Do the hard thing. Breach Response & Notification Planning:
When should executives provide employees with Internet Security Awareness Training (ISAT), when should employees report a suspected breach (one that has already occurred or may be in progress), and what tools or applications can manage this process?
The answer to the first two questions is simple: early and often. Getting your team to recognize and report security issues quickly matters to your business, and here is why.
You might think that with so many security technology tools in place, you’re covered. You’re not. Why? According to IBM’s Cyber Security Intelligence Index, human error was a contributing factor in roughly 95 percent of the security incidents IBM investigated. Your employees are your first line of defense against cyber criminals, and they’re irreplaceable when it comes to spotting and reporting security threats. Left untrained, they become your greatest risk.
Suppose an employee receives a suspicious-looking email that appears to come from a trusted supplier (this is spear phishing: a lure tailored to the recipient) asking to change the wiring instructions for an upcoming payment. They should be trained to understand that unexpected changes to a payment address or wiring instructions are a common method cyber criminals use to steal funds from businesses, and that any such request must be verified out of band, for example by calling the supplier at a phone number already on file rather than one given in the email.
If the employee brushes it off, or assumes someone else will handle it, that innocent-looking email could lead to a fraudulent wire transfer or a data breach, potentially costing your company a great deal of money.
The truth is, fewer than 10% of employees report phishing emails to their security teams. Why?
- They might not realize how important it is
- They’re scared of getting into trouble if they’re wrong
- Or they think it’s someone else’s job
Plus, if they’ve been shamed for security mistakes before, they’re even less likely to speak up.
They may not know what a security threat looks like or why reporting it is crucial. This is where education, formalized Internet Security Awareness Training, and ISAT tools such as KnowBe4, BullPhish ID and Cofense come into play. Licensing for this software can be as inexpensive as a few dollars per user per month. The larger, and equally essential, expense is your management and human resources staff’s time to:
- implement the phishing simulation and testing, then customize and recurrently tweak the lure language and the testing plan; and
- reconcile the results and, where appropriate, document problematic behavior by users who fail the ISAT tool’s tests.
Staff who underperform on the testing, i.e. those who click on simulated malicious links and regularly fail to report suspect emails, need engagement from management, including more testing, feedback and support, to help them reduce risk.
Nothing is more important than creating a culture of awareness and diligence up and down your organizational chart. Visibility and consistency come from your communications, recurrent reminders, and tools such as BullPhish ID and KnowBe4. Informing new employees and contractors about your ISAT tools, and about the priority you place on security, should be part of new-hire orientation. Consider making this a recurring message at all-hands meetings and other major staff gatherings. Cyber security training should ideally be an engaged, interactive experience: in your staff interactions, include real-life examples and scenarios that show how a small issue can snowball into a major problem if it is not reported. ISAT tools provide user testing through a variety of simulated malicious emails and employee training videos, and they also track who has completed the training.
Even when employees want to report an issue, an unnecessarily complicated breach-reporting procedure can stop the process from being effective. Make your reporting path as simple and direct as possible, for example straight to senior management and/or the Security Officer rather than to a direct manager and then up a chain. Make the process as free of recrimination as possible. Rest assured, if staff are punished for a first offense, or before they have received training or a mature security policy exists, it will be difficult to foster open communication later. If you need to know what technical and operational steps are required immediately after a confirmed breach, our technical staff can advise on the required planning and assist with any emergency remediation and system restoration.
Make sure everyone knows exactly how to report a perceived issue. Cover it at new-hire orientation, spell it out in the employee handbook, and repeat it through recurring messages to both employees and 1099 contractors. Regular reminders and clear instructions go a long way. And when someone does report something, give them immediate feedback: a simple thank you or acknowledgment reinforces the behavior and shows them their effort matters. Not responding to reports has the predictable dampening effect on how often, and how willingly, people report in the future.
Succeeding with breach notification and response is in part about creating a culture where reporting security issues is seen as a positive action. If employees feel they’ll be judged or punished, they’ll keep quiet. Leaders in your company need to set the tone by being open about their own experiences with reporting issues; when the boss talks openly about security, it encourages everyone else to do the same.
Much larger organizations, those with many hundreds or thousands of employees, may consider appointing security champions in different geographies or departments. These are the go-to people for their peers, offering support and making the path to the C-suite, the Information Security Officer or their designee less intimidating. Keep security a regular topic of conversation so it stays fresh in everyone’s mind.
Also, celebrate the learning opportunities that come from reported incidents. Share success stories where a report helped avoid a disaster. This not only educates but also motivates your team to keep their eyes open and speak up. By making it easy and rewarding for employees to report security issues, you’re not just protecting your business; you’re also building a more engaged and proactive workforce.
Implementing Internet Security Awareness Training software and programs can be done quickly and inexpensively. If we can help price ISAT tools, or help you install and configure them, please get in touch.