Date: December 8, 2016 | Author: Richard McBarnet
Traditionally, UK companies have been poor at encouraging a positive reporting culture. Even the smallest breaches are typically not reported, meaning minor problems, which could have been nipped in the bud, are likely to get cumulatively worse until they risk the security of the whole system.
Last year’s data breach suffered by TalkTalk, for instance, was caused by a combination of insecure webpages and bugs which left the database vulnerable to cyberattack. Whilst we don’t know what the company culture of TalkTalk is, we can only surmise it is not one that encourages its staff to report vulnerabilities; through a positive reporting culture, breaches could have been dealt with as they occurred, closing the gaps through which hackers gained access, thus preventing a record fine and loss of public trust.
And while large companies can usually afford to ride the storm, small businesses are not so lucky. According to the American National Cyber Security Alliance, 60% of small companies cease trading within six months of a cyberattack. This figure will inevitably go up as the maximum fine the ICO can impose increases from £500,000 to €20 million.
What is a reportable breach?
Security breaches don’t have to be large. In fact, the smallest of actions can start a butterfly effect leading to a cyberattack, meaning any kind of breach needs to be reported. In Information Security Management Policy terms, such instances can be:
- Leaving your workstation without locking your computer screen
- Using a USB stick with unencrypted data
- Opening an unknown email attachment
- Not protecting computers with up-to-date anti-malware software
- Downloading risky and unapproved software
- Insecure disposal of hardware
- Sabotage by a disgruntled employee
- Weak passwords
Why don’t people report breaches?
In many cases, individuals are afraid to report even the smallest breach as they fear they might lose their job. So they try to fix the problem themselves, which increases the likelihood of the breach being left unresolved. In a company that encourages a positive reporting culture, even the smallest breach will be reported, enabling the experts to deal with it promptly.
Catastrophic incidents caused by pressuring employees who are then afraid to report problems are not confined to the IT world. In 1990, the captain of a BA aircraft was sucked out of the plane after the bolts on a newly repaired cockpit window failed and the window blew out. Amazingly, the captain survived, thanks to the actions of his crew. The investigation discovered that, because of the time pressures placed on the maintenance crew, they had cut corners and used the wrong-sized bolts when securing the new window. Had a positive reporting culture been in place, the maintenance teams could have fed back their concerns over the time pressures, and a proper repair, whilst causing delays, could have been completed and a near disaster averted.
How to encourage a positive reporting culture
Managers need to realise that a positive reporting culture will ultimately protect the company. By having a blame and punishment mindset, they actively discourage employees from flagging up potential problems, leaving the business vulnerable. By fostering an open, blame-free culture, people will feel more comfortable reporting data breaches at an early stage when something can be done about it.
How we encourage a positive reporting culture
Although it’s a minor problem, we had difficulties with our own staff leaving their workstations without locking their computers. In order to encourage them to get into the habit of securing their stations, we developed a tongue-in-cheek ‘Hoffing’ punishment, whereby whenever this happened, someone would change the desktop wallpaper to a photo of David Hasselhoff. We also added a points system, and at the end of the week the employee who had been ‘Hoffed’ the most times would have to buy the beers for everyone. It was a fun way of making a serious point: a company’s security is only as good as its weakest link.
If you are worried about the security of your IT systems, or would like to talk to us about managed service provision, contact us for more information.