Why Security Incidents Often Go Underreported

If you saw a coworker browsing through a database they weren’t supposed to have access to, would you report it? What would you do if you accidentally clicked on a link in a phishing email?

Most people would say they’d do the right thing and let the IT or security team know. But saying you’d do the right thing is very different from actually following through. A recent study from ISACA showed that employees are underreporting security incidents, even when reporting is required. In addition, security professionals don’t always trust their team’s ability to detect and respond to cyberthreats.

Combined, these two issues make organizations even more susceptible to data breaches and compliance violations.

Will I Lose My Job If I Report a Security Incident?

Upper management might be unwittingly hindering the reporting of security incidents. According to Nominet, a third of CEOs said they would fire a chief information security officer (CISO) if they believed that person was responsible for not spotting a data breach.

Because there are few cybersecurity experts in any given organization, security incidents are widely misunderstood. Not every cyber incident is a data breach, yet “breach” is used as a catch-all term for anything that happens. Perhaps this lack of precise language puts someone unnecessarily at risk of reprimand (or worse), so they decide not to report? Or maybe they are so worried that a simple mistake, like following the directions in a spear phishing email, could result in termination that they let the company deal with any repercussions instead?

I know people who are so concerned a phishing email could cost them their job that they won’t even report the email, whether or not they clicked on a link. Creating this level of fear in employees doesn’t help anyone. In fact, it hurts the entire security posture of the organization.

Who’s In Charge of Security?

Employees don’t underreport just because they want to keep their jobs; they underreport because they may not know the reporting procedures or even who is responsible for cybersecurity issues. If there is a CISO, that helps clarify things, but not every organization has a defined CISO role, and some organizations have a structured reporting system in which the manager closest to the employee is notified first. But does that manager know what to do when confronted with a security incident?

“Governance dictates confidence level in cybersecurity,” Frank Downs, director of ISACA’s cybersecurity practices, said in a formal statement. “When the cybersecurity team reports directly to a designated and experienced cybersecurity executive, cybersecurity teams report having significantly more confidence in their team’s capability to detect attacks and respond effectively.”

But even among executives, there is a lack of clarity about who is in charge of cybersecurity. Again, it isn’t always the CISO. In many cases, the CEO takes ultimate responsibility for any security incident. In serious data breaches that require public relations mediation, it is often the CEO who becomes the face of the breach and is held responsible for the company’s failure to protect consumer data. The problem, however, is that most CEOs aren’t familiar enough with cybersecurity to be responsible for incident reporting or mitigation. If the CEO sits at the top of the security reporting structure, does that executive know what to do with the information?

Again, the lack of a true reporting policy or having an inexperienced executive making crucial decisions ends up hurting the organization’s security posture. In this case, if there is a data breach, it could be the CEO who loses their job.

How the CISO Can Right the Security Ship

There is clearly a huge disconnect between employees at all levels and the responsibility for reporting and mitigating security incidents. Closing that gap requires the CISO to step up and take charge.

According to ISACA, employees feel most confident about the security team when the CISO is a strong, clearly defined leader. It may come down to working with the organization’s board of directors to create that line of leadership and designate a direct reporting ladder, with the CISO as the top rung, answering directly and only to the board on security issues.

The CISO should also provide a well-defined, readily available security policy that covers security incident reporting and the penalties for violations. An employee shouldn’t have to worry about their job security when they report an incident, but at the same time there should be defined consequences if an employee knowingly fails to report an incident when compliance regulations require it.

This policy should define the security reporting line, which should be someone within the security team and not the business management structure; what situations must be reported by law or company policy (and what could happen legally if that’s not followed); what situations management highly recommends be reported; and whether this can be done anonymously. Punishments for not reporting or for being responsible for a security incident should also be spelled out.

Finally, every employee has a role to play in an organization’s security posture, and it is up to the CISO to make sure that happens. This includes regular security awareness training and naming employees across the business as part of the security team. These employees wouldn’t be responsible for mitigating an incident, but they would be a familiar face within each department, which makes reporting more comfortable than it would be with strangers or executives.

When security events and data breaches are underreported, the organization pays a high price in long-term mitigation costs, fines and loss of reputation. Employees need to know they can report incidents without retribution, and it is up to the CISO to make the reporting environment welcoming.