“If you see something, say something”, is the motto of the Department of Homeland Security. It’s a motto that is also highly relevant to ensuring that our systems and data are secure. In order to have an effective cyber security program, you need eyes and ears everywhere.
All staff members of staff need to be involved, as the IT department simply doesn’t have the resources to be able to identify every security incident that takes place on their network. Before we go any further, let’s clarify what is meant by a “security incident”.
A security incident could be anything from a malware attack, to an employee clicking on an email from an un-trusted entity. It could be someone losing a USB drive that contains valuable company data, or someone gaining unauthorized access to sensitive data through some means or another.
The important thing to note is, a security incident is anything that either has, or could have, put our critical systems or sensitive data at risk. For example, we wouldn’t tend to think that an employee sticking a post-it note to their computer monitor with password on it, or an employee sharing their credentials without another member of staff, would be classified as an incident, as it’s likely that no harm was done.
However, for all intents and purposes, these are indeed security incidents. Of course, it would be unrealistic to expect somebody to report a colleague who was also a close friend, however, we should at least encourage them to communicate with each other, when they see a potential security risk.
Why is it Important to Report Security Incidents?
There could be very serious ramifications for failing to so. There could be a significant loss of trust in the business, thus resulting in a loss of revenue. There could be legal implications, such as lawsuits and large fines. In some exceptional cases, a security incident can result in actual physical harm. This is especially true when it comes to cyber-attacks on the healthcare industry.
As you probably know, healthcare service providers frequently fall victim to Ransomware attacks, and it’s possible that these attacks could have been avoided, had someone reported seeing a suspicious email. Hackers have also been known to tamper with vital medical equipment, such as ventilation systems. And of course, suffering a security incident of some kind, can lead to emotional distress, for all parties involved.
Who is Most Likely to Facilitate a Security Incident?
Let’s face it, accidents happen, and they happen to all of us. The victim (or perpetrator, as the case may be), could be someone from accounts or HR. They could be a web developer, or just a regular employee.
Although less likely, a security incident could even be caused by a senior IT security officer. We all have our off days. That said, it really depends on the type of company, and the attacker’s motives. If it is a Ransomware attack, the attacker will target organizations that are most likely to pay, and most likely to pay large sums of money. They will also try to target the weakest link, which is usually a regular employee.
If it is a Business Email Compromise (BEC) attack, they will likely target the accounts department, or whoever is able to authorize financial transactions. Attackers often use a technique called “spear phishing”, which, as the name suggests, is designed to target specific individuals in a company.
The attackers will often spend time researching their victims before initiating an attack. In terms of the size of the business, it doesn’t really matter. According to the Verizon, 2019 Verizon Data Breach Investigations Report (DBIR), 43% of cyber-attacks target small businesses.
What Are the Most Common Security Incidents to Look Out For?
While there are many different security incidents that could potentially unfold, such as Man-in-the-Middle (MitM) attacks, DDoS, SQL Injection, XXS, and so on, these types of incidents will not be detected and reported by regular employees. In the case of a successful DDoS attack, for example, employees will only find out when they’re unable to access the company network. In the context of reporting incidents, we need to focus more on the behavior of our employees. The most common types of insider threat include:
- Emailing sensitive data to the wrong recipient
- Employees downloading malicious attachments, or visiting malicious websites
- Employees accessing sensitive data, without proper authorization
- Employees disclosing their credentials by accident
- Employees sharing their credentials with other members of staff
Physical Security Incidents
Of course, not all data security threats originate online, and so we must also be vigilant when it comes to identifying and reporting physical security incidents that we see in the workplace.
While a physical security incident could be an unauthorized member of staff entering the server room, it can also include other, less obvious incidents, such as unsecured public Wi-Fi hotspots, perhaps in the canteen or lobby. Or the use of unauthorized personal devices in the workplace.
However, prohibiting the use of personal devices in the workplace would not only be a very unpopular move, but it would be practically difficult to enforce. Providing these devices aren’t being used to connect to the company network, it shouldn’t be that much of a problem.
Are Incidents Being Reported Often Enough?
The short answer is, no! According to a 2019 report by ISACA, “half of all survey respondents believe most enterprises under-report cybercrime, even when it is required to do so”. There are a number of reasons why both employees and organizations may be reluctant to report security incidents.
It’s often the case where people notice a security incident, but don’t believe that it’s worth reporting, as it doesn’t seem like a big deal. Of course, it might not be a big deal, but lots of incidents that are not a big deal, can quickly turn into an incident that is a big deal.
In some cases, people fail to report incidents for the exact opposite reason. For example, both the employer and the employee may fear the consequence of reporting a security incident, in case it turns out to be a big deal.
The employee will be concerned about potentially losing their job, assuming they were responsible for the incident in some way. And the employer will be concerned about the reputation of their company, and the financial and legal ramifications of disclosing information about a security incident.
In some cases, people simply don’t know how to report security incidents. They either haven’t been informed, or don’t remember being informed, about the protocols to follow in the event of an incident.
As you can see, it’s a catch-22 situation. People don’t want to report security incidents, in fear of the consequence of doing so. Yet, a failure to report security incidents will inevitably increase both the likelihood and severity of the next security incident. This is essentially what needs to be explained to both employers and employees. It goes back to the old adage that honestly is the best policy.