Incident Reporting: Why It’s Important and What Should Be Reported
How to take action when a security incident occurs
Incident Reporting and You
The physical and digital workplace faces more threats now than perhaps it ever has. With more threats comes an increased frequency of security incidents. Learn why you should say something when you see something.
What Is A Security Incident?
An incident is a situation in which regular systems and policies are compromised and protective measures around them fail. Such an incident puts an organization’s well-being at increased risk.
While “incident” sounds formal, any number of big or small events can count. These can include:
- A full-scale malware attack
- Loss of a PC or memory stick
- An employee having unauthorized access to sensitive information
- Getting and/or clicking on a phishing email
- Sensitive information left exposed on someone’s desk
An incident doesn’t necessarily guarantee that an associated harm, such as a data breach, actually will happen, especially if employees learn to spot and report threats quickly.
Who Is at Risk of an Incident?
Unfortunately, everyone is at risk of an incident. There are certain obvious targets, such as senior executives, developers working on proprietary products, managers who authorize financial transactions, and those who work with regulated data like health information.
But mistakes and accidents can happen to anyone.
What’s more, attackers have become adept at navigating their way to high-value targets by manipulating people in their extended circles, such as coworkers, executive assistants, team members, and even third parties.
Social engineering techniques like spear phishing often involve in-depth research on the part of the attackers to mine a target’s personal details so that their outreach appears legitimate.
Or, a single user clicking on a bad link or visiting a dangerous website can trigger an attack that spreads malware into the corporate network.
Even if an individual doesn’t directly handle sensitive company or customer data, they can still be a conduit for attackers to reach it.
Research shows business size doesn’t matter when it comes to who is vulnerable.
In fact, Verizon’s 2019 Data Breach Investigations Report found that 43% of cyber attacks target small businesses. Furthermore, the Ponemon Institute’s 2018 State of Cybersecurity in Small & Medium Size Businesses report reveals that only 28% of small businesses rate their ability to mitigate threats, vulnerabilities, and attacks as highly effective.
What Might a Security Incident Look Like?
From social engineering scams to improperly collected personal data, there are many risks that every organization faces. Any one of them could bring negative effects to the company or even to specific employees.
While many companies do institute protective systems like firewalls, secure networks, and even VPNs, those defenses can only do so much in an era of continual, sophisticated attacks. Here are some examples of what a security incident might look like, both in the cyber and physical realms:
Cyber incidents can take many forms and can span a variety of electronic devices and platforms. Be careful when using laptops, mobile or removable devices, unknown networks, and even cloud platforms where so many of today’s files are stored and shared. Some of the most common types of cyber incidents and attacks include:
- Emailing sensitive data to unauthorized people, within or outside of the organization
- Allowing sensitive access to unauthorized people, within or outside of the organization
- Visiting risky websites
- Malicious insider threats
Although cyber incidents are likely top of mind, the risk of physical incidents cannot be overlooked. The negative impacts of these can be as significant as impacts from a phishing scam or cyberattack.
It’s important to be just as careful when handling sensitive information in a physical context. Some of the most common physical security incidents include:
- Unescorted visitors in the workplace
- Using unsecured public Wi-Fi
- Eavesdropping or shoulder surfing (intentionally or unintentionally)
- Loss or theft of devices or documents
- Sharing sensitive information with unauthorized individuals
- Using personal devices for company business
How Often Do Incidents Happen?
The true number of security incidents is difficult to determine, as industry research suggests many aren’t reported.
According to ISACA’s State of Cybersecurity 2019 report, 75% of certified cybersecurity professionals believe that actual instances of cybercrime are intentionally suppressed. And 50% believe that cybercrime is underreported even if the affected enterprises are legally required to report it.
Also, the Kaspersky Labs State of Industrial Cybersecurity 2019 report claims that 67% of industrial organizations don’t report cybersecurity incidents to regulators.
This means the already concerning incident statistics we see published by governments and businesses likely paint a rosier picture than reality.
There are several reasons why incidents would not be reported.
For one, the people involved may not recognize an incident when it happens. They may notice something unusual but think it’s no big deal. Or, they may fear negative consequences if an incident has to do in some way with their behavior. Also, organizations may want to avoid regulatory penalties or hits to their market reputation that could come from negative publicity.
But sometimes, employees simply don’t know what to do if and when an incident occurs.
Why Is it Important to Report Incidents to the Security Team?
It’s everyone’s job to protect the workplace and the organization from the impacts of a cyber security incident. This includes economic, legal, reputational, or even physical harms that could occur from theft, breach, ransomware, denial of service, or other kinds of attacks.
Regardless of how minor an anomaly might seem, it’s important to report incidents to the company’s security team so they can investigate possible risks. That team is of course responsible for establishing security policies and protocols for the organization and making sure that all employees are aware of them.
But the security team can’t be everywhere. That’s why it’s critical for all employees to act as the eyes and ears of the organization and report incidents if they occur.
Even if something doesn’t seem like a big deal to you, security professionals know to look for clues and breadcrumbs that non-tech-savvy people likely won’t.
What Are Employees’ Responsibilities Regarding Security Incidents?
Many employees handle protected data as a normal part of their jobs. The employer who entrusts them with that responsibility and the employee who accepts it are both committing to secure practices.
Understanding your data will help you know if information has been compromised and a security incident has occurred.
But certain incidents aren’t obvious and might be overlooked. Or sometimes, people just make mistakes.
Suppose you accidentally click on a phishing link and a ransomware message pops up on your screen. Or you lose a memory stick that has company files on it. When a security incident that could compromise sensitive data occurs, seconds matter and fast action is needed.
Everyone gets busy, but we can never be too busy to sound the alarm. It might be critical to the company’s well-being. With the proper procedures, reporting an incident might only take a few minutes, but it could be one of the most important things an employee can do.
Even if you’re not 100% certain an incident has occurred, trust your intuition if you think it might have. Play it safe, and report suspected incidents as quickly as possible.
What Should Happen Once an Incident Is Reported?
When a security incident is reported, a full-scale response, pre-determined and documented by the security team, should begin. This process should include:
- An investigation into the nature and circumstances of the incident
- Implementing technology and/or physical controls to prevent further damage or future risks
- Preparing the organization’s legal and public statements
Executing the response needs to be a team effort between the security team and the rest of the organization. Individuals needing to report an electronic or physical security incident should both have easy access to the company-approved procedures for doing so and know to refer to them.
While a specific individual may not play a designated role in a formal response process, there are still some important actions they can take to help minimize an incident’s damage. These can include but are not limited to:
- Writing down notes to include in the incident report
- Isolating their computer or device from the company network
- Notifying security or designated coworkers when they see unknown people in the building
- Helping quell coworkers’ potential impulses to post information about incidents on social media, share information via email, or speak to the press
While reporting an incident is hopefully an infrequent thing, these actions may be some of the most important an employee ever takes to ensure the continued well-being of their organization.
The shared responsibility of incident reporting makes everyone in your company a vital part of the security posture. That means training about what comprises an incident and your organization’s response procedures should be part of any security awareness training initiative.