Yesterday I wrote about a five-part strategy to increase the number and quality of incident reports. The fifth part involves making both staff and management vigilant or alert for trouble.
There is an obvious link here to the ongoing security awareness and training activities, pointing out and explaining the wide variety of threats that people should know about. Thanks to this month's NoticeBored content on malware, for instance, workers should be in a better position to spot suspicious emails and other situations in which they are at high risk of picking up malware infections. Furthermore, they ought to know what to do when they spot threats - avoiding risky activities (e.g. not opening dodgy email attachments or links) and reporting them.
In April we have the opportunity to take that a step further. What could or should the organization do to empower (facilitate and encourage) alert workers to report the malware threats and other concerns that they spot? What's the best way to overcome the natural reluctance to speak up, which makes 'Keep calm and carry on' seem like the easy option?
There's more to that issue than meets the eye ... making it an excellent open-ended poser to raise and discuss as a group during April's awareness seminars. It brings up issues such as:
- Trust and respect - reporters believing that their incident reports will be taken seriously and in good faith, and recipients trusting that the reporters have a genuine basis for reporting;
- Reasonable expectations concerning the activities to investigate and address reported incidents, following established processes;
- Barriers - the need to overcome inertia and actively encourage, not just facilitate, incident reporting.
In the speaker notes for April's management seminar and in the accompanying management briefing, we will be raising a few issues along those lines but our aim is to prompt or kick-start the discussion in the particular context of a specific customer organization, not to spoon-feed them with the whole nine yards. Each of our lovely customers is unique in terms of their business situations - their industries, locations, cultures, maturity levels, objectives, risks and so on. They got wherever they are today by their own special route, and where they are heading tomorrow is down to them. We believe incident reporting is probably a valuable part of their journey but exactly what part it plays we can't say: they need to figure that out for themselves.
Providing valuable, informative and stimulating information security awareness and training content for a wide range of customers is an 'interesting' challenge. It's the reason we deliver fully-customizable content (mostly MS Office files that customers can adapt to suit their circumstances) and try hard not to impose solutions (e.g. our awareness posters are designed to intrigue rather than tell). That said, information risk and security is clearly our passion and we make no bones about it. We are evangelical about this stuff, keen to spread the word and fire people up. It's what we do.