Do Your Employees Know How to Sound the Alarm?
By Rob Lelewski, CISA, CRISC, CISM, CCE, CISSP-ISSMP, EnCE, GCIH
The Nexus | 9 October 2017
Last week, my 4-year-old son learned the purpose of 9-1-1, the number used to summon police, report a fire, or communicate other emergencies in Canada, the United States and a handful of other areas. He learned about it during a fire safety day at his day care, courtesy of visiting emergency personnel.
Later in the week, I was working with a client on their incident response process. The client had clearly spent ample time developing their incident response process and, over the years, it had matured into a well-oiled machine. While evaluating the incident response process, I noticed a gap in the process: The mechanism to sound the alarm and report an information security event was not defined. I became curious and started asking various employees, ranging from the administrative assistant to human resources personnel, whom they would contact if a clear information security event had occurred. Ten different employees provided 10 different answers on who should be contacted.
While pertaining to completely different topics, my son’s educational experience was parallel to my client’s problem: If you do not teach everyone in the organization, from the top down, how to properly report an information security event, the organization’s well-oiled incident response process is difficult to initiate.
The Impact of End Users
Organizations spend a percentage of their budget on information security-related technology, training and personnel. This technology helps information security teams identify and respond to incidents, both large and small, and continually adapt to the changing threat landscape.
However, what information security programs often overlook is the need to ensure that the end users, the non-information-security employees, understand their obligations when they spot a potential information security event. If the enterprise’s end users, from the top down, all adhere to a different set of rules when sounding the alarm, a consistent response is unlikely to occur.
End users are a powerful and inexpensive force multiplier to your organization’s information security posture, (hopefully) helping to reduce the risk of known and emerging threats. Having each end user respond in a consistent way when reporting a security event is just as valuable as the latest security appliance.
Provide an Information Security 9-1-1
Having an internal method to sound the alarm for potential information security events is absolutely key for the average end user to report an information security incident. The lack of a well-known method to sound the alarm militates against the enterprise’s incident response process and runs afoul of best standards. Depending on preexisting organizational capabilities, this may be accomplished by leveraging the help desk or by providing a group email address that is monitored by information security. Regardless of the method used, all end users must understand the internal alarm method. This method should be reinforced during annual and onboarding trainings, and by posters in the break room similar to the “If You See Something, Say Something” campaign often seen in airports or train stations.
Just like my son now knows to call 9-1-1 in case of an extreme emergency, employees need to understand who to contact, and how to perform the communication, should they identify a possible information security event. Instead of letting a concern become buried because it does not make it to the right person, the enterprise’s information security process may be executed in a quick and efficient fashion.
Rob Lelewski, CISA, CRISC, CISM, CCE, CISSP-ISSMP, EnCE, GCIH, is a team lead for Secureworks’ proactive services and focuses on helping organizations prepare for cyber security incidents by creating and reviewing incident response plans, performing tabletop exercises, and conducting other activities to help improve his clients’ security posture. He is a regular contributor to The Nexus.