agreed that security awareness training alone isn’t enough—true progress comes from fostering a culture where security is an ingrained practice, not just a compliance requirement.

Another concern raised was the risk of over-securing data, which could make employees hesitant to share information at all. One participant suggested a "need-to-know" approach, keeping employees informed but avoiding unnecessary stress about data handling.

Some organisations take a different route, classifying all data as sensitive to simplify security controls. While this approach eliminates the complexity of segregating data, it also places heavier restrictions on how employees collaborate.

Other key topics included the risks associated with browser plugins, especially in collaboration tools, which one participant described as a “disaster waiting to happen.” Another pointed out that once data access is granted, a breach is often inevitable.

Takeaway

Ultimately, securing SaaS tools is a delicate balancing act. Employees need the freedom to work efficiently, but businesses must also protect against both accidental and intentional security threats. In today’s cloud-first world, security and productivity must go hand in hand—and the right strategy can make that possible.