How to Create a Culture of Incident Reporting

The most underrated and undervalued aspect of an effective threat detection and response strategy is people. Let’s understand why incident reporting is so important from a people perspective and how security culture plays a major role in an organization’s security posture.

You Need a Culture of Incident Reporting

At least 41% of cyber-attacks start with phishing, and 74% of breaches can be traced back to human error. Because employees are on the front lines of these risks, they must develop a habit of reporting suspicious activity; doing so immensely bolsters threat prevention. Moreover, incident reporting helps security analysts identify patterns, vulnerabilities and common attack vectors.

This knowledge equips the organization to proactively deploy protection mechanisms, improve security processes and plug security loopholes. Organizations can also use it to spread awareness of common security errors in the workplace, which further reduces security incidents and reinforces the value of reporting.

Incident reporting also helps boost the overall culture of security. Employees who are encouraged to report security incidents feel more responsible, accountable, and invested in keeping a safe workplace. As a result, they are more likely to follow security policies, processes and best practices.

Culture is infectious: when employees see coworkers reporting incidents, they become more proactive about reporting themselves. Certain industries also have legal requirements for incident reporting. Complying with these obligations helps businesses avoid costly fines and legal entanglements and ensures the safety and privacy of employees and customers.

How to Create a Culture of Incident Reporting

Building a culture of incident reporting requires the commitment of leadership and other stakeholders. Below are important steps that can help foster a culture of incident reporting:

  1. Ensure Leadership Commitment. Culture is usually top-down, not bottom-up. Leaders must “walk the talk” and demonstrate a real commitment to cybersecurity. They must actively encourage employees to report incidents and do so themselves. They must explain to employees that security is not just an IT risk but a legal, financial, privacy and business risk.
  2. Establish Clear Rules, Policies and Procedures. Provide clear and transparent incident reporting guidelines and procedures that set out the expectations, responsibilities and appropriate channels for reporting incidents. Ensure such policies are easily accessible to employees and that appropriate training is provided.
  3. Make Reporting Simpler. As employees go about their daily routines, many may not remember how to follow procedures. This is why it is important to make it easy and intuitive for employees to report incidents using channels they are comfortable with (e.g., email, chat, text). Studies show that organizations that deploy “report phishing” buttons within their email clients see a 30% lift in reporting rates over companies that don’t.
  4. Reinforce with Training. Employees may not fully comprehend the value of incident reporting or be aware of the reporting processes or the resources available. Everyone must know what, where and how to report suspicious emails, hyperlinks, files, domain names, queries, etc., which is why regular training is needed as a reminder.
  5. Facilitate Anonymous Reporting. Some employees might hesitate to report incidents for fear of reprisal, disciplinary action, negative consequences or job loss. Facilitating anonymous reporting helps reduce anxiety, makes reporting less burdensome and promotes an open and non-punitive environment.
  6. Go Beyond Compliance. If reporting processes are intended for compliance purposes only, employees will likely keep their efforts to a minimum. Instead, try creating a culture where people are encouraged to come forward and make a difference. For example, when conducting simulated phishing tests, don’t just compare click percentages; praise those who consistently do well on the tests to spread the word and encourage participation.
  7. Get Feedback and Follow Up. Security teams must establish a feedback loop for acknowledging and responding to incident reports submitted by employees. They should acknowledge employees’ efforts and communicate the next steps and outcomes. This demonstrates that reporting is valued and taken seriously and that it contributes to a larger cause.

Leveraging people, processes and technology is key to building a strong culture of incident reporting. By promoting the idea of shared responsibility, organizations empower users and significantly boost the ability to detect, respond and recover from cyber-attacks, building a resilient security posture that will pay dividends in the long run.
