Whether it is reporting a phishing email or something potentially illegal that a coworker is doing, your employees should be a strong last line of defense for security and compliance.
According to Gartner, almost 60 percent of all misconduct that is observed in the workplace never gets reported. For decades both compliance officers and security leaders have known that the earlier employees report incidents, the lower the risk. Yet low reporting rates continue to be a problem.
Phishing is one of the top sources of cybersecurity incidents, so most organizations use simulated phishing attacks to test not only who will click on them but also who will report them as an incident through the established reporting procedures. In results published in early 2022, F-Secure ran a test with four multinational organizations, sending a simulated phishing attack to more than 82,000 workers. The two companies that lacked an easy way to report suspected phishing had an average reporting rate of less than 15%, while a third company that had a phishing alert button had a 45% reporting rate. Even though having something like our Phish Alert Button (PAB) in place improves this percentage, we still have a long way to go on incident reporting if this had been a real attack.
See Something, Say Something
For decades now we have been repeating, “See something, say something.” Incident reporting for compliance and security is tied to the culture within an organization. If you feel that you are going to be listened to, you will report. Reporting also has to be easy, with regular reminders of how to report.
Perry Carpenter, in his book “Transformational Security Awareness,” describes the “Why, How, and What?” questions as the basic framework for incident reporting (pp. 45-47). It is great reading and applies just as well to compliance reporting:
- “Why” is the messaging on the importance of incident reporting
- “How” is making the incident reporting process as simple as possible
- “What” is your “See something, say something” communication and education campaign that combines the first two
Perry even suggests extending the reporting line to “See something, say something. It’s easy and safe. Here is how:...” or, where reporting is anonymous, “See something, say something. It’s easy and anonymous. Here is how:...” This reminds me of a marketing call to action, and we can learn a lot from marketers here about spurring action. It also eases the anxiety people generally feel when reporting an incident and positions reporting as something less burdensome, which always helps to get more participation.
Incident Reporting Is for Everyone
Many of us who run compliance and security programs often think, “duh, it’s so easy to call the number or press the report button.” But those who don’t live it every day often don’t even expect to have to report, and they may not remember where to start. So it’s critical that you remind everyone monthly about the reporting process.
For phishing, this means a monthly simulated phishing campaign for most organizations. Think of it like a fire drill: practice for reporting. Also, don’t just look at the click percentage; celebrate those who do report.
For compliance training programs, don’t be afraid to be redundant. If annoyed people are commenting on your training program survey results, “We know the reporting process already, it’s at the end of every training!”, then you probably have the right amount of repetition. Toll-free reporting lines and anonymous forms are often underutilized. Remember to think like a marketer: marketers are constantly reminding us of their products, so we need to be just as persistent in our reminders about security and compliance reporting.
Incident Reporting and Security Culture
Having an overall program that shows you are trying to make a difference in company culture and are encouraging people to come forward is also key. If you are just checking the compliance and security boxes with your program, employees will sense that and likely do only the minimum, too.
Some of the most successful organizations we work with are teaming up security and compliance into a collaborative workstream to reinforce the message that it’s not just the compliance officer or the security team that want you to come forward - the entire organization does. This approach, with at least quarterly training campaigns (monthly works even better), can have a serious impact on reporting across the board and a corresponding reduction in risk. This makes sense, because employees in today’s environment have a lot to remember, and many data incidents are a combination of cybersecurity and compliance issues. A combined approach helps everyone keep things simple.
Ideas we have heard work well include a shared intranet page listing all of the ways to report incidents, cross-promoting reporting in communications, and reusing the “See something, say something. It’s easy and safe. Here is how:...” line even when the “how” differs slightly. A more cohesive approach to compliance and security can improve reporting and reduce incidents as well.