Manufacturers: Get Ahead on Cybersecurity Before it’s Too Late
Blog

Strengthening Security and Compliance with Incident Reporting

CPAs & Advisors


Whether it is reporting a phishing email or something that might be illegal that a coworker is doing, your employees should be a strong line of defense for security and compliance.

According to Gartner, almost 60 percent of all misconduct that is observed in the workplace never gets reported. For decades both compliance officers and security leaders have known that the earlier employees report incidents, the lower the risk. Yet low reporting rates continue to be a problem. 

One of the top cybersecurity incidents is phishing, so most organizations are using simulated phishing attacks to test not only who will click on these attacks but also who will report this as an incident using the reporting procedures. From results published in early 2022, F-Secure did a test with four multinational organizations to send a simulated phishing attack to more than 82,000 workers. Two of the companies that did not have an easy way to report suspected phishing attacks had an average reporting rate of less than 15%, while a third company that did have a phishing alert button had a 45% reporting rate.

See Something, Say Something

Incident reporting for compliance and security is related to the culture within an organization. If you feel as though you are going to be listened to, you will report it. Reporting also should be easy with reminders of how to report. 

According to Perry Carpenter in his book “Transformational Security Awareness,” three fundamental questions are the framework for incident reporting.  

  • “Why”is the messaging on the importance of incident reporting
  • “How” is making the incident reporting process as simple as possible
  • “What” is your “See something, say something” communication and education campaign that combines the first two 

Incident Reporting Is Everyone’s Responsibility

It’s critical that you remind everyone at least monthly about the reporting process.  For phishing, this would be a simulated phishing campaign monthly for most organizations. Think of it like a fire drill and practice for reporting. Also, don’t just look at click percentage but celebrate those that do report. 

For compliance training programs, don’t be afraid to be redundant. Remember to think like a marketer – they constantly remind us of their products, so we need to be persistent in our reminders when it comes to security and compliance training programs. 

Incident Reporting and Security Culture

If you are just checking the compliance and security boxes with your program, employees will likely only do the minimum, too. Some of the most successful organizations are teaming up security and compliance into a collaborative workstream to reinforce the message that it’s not just the compliance officer or the security team that wants you to come forward – the entire organization does. This approach, with monthly training, can have a serious impact on reporting across the board with a subsequent reduction in risk.

Information used in this article was provided by our partners at KnowBe4.

Want To Learn More?

Connect with one of our professionals today.