This blog post explains why you need to develop an incident reporting culture and how to go about it.
It may seem a little defeatist to spend precious IT time and resources planning how you might respond to a data breach, but in fact it is simply realistic.
Even the UK’s National Cyber Security Centre acknowledges that it is impossible to protect against everything that might happen.
And when something does happen, it is best to be prepared – so your teams know how to respond and everyone understands their responsibilities. This means crafting a detailed incident response plan. Ideally, this should include detailed response playbooks to address the different types of cyber threats.
Developing incident response plans in advance is important because the sooner you can respond, mitigate and remediate threats, the less damage they can do and the less risk to your organisation. Similarly, identifying incidents early is critical to your success.
Staff are going to be one of the key sources of information about cyber security threats – whether that is reporting a suspicious email they have received, letting you know when they have clicked on a dodgy link, or advising you when the right processes aren’t being followed.
Because you are relying on your staff, creating an environment where everyone not only feels safe reporting potential problems or threats, but actively embraces their responsibility to do so, can hugely improve the success of your cyber security incident response.
If staff don’t feel comfortable reporting everything that might be relevant to the cyber security team, incidents and threats are going to be missed. Apportioning blame, ridiculing people, or responding negatively or punitively stifles communication and openness about potential threats. This stymies opportunities to respond quickly – or at all – and reduces opportunities to learn from events or to prevent them from happening in the future.
It’s vital to create a culture where people feel free to report anything that happens – even if it is their own actions which have caused the issue.
So how do you create an incident reporting culture where everyone is focused on what is best for the organisation rather than on protecting themselves?
Culture change depends on leadership and communication.
First, the processes must be in place to make reporting easy and accessible. These processes should then be communicated widely and clearly throughout the organisation, so that everyone knows how to report a breach – and does so immediately.
The emphasis should be on reporting concerns as quickly as possible for the benefit of the organisation.
Engage people with the process. Investigate fairly. Talk to everyone involved and explore the incident as it unfolded. Don’t judge on outcomes. Ensure that everyone understands this is an opportunity for improvement.
For those who do report an incident and others involved, have processes in place that ensure they are kept abreast of how the incident has been responded to, including progress and actions taken.
Communicate more widely throughout the organisation about the successes. Incident reporting should be an anonymous process, but that doesn’t prevent you from sharing details about the response and remedial action, or from celebrating success: whether that’s the reporting of a threat, the offer of new cyber awareness training opportunities, or a successful mitigation. Wherever possible, highlight the benefit of early reporting.
Roll out training, if required, in response to incidents. Celebrate this as a learning opportunity. And walk the walk in your own team too: feed the IT team’s learnings about every response into your incident response plans.
When people can see the organisation improving as a result of their ability and willingness to speak openly, this will reinforce the development of a positive incident reporting culture.
Would you like help and advice about incident reporting, developing incident reporting plans and processes or nurturing a positive incident reporting culture in your own organisation? The Grant McGregor team are on hand to assist.