Why Every Employee is a Vital Part of Security Incident Response
Security incident reporting is every employee’s responsibility. Here are some strategies for making them feel like part of the team.
What do CEOs and first-day employees have in common?
They both have the responsibility to report suspicious emails, accidental clicks, and instances of lost or compromised data within your organization.
Unreported incidents like these can mean lost revenue, hefty fines, and perhaps most serious of all: irreparable harm to your organization’s reputation.
A sound incident reporting infrastructure and accompanying policies are a vital part of any cybersecurity strategy.
But such a process can’t get off the ground without employee buy-in, from all levels.
This blog post will walk through what makes a reportable security incident and the important role employees (ideally well-trained employees) play in your incident reporting and response strategy.
Incident Reporting Defined
Incidents can be any number of big or small events; from a full-scale malware attack to the loss of a PC or even data left exposed on someone’s desk.
No one is immune from the possibility of an incident affecting them. Mistakes and accidents can happen anywhere.
Attackers are also now quite adept at navigating their way to high-value targets by manipulating people in their extended circles, especially through social engineering techniques like spear phishing.
Unfortunately, industry research (such as ISACA’s State of Cybersecurity 2019 report and trends noted by Cyber Defense Magazine) suggests many incidents go unreported, and so don’t get resolved, often until it’s too late.
There are several reasons why incidents wouldn’t be reported:
- Employees who are involved may not recognize an incident when it happens
- They may notice something unusual but think it’s no big deal
- They may fear negative consequences if they were in some way responsible for the incident
- Sometimes employees simply don’t know what to do if and when an incident occurs
4 Ways to Make Employees Part of the Team
This is where the security team and their leadership need to provide guidance and encouragement.
The security team is of course responsible for establishing the organization’s security policies and protocols.
But because that team can’t be everywhere, they need to ensure all employees are aware of those protocols and know how to use them.
Here are some tips for bringing every employee into the fold when it comes to incident reporting.
1. Convey Cause and Effect
First, make sure every employee understands that security is a shared responsibility, and that they have a role in it. Often employees aren’t aware that innocent or accidental behaviors may introduce unexpected consequences.
For instance, sensitive records may accidentally be exposed by housing them in the wrong online location or sharing them with unauthorized coworkers. Or, employees may click on links or emailed attachments that look legitimate but may actually be malicious.
Employees should also report instances of inappropriate information-sharing with external parties by others in the organization and feel safe reporting insiders with known malicious intent.
Any of these incidents could result in financial, operational, reputational or other harm to the organization. There could also be harm to individuals, like being a target of spear phishing, identity theft or even personal theft in the workplace.
Whether it’s a cyber-event or something in the physical environment, be sure to clarify the what, why and how in all of your security awareness training initiatives.
2. Explain What’s In It for Them
If an employee makes a mistake that results in a security incident, they should be made to feel comfortable reporting it immediately rather than fearing retribution.
Knowing the approved processes and procedures to do so is part of this, but the “safe space” needs to come from the top down. Leaders should foster a security-minded culture by setting the example and discussing security openly.
It’s important that everyone understands the collective responsibility to keep the organization, themselves and their coworkers safe.
3. Stress Urgency
When an incident that could compromise sensitive data occurs, seconds matter and fast action is needed.
Everyone gets busy on the job these days, but we can never be too busy to sound the alarm, even if an anomaly seems insignificant. With the proper procedures, reporting an incident should only take a few minutes anyway.
When a security incident is reported, a full-scale, pre-determined, documented and approved response should begin. It should include an investigation into the nature and circumstances of the incident, implementing technology and/or physical controls to prevent further damage or future risks, and preparing the organization’s legal and public statements.
All employees don’t need to know the details of your incident response process. But they should be well versed enough to understand that timing is crucial.
4. Simple Actions, Big Impact
Executing the response needs to be a team effort between the security team and the rest of the organization.
While a specific individual may not play a designated role in the formal response process, there are still some important actions they can take to help minimize an incident’s damage.
For instance, they can:
- Write down notes to include in the incident report
- Isolate their computer or device from the company network
- Notify security when they see unknown people who may be in the building
- Help quell coworkers’ potential impulses to post information about incidents on social media, share information via email, or speak to the press
While reporting an incident is hopefully an infrequent thing, these actions may be some of the most important an employee ever takes to ensure the continued well-being of their organization.
The shared responsibility of incident reporting makes everyone in your company a vital part of the security posture. That means training about what comprises an incident, and on the right incident response procedures for your organization, should be part of any security awareness training initiative.
Learn More About MediaPRO's Incident Reporting Training
Available in multiple TrainingPacks, our incident reporting security awareness training gives your workforce the tools to be proactive defenders of your organization’s sensitive data.Learn More