Security best practices
7/30/2024
Improve security with instant feedback: how policies with notifications educate users
Real-time feedback on risky behavior stops sensitive data exfiltration and educates employees on security best practices, based on research from Cyberhaven Labs analyzing data on warning and blocking policy implementations.
Training employees to handle sensitive data safely is a fundamental step toward reducing an organization’s overall risk. However, many employees struggle to translate periodic training into daily behaviors. Fortunately, there’s a way to protect data and train users in real-time with immediate feedback: contextual notifications.
Cyberhaven Labs analyzed anonymized data on user behaviors before and after policies for warning or blocking users were implemented to understand their effectiveness.
The results are clear: immediately notifying users of risky actions dramatically improves user behavior and reduces ongoing risk to the organization. In this post, we’ll show you why feedback is so impactful.
Feedback drives better outcomes
Feedback is necessary for learning and growth, from training large language models for advanced AI applications to humans learning new skills. The key is how often and quickly feedback is delivered, also known as how “tight” the feedback loops are. As a rule, the tighter the feedback loop, the more effective it is.
For example, imagine that you’re trying to learn a new language before a vacation. You could buy audio lessons and practice saying phrases in your spare time. Months later, you embark on your holiday, feeling confident in your language skills. Then, you get a puzzled look from a restaurant server and realize they have no idea what you’re saying. Why? Not enough feedback.
Contrast that scenario with learning through immersion: progressively adding vocabulary while speaking among native speakers. In that case, the feedback is immediate and far more consequential. It’s no surprise that immersion learning results in conversational fluency much faster.
The same is true for cybersecurity training. Most training happens only once yearly and involves example scenarios, not employees’ actual workflows. While this training might be necessary, it isn’t enough to deter risky behavior. That’s because the feedback loop is not very tight.
Let’s look at the data to see how behavior changes when users are presented with immediate feedback.
Three options for policies
Cyberhaven Labs analyzed anonymous behavioral data for 3 million workers to understand the effects of three kinds of policy implementations:
- Monitor: identify risky behavior and create an alert for the security team only, with no feedback to end users
- Warning: alert end users with a popup window on their device that their behavior is risky, but allow them to proceed if they choose
- Blocking: stop users from taking the desired action and tell them that it was blocked (and why)
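To make the three modes concrete, here is a small policy engine written as an added example for this post; it is not Cyberhaven's code or product logic. It assumes a hypothetical event record that already carries a sensitivity label derived upstream, resolves overlapping policies by taking the strictest matching mode (so a warn and a block on the same event become a block), and models an approved-destination exemption of the kind the auditor case later in the post calls for. Policies, destinations and events are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Mode(IntEnum):
    """Policy modes in order of strictness; the highest matching mode wins."""
    MONITOR = 1   # alert the security team only, no user feedback
    WARN = 2      # popup to the user, who may choose to proceed
    BLOCK = 3     # action stopped, user told why


@dataclass(frozen=True)
class Event:
    """Hypothetical event shape: one data movement seen by an endpoint agent."""
    user: str
    action: str          # e.g. "upload", "email", "copy"
    destination: str     # host, address or device the data is headed to
    sensitivity: str     # label derived upstream, e.g. "financial", "pii", "public"


@dataclass(frozen=True)
class Policy:
    name: str
    mode: Mode
    sensitivities: frozenset          # labels this policy applies to
    destinations: tuple               # substrings matched against Event.destination
    exempt_destinations: tuple = ()   # approved endpoints that never trigger
    rationale: str = ""               # plain-language reason shown to the user

    def matches(self, ev: Event) -> bool:
        if ev.sensitivity not in self.sensitivities:
            return False
        if any(x in ev.destination for x in self.exempt_destinations):
            return False
        return any(d in ev.destination for d in self.destinations)


@dataclass(frozen=True)
class Decision:
    allowed: bool            # may the endpoint let the action complete?
    alert_security: bool     # does the security team get an alert?
    user_message: str        # "" when the user gets no feedback (monitor, or no match)
    policy: str              # name of the deciding policy, "" if none matched


def evaluate(ev: Event, policies: list) -> Decision:
    """Pick the strictest matching policy and turn it into a decision."""
    hits = [p for p in policies if p.matches(ev)]
    if not hits:
        return Decision(True, False, "", "")
    p = max(hits, key=lambda pol: pol.mode)
    if p.mode is Mode.MONITOR:
        return Decision(True, True, "", p.name)
    msg = f"{p.rationale} ({p.name})"
    if p.mode is Mode.WARN:
        return Decision(True, True, "Warning: " + msg + " You may continue.", p.name)
    return Decision(False, True, "Blocked: " + msg, p.name)


# Constructed policies for the example; not policies from the post.
POLICIES = [
    Policy("usb-monitor", Mode.MONITOR, frozenset({"pii", "financial"}), ("usb:",)),
    Policy("genai-warn", Mode.WARN, frozenset({"financial", "pii"}),
           ("chat.openai.com", "gemini.google.com", "claude.ai"),
           rationale="This file contains sensitive data; personal AI tools are not approved for it."),
    Policy("pii-genai-block", Mode.BLOCK, frozenset({"pii"}),
           ("chat.openai.com", "gemini.google.com", "claude.ai"),
           rationale="Customer PII may not leave approved systems."),
    Policy("finance-email", Mode.BLOCK, frozenset({"financial"}), ("@",),
           exempt_destinations=("@auditor.example",),
           rationale="Financial files may only be emailed to approved auditors."),
]

if __name__ == "__main__":
    samples = [  # constructed events
        Event("ana", "upload", "chat.openai.com", "financial"),
        Event("ana", "upload", "chat.openai.com", "pii"),
        Event("bo", "email", "alice@auditor.example", "financial"),
        Event("bo", "email", "friend@gmail.example", "financial"),
        Event("dee", "copy", "usb:E:/", "pii"),
        Event("cy", "upload", "chat.openai.com", "public"),
    ]
    for ev in samples:
        d = evaluate(ev, POLICIES)
        print(f"{ev.user:>4} {ev.action:>6} -> {ev.destination:<24} "
              f"allowed={d.allowed} alert={d.alert_security} policy={d.policy!r}")
        if d.user_message:
            print("      popup:", d.user_message)
```

The exemption list is what keeps a blocking policy from becoming the "financial file to auditors" false positive described later: the approved recipient never matches, so the user sees nothing, while the same file to a personal address is blocked with a reason.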
Monitoring normal user behavior
The Monitor policy represents the baseline of behavior, as it describes how employees act without feedback.
Cyberhaven Labs looked at behavioral patterns for 20 days before a warning or blocking policy was implemented and for 60 days after. Monitor-only policies, which alerted the security team but gave users no feedback, served as a kind of control group.
As expected, when companies implemented a monitor-only policy we found no impact on end user behavior. Whatever investigations the security team did, and any coaching of a handful of end users, had no measurable effect on behavior across the organization.
Warning users reduces risky behavior
What happens when notifications warn users about taking risky actions?
The following chart shows what happens after implementing a warning policy to notify and educate users.
Risky behavior was 73% lower after implementing a warning policy.
Issues dropped immediately once users knew they were being observed, received feedback, and were given a warning with the choice to proceed or not.
We can calculate these changes because Cyberhaven’s data lineage includes the complete history of data and user actions. Data lineage allows security teams to back-test policy effectiveness, rather than implementing a policy without data.
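The back-test itself is straightforward once every policy trigger is stored with a timestamp. The following is an added example, not Cyberhaven's implementation, of the before/after comparison the post describes: it takes a list of dated policy triggers, compares the daily trigger rate in the 20 days before activation with the 60 days after, and also checks that the drop is durable by comparing the two halves of the after window, which is the check a practitioner would want before trusting a headline reduction. The trigger log, activation date and 10% rebound tolerance are constructed assumptions, not data from the study.

```python
from datetime import date, timedelta

ACTIVATION = date(2024, 3, 1)   # assumed policy go-live date for the example


def daily_rate(trigger_days, start, end):
    """Triggers per day over the inclusive window [start, end]."""
    days = (end - start).days + 1
    hits = sum(1 for d in trigger_days if start <= d <= end)
    return hits / days


def backtest(trigger_days, activation, before_days=20, after_days=60):
    """Compare the trigger rate before and after a policy went live.

    Returns the two rates, the fractional reduction (None if there was
    nothing to reduce) and a durability flag: the second half of the
    after window must not rebound more than 10% above the first half."""
    before_start = activation - timedelta(days=before_days)
    before_end = activation - timedelta(days=1)
    after_end = activation + timedelta(days=after_days - 1)
    mid = activation + timedelta(days=after_days // 2)

    before = daily_rate(trigger_days, before_start, before_end)
    after = daily_rate(trigger_days, activation, after_end)
    first_half = daily_rate(trigger_days, activation, mid - timedelta(days=1))
    second_half = daily_rate(trigger_days, mid, after_end)

    reduction = None if before == 0 else 1.0 - after / before
    durable = second_half <= first_half * 1.10   # assumed tolerance
    return {
        "before_rate": before,
        "after_rate": after,
        "reduction": reduction,
        "durable": durable,
    }


def sample_triggers(activation=ACTIVATION):
    """Constructed trigger log: 5 triggers/day for 20 days before go-live,
    81 triggers spread over the 60 days after, plus two events outside both
    windows that the back-test must ignore."""
    before_start = activation - timedelta(days=20)
    log = [before_start + timedelta(days=i % 20) for i in range(100)]
    log += [activation + timedelta(days=i % 60) for i in range(81)]
    log += [activation - timedelta(days=45), activation + timedelta(days=90)]
    return log


if __name__ == "__main__":
    result = backtest(sample_triggers(), ACTIVATION)
    print(f"before: {result['before_rate']:.2f}/day  after: {result['after_rate']:.2f}/day")
    print(f"reduction: {result['reduction']:.0%}  durable: {result['durable']}")
```

Comparing rates rather than raw counts matters because the two windows have different lengths; comparing the halves of the after window is what distinguishes a lasting change from a novelty effect that fades once the popup becomes familiar.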
Warning policies are helpful guardrails, especially when some degree of employee discretion is required, such as when outside contractors or agencies are involved in critical business functions. Traditional policies that jump to blocking might be too strict and don’t offer any guidance. Email DLP, for example, could prevent a financial file from being sent to auditors – a legitimate reason – without any feedback given. Likewise, well-meaning employees might accidentally transmit a sensitive file if they don’t get a warning.
Generative AI presents another example. In these early days of the AI Era, many employees are experimenting with free versions of generative AI tools. They need guardrails to prevent sensitive data from accidentally being uploaded and exfiltrated. A warning policy solves that use case exactly.
Blocking policies immediately protect data
Finally, let’s look at the effect of blocking policies, which immediately stop sensitive data movement and notify the employee. Much like with warning policies, the results are dramatic.
Risky behavior dropped 88% after implementing a blocking policy.
Once the policy was activated, the number of triggers indicating bad behavior dropped immediately and reset to a new, much lower level.
As with warnings, users engaged in risky behavior get immediate feedback. For users with malicious intent, a notification that they have been seen and stopped is likely to deter further attempts, given the severity of the message. One caveat: a block also tells a determined insider which channel is monitored, so blocking policies need to cover the alternative paths (email, unmanaged cloud apps, other devices) as well, or the attempt simply moves elsewhere. For users who merely make mistakes, the immediate feedback teaches them good security practices and tells them which kinds of data they need to handle more carefully.
Returning to the earlier example about generative AI, a blocking policy would prevent a malicious user from uploading sensitive documents to their personal account in ChatGPT, Gemini, Claude, etc. Likewise, users who might be making a good-faith attempt to get work done faster would learn why they can’t use a personal generative AI tool for analyzing or summarizing sensitive information. That might even lead the organization to procure vetted and authorized tools that improve productivity.
How to implement warning and blocking notifications to lower risks
To summarize:
- Both warning and blocking notifications dramatically decrease risky behavior.
- This decrease is durable.
How can companies implement notifications like these to give employees immediate feedback?
There are three key requirements:
- Endpoint agents
- Data lineage
- Unified platform
Endpoint agents
The impact of real-time notifications, and thus of feedback loops, also shows why endpoint agents are necessary for a comprehensive data security program. Instead of sending an email notification after the fact or generating technical errors in the background, which are invisible to users, endpoint agents can raise native operating-system notifications in plain language that users can read and understand. Network security tools can surface coaching notifications when users violate a policy in a web-based application, but an endpoint footprint is needed to catch risky behavior in native applications and elsewhere on the computer and to show the popup there.
Data lineage
Effective data security requires data lineage because sensitivity depends on context. Knowing the data’s origin and who has interacted with it makes it possible to identify data as sensitive even if it’s encrypted or doesn’t meet traditional classification criteria, such as regex filters. By uniting data from multiple sources – endpoints, network, email, and more – security teams can identify and protect sensitive data no matter where it goes, including whether it traverses endpoints or is modified along the way. Data lineage also enables the back-testing of policies mentioned above and ensures that policies are accurately implemented going forward.
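One way to see why lineage catches what a content classifier misses is a small derivation graph. The following added example, not Cyberhaven's implementation, records each step by which a file is derived from another (download, copy, rename, archive, encrypt) as hypothetical agent events, propagates the origin's sensitivity label through the chain, and lists every user who touched it. A content regex is shown for contrast: it fires on the plaintext CSV but finds nothing in the transformed output, while lineage still identifies that output as financial. All file names, users and contents are constructed, and the byte-XOR stands in for real encryption only to produce a blob the regex cannot read.

```python
import re
from collections import defaultdict


class Lineage:
    """Derivation graph: each artifact remembers the artifacts it was made from,
    the action that produced it and the user who did it. Sensitivity labels are
    attached only at origins and inherited by everything derived from them."""

    def __init__(self):
        self.parents = defaultdict(list)   # artifact -> [parent artifacts]
        self.actor = {}                    # artifact -> user who produced it
        self.step = {}                     # artifact -> action that produced it
        self.origin_labels = {}            # artifact -> labels assigned at origin

    def origin(self, artifact, user, labels):
        """An artifact entering the environment, e.g. a download from a labelled source."""
        self.actor[artifact] = user
        self.step[artifact] = "origin"
        self.origin_labels[artifact] = set(labels)

    def derive(self, user, action, sources, target):
        """Record that `user` produced `target` from `sources` by `action`."""
        self.parents[target].extend(sources)
        self.actor[target] = user
        self.step[target] = action

    def _ancestry(self, artifact):
        """Depth-first walk over the artifact and all of its ancestors (cycle-safe)."""
        seen, stack = set(), [artifact]
        while stack:
            a = stack.pop()
            if a in seen:
                continue
            seen.add(a)
            yield a
            stack.extend(self.parents.get(a, ()))

    def labels(self, artifact):
        """Union of origin labels reachable through the derivation graph."""
        out = set()
        for a in self._ancestry(artifact):
            out |= self.origin_labels.get(a, set())
        return out

    def users(self, artifact):
        """Every user who produced the artifact or any of its ancestors."""
        out = []
        for a in self._ancestry(artifact):
            if a in self.actor and self.actor[a] not in out:
                out.append(self.actor[a])
        return out


# Traditional content classifier for contrast: a 16-digit card-number pattern.
CARD_RE = re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")


def regex_labels(content: bytes) -> set:
    return {"financial"} if CARD_RE.search(content) else set()


CSV_CONTENT = b"name,card\nsample,1234 5678 9012 3456\n"   # constructed plaintext
ENC_CONTENT = bytes(b ^ 0x5A for b in CSV_CONTENT)          # toy stand-in for encryption


def build_sample():
    """Constructed chain: download -> copy -> rename -> zip (with a public readme) -> encrypt."""
    lin = Lineage()
    lin.origin("Downloads/q2-cards.csv", "ana", {"financial"})
    lin.origin("Downloads/readme.txt", "ana", set())          # public, no label
    lin.derive("ana", "copy", ["Downloads/q2-cards.csv"], "Desktop/data.csv")
    lin.derive("bo", "rename", ["Desktop/data.csv"], "Desktop/notes.csv")
    lin.derive("bo", "zip", ["Desktop/notes.csv", "Downloads/readme.txt"], "Desktop/bundle.zip")
    lin.derive("bo", "encrypt", ["Desktop/bundle.zip"], "Desktop/bundle.zip.enc")
    return lin


if __name__ == "__main__":
    lin = build_sample()
    for art in ("Desktop/bundle.zip.enc", "Downloads/readme.txt"):
        print(f"{art}: lineage={sorted(lin.labels(art))} touched_by={lin.users(art)}")
    print("regex on plaintext CSV:", regex_labels(CSV_CONTENT))
    print("regex on encrypted bundle:", regex_labels(ENC_CONTENT))
```

The zip step is the interesting one: the archive inherits the financial label from one input even though its other input is public, and the encrypted output inherits it again despite being opaque to any content scan. The recorded users along the chain are what an investigation needs when the policy finally triggers on the last hop.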
Unified Platform
Data’s movement spans multiple endpoints, services, users, and more. So should the software to secure it. Understanding which policies should be applied to data requires the holistic view provided by data lineage, which requires information from many different sources and devices. With one policy engine and complete data lineage, your security teams can understand how data flows, detect and stop risky behavior, accelerate internal investigations, and stop exfiltration anywhere.
This approach is called Data Detection and Response (DDR), and we pioneered it at Cyberhaven. We combine the functionality of traditional data security tools in one experience that not only outperforms in each category but is more effective than the sum of its parts. We developed an architecture that achieves complete visibility of your data, including as it transits unmanaged cloud apps and unmanaged devices.
If you’re ready to learn more about protecting data, educating users, and lowering overall risk, click the link below to connect with one of our data security experts.