The answer may not be the simplistic one of locking everything down and opting for the ivory-tower policy!
Turning off all external sharing for users may be a short answer to a problem of trust. But they will need to share with external partners and customers, so... trust me ;-) they will find other ways to share, and then it will be even more disastrous if that data is duplicated outside the business’ environment and gets into the wrong hands.
What happens when a child is forbidden to play with fire without being taught the reasons? He will burn himself with something else!
Some 4 years ago, I recall speaking at a SharePoint conference and we were already predicting to customers that in the next decade what we call “end-users” will not be just users but “data agents”. With the reinforcement of personal data protection in Europe this year, every business owner without exception should now be aware that these new users even have a specific title: data processor or data controller.
Trust vs. training.
Users can make mistakes, they are human! But (unless the mischief is deliberate) they cannot be blamed if they have not been trained on how to use the tools that are available for doing their work.
You mean sit in a training room?!
Training can take several forms
Training nowadays is not just the classic day-long session of listening to a trainer explain a tool where 70% of it does not apply to the user’s work. It can be classroom training, but it can also take different forms:
- workshop activity to define what the user’s tasks are and can be with the tool
- brainstorming on what a tool is for and what not
- group demonstration
- one on one remote screen sharing by the “IT Guy”
- and my favourite: have a “Power user” (the champion who has used the tool a lot in the business) organise breakfast or lunchtime sessions showing how they use the features and warning about pitfalls.
What to do for sharing the right way?
- Let your users share, but restrict what can be shared
- Publish clear rules for sharing and how to report when it goes wrong (i.e. part of the organisation’s data governance)
- Train staff on how to share and what to share
- Define the governance in detail, apply it but also have the power to action it when it is not respected
- Examples of automated rules include:
  - enforce an expiration time on all sharing
  - allow sharing to only certain domains
  - allow sharing to only certain IP addresses
  - allow sharing of only some sites and not others
- And finally, review reports on sharing regularly!
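The automated rules listed above, applied during a regular report review, as an added example that is not part of the original post: a Python check run over a constructed sharing report. The record fields, policy values and function names are assumptions for illustration, not any product's export format.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Policy values are constructed for illustration; take yours from the governance document.
MAX_LIFETIME = timedelta(days=30)
ALLOWED_DOMAINS = {"partner.example", "customer.example"}
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24")]
SHAREABLE_SITES = {"/sites/projects", "/sites/bids"}

def violations(share):
    """Return the list of sharing rules that one report record breaks."""
    found = []
    expires = share.get("expires")
    if expires is None:
        found.append("no expiration")
    elif expires - share["created"] > MAX_LIFETIME:
        found.append("expiration too long")
    # Exact match on the part after the last "@", so look-alike suffixes do not pass.
    domain = share["recipient"].rsplit("@", 1)[-1].lower()
    if domain not in ALLOWED_DOMAINS:
        found.append("recipient domain not allowed")
    ip = ip_address(share["access_ip"])
    if not any(ip in net for net in ALLOWED_NETWORKS):
        found.append("IP address not allowed")
    # Match the site itself or a path below it, not a sibling with the same prefix.
    site = share["site"]
    if not any(site == s or site.startswith(s + "/") for s in SHAREABLE_SITES):
        found.append("site not shareable")
    return found

def review(report):
    """Map each non-compliant share id to its violations, for the regular review."""
    return {s["id"]: v for s in report if (v := violations(s))}

# Constructed sample report (not real data).
T0 = datetime(2024, 1, 10)
REPORT = [
    {"id": "s1", "created": T0, "expires": T0 + timedelta(days=14),
     "recipient": "ann@partner.example", "access_ip": "203.0.113.7", "site": "/sites/projects/q1"},
    {"id": "s2", "created": T0, "expires": None,
     "recipient": "bob@partner.example.invalid", "access_ip": "198.51.100.9", "site": "/sites/projects-archive"},
    {"id": "s3", "created": T0, "expires": T0 + timedelta(days=90),
     "recipient": "Cy@Customer.Example", "access_ip": "203.0.113.200", "site": "/sites/bids"},
]

if __name__ == "__main__":
    for share_id, problems in review(REPORT).items():
        print(share_id, "->", ", ".join(problems))
```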
What do you think?
My views are not set in stone and I do not believe that there is only one correct way, so please comment below or speak to me to bounce an idea or start a debate.