Some insist on the contrary, but any of your colleagues can be a valuable contributor to your company’s security efforts. An example is when you do not have systems, rules or training to cover an unforeseen event, but people improvise to stay both as productive and secure as possible. Risk-based trade-offs like this happen a lot – although people will not necessarily tell you when it happens – but that’s how business gets done. Another example is when people report incidents (or potential ones), allowing your organisation to improve and become more resilient to cyber-attacks.
A quickly reported incident can also allow specialised staff to stop and resolve an on-going data-breach before consequences escalate. In fact, reporting of incidents becomes a highly critical aspect of security and business these days: The upcoming General Data Protection Regulation (GDPR) requires your company to notify supervisory authority within 72 hours, in case of a data-breach involving personal data.
There are however two critical parts needed to take advantage of security reporting:
- That people are willing and able to report
- That the organisation is willing and able to learn
If you have ever wished that people would just report more, you are not alone. And unless a lack of incident reports is a sign of perfect compliance, there is great value in continuously seeking knowledge about irregularities to learn and improve from. It is, after all, possible to increase the rate of security related reporting, although the effort must be focused and well founded in your organisation.
Sidney Dekker, a professor at Griffith University in Australia, is known for his work in human factors and safety research. Several ideas and findings from these research areas are also relevant for cyber security. In one of his books, “Just Culture”, Dekker writes about how to encourage employees to report. Based on this and related work, I have picked out four measures to learn from organisations having a mature culture for reporting, and bridged them towards security.
Mitigate negative impact of reporting
Reporting should not cause trouble for the person who produces the report. If there is much additional work attached to reporting and following up on it afterwards, some may leave an event in silence. Line managers in particular, may receive a report and silently agree with their subordinate that it was simply a matter of “human error”, and leave it by that. When this is the case, there is no way for the organisation to learn from it, and people may believe it is okay to cover up incidents. But the situation is worse if people believe that reporting involves a risk of getting blame, stigma and trouble – or even punishment. If an employee misplaces sensitive information on an unencrypted USB-stick somewhere, do you want to blame this person and give a reprimand, or do you actually want to fix the problem as soon as possible? Over time, you can’t have both.
So, are punitive responses never appropriate – are end users never at fault for security failures? Well, blame-free does not mean you cannot be held accountable, although there are indeed better alternatives to punishment. Dekker emphasises that accountability means getting people actively involved in creating a better system to work in, which also includes an organisation open to learning. Therefore, you could begin to ask why it was necessary to put that sensitive information on a USB-stick anyway. Learning from this event requires listening with empathy. And maybe the problem wasn’t the employee’s after all, but a lack of technical support or training for the policy on managing sensitive information? The situation should then be improved for all employees going onwards.
Highlight positive impact of reporting
People want a good workplace, and they will usually appreciate an opportunity to influence it. If they experience that reporting does in fact contribute to the better, it will soon become a valuable cultural aspect of the organisation. For cyber security, it means that everybody knows that reporting suspicious events will help the company protect itself against criminals. This may have to be stated explicitly, but it can also be as simple as this. If anyone flags something as suspicious or reports that an incident has happened, their engagement should always be welcomed. Do not get annoyed by false positives – most people aren’t information security professionals – but many can spot a scam when they see it. This is indeed useful, and may strengthen the company’s resilience on behalf of those who do not. It also means that if something is reported, it will be taken care of and not just put in a bin.
If compliance with policy is impossible for some aspect, you would like to know so that the incompliance can be fixed. Both improving the systems supporting it, or by changing the policy, are visible outcomes. Moreover, they both allow the reporter become actively involved in the improvement process. This exercise is also good for IT staff to be concerned with user experience, and getting to know their end users. Positive user involvement creates credible “wins” for a part of the company often associated with paranoia.
Minimise anxiety for reporting
It may be difficult to define precisely what is an incident. This is sometimes reason enough for people to decide not to report what has happened, because they don’t want to cause any trouble. Dekker still clearly states that reporting must be voluntary. If reporting is mandatory, it would mean that the organisation claims the right to say what is worthy of reporting. Explicit rules would either become too specific, or too general to work in practice.
Although anonymity can be required for reporting certain irregularities, the opposite is usually required for following up on concrete security events. Norwegian Air Law actually states that reports cannot be used as evidence in criminal proceedings against the persons providing the evidence. This is to ensure that information does not get lost due to anxiety of repercussions. If an incident was never reported, but later discovered, an employee not having reported it may leave room for an impression that the person wanted to cover up the issue. On the other hand, being transparent and reporting a problem as soon as possible, will effectively transfer responsibility of the situation from the employee to the organisation. This aspect is well worth emphasising towards your colleagues.
Maximise accessibility for reporting
Regardless of incident, it must be easy for employees to report. Whether it is an email address, a person that everybody knows (for certain), or a dedicated software tool, it should be readily available to everyone when it is needed. Most people don’t report incidents very often, so the user experience of reporting must be excellent.
“Without reporting, you simply do not know what is going on.”
I’ve previously written about why blaming people for security failures is useless. Business is never 100% without risk anyway (if it was, it wouldn’t cover costs for security). In the same way, we cannot implement rules or systems to cover 100% of unwanted events. There is a saying in medicine, that; “excellent surgery makes dead patients” – i.e. flexibility is essential. This is also valid in our business, and people must be able to improvise sometimes – we just need them to be open about it, and support them better every day.
Without reporting, you simply do not know much of what is going on. Some aspects here can definitely be trained, and people will be happy to learn when the dialogue goes both ways. And since the digital landscape is so unpredictable, we depend on people’s ability and motivation to help secure our business over time. Luckily, nobody is against security, and most people are happy to help.