Phishing is one of the most common reported threats, but less than 10% of the workforce actually report phishing emails when they receive one.And with the ever-evolving threat landscape – hybrid working, complex supply chains, and sophisticated threat actors – it’s vital your organization can identify and address risks as soon as possible to minimize their impact.Everyone in your organization represents a vital front line to notice unusual activity, report near misses, and respond to threats.So why isn’t the general workforce confident about reporting security incidents?
- They think someone else will do it. Issues will never get reported if everyone thinks like this!
- They worry about being disciplined for doing something they shouldn’t. Having an organizational culture where people feel safe to report issues is vital.
- They don’t think it’s important. People need to understand how crucial it is to report all incidents, issues, and concerns straightaway and the difference this can make.
- They feel uncomfortable reporting concerns. People might doubt themselves or feel it’s inappropriate to raise an issue, particularly if it relates to a colleague’s activity.
We all know how important reporting security issues across an organization is, but the workforce must be empowered and motivated to do so. There are three key areas to focus on to tackle this problem.
Help people understand the threat
Ensure that everyone understands potential security threats and the impact they can have.From phishing emails to potential insiders and individuals tailgating into buildings, there are plenty of scenarios your people need to be aware of and report. Understanding the severity of a potential threat and what you can do about it are key motivators in protective behaviors.The workforce needs to understand the full range of security risks, why it matters, what to look out for, and the crucial role everyone plays in stopping an attack.This is where your approach to education and upskilling comes in. Is it relevant? Is it engaging? Does it give everyone the information and skills that they need?Reporting protects organizations and individuals; we should shout that from the rooftops. It’s crucial that people understand the ‘why’ of what you’re asking them to do. If they don’t, then they won’t!
Examine the process
Have clear, simple reporting mechanisms and ensure everyone knows how to use them.People need the opportunity and capability to easily report incidents, and proactively considering human factors helps here. Think about the design of processes and what you’re asking people to do.Does it take too long? Is it too complicated? Does it integrate with existing work tasks and systems? What’s the immediate response people get to reinforce their actions? Your employees need to know how to report incidents, be able to do it quickly and easily, and feel good when they do. Reduce as many barriers as possible, otherwise, time, competing priorities, and uncertainty all get in the way.
Encourage a reporting culture
Develop an organizational culture where reporting is viewed as positive and people feel happy to challenge each other.A positive and strong security culture should be built on openness, understanding, and learning from incidents, not just assigning blame. Reporting mistakes or concerns should be actively role-modeled from the top of your organization.Everyone makes mistakes; it’s how you respond to them that matters.Actively encourage employees to report anything suspicious without fear of negative implications or uncomfortable responses. Use security champions to reinforce the message and provide initial guidance if people are unsure.Fundamentally, you need your whole workforce to respond effectively when faced with a potential security issue – whether reporting a concern or following advice once an incident has been identified.
How can Immersive Labs help?
Empower your workforce to do what they need to when it matters.Immersive Labs’ Workforce Exercising allows you to regularly upskill and exercise your entire workforce on the security threats they face and how they should respond, giving them the skills, knowledge, and judgment they need.Built with behavioral science at its core, our exercises use data-driven reporting, customizable content, and engaging narratives, providing people with a safe space to work through security decisions and scenarios – whatever their role.As part of this, we’ve recently released a new collection of labs and an accompanying scenario focused entirely on the importance of reporting potential security incidents, mistakes, and concerns.Your workforce wants to help keep your organization secure. You just need to give them the right tools to do so.To learn more about how Immersive Labs can help you build and prove cyber capabilities across your workforce, visit us here.