3

We experienced a very interesting phenomenon in the last 6 months: some employees found and reported a few very crucial security issues to our security teams. We have been thinking about encouraging this type of behavior (we think employees should feel comfortable reporting security vulnerabilities they have identified), but we are not sure how to do it.

Filipon

3 Answers

5

The best way is recognition - after a security issue has been identified or fixed, send them an email award template and CC their manager. The value to them is being able to refer to this item in pay reviews and discussions with management.

Outline what is considered a security issue and what isn't to try and filter noise.

Add another level to this with a reward system - every month or quarter, provide an award to those who have reported security issues. Base it on the reporter's number of issues, the severity of the issues reported, or at random. Ensure that comms go out either company-wide or department-wide about the winner of the quarter or month and what they received as a reward.

Ideally, what you are trying to do is build up security champions in the company, so that they not only report issues but also influence those around them to do so.

McMatty
3

In my experience, users do not report security issues because of a couple of reasons:

  1. They don't care or believe it's not their job
  2. They don't understand the possible impact of a security vulnerability and so they leave it
  3. They are afraid it might expose their negligence in certain situations

In order to combat the above reasons, you might try two things:

  • Security awareness training
  • Bounty programs, anonymous or otherwise

I covered an incident at a company that was sending credit card information over email throughout their internal network. After they got hacked, I interviewed employees to get more information on when they had started this process of sharing sensitive data over email. The employees told me a date, and then 75% of them, without me asking, told me they had always thought it was a bad idea. So the question remained: why didn't you say anything?

It was mostly because of numbers 2 and 3 above. You need to make it clear that the goal of security is to improve the overall posture of the organization. Stress that users are not the problem, but that the bad security culture needs to change as a whole. This is ultimately management's responsibility and problem.

pm1391
1

What you need here is to develop a culture that detects security issues and responds to them.

One easy way to get the ball rolling is by managing the desktop wallpaper of your organization's computers, so that it shows a new security topic every one or two days. When the user logs in and waits for login to complete, the wallpaper will show a nicely designed infographic about a security matter that is not hard for the average user to grasp.

Over time you can start adding new ways to develop this culture, like workshops, an award system, etc.

daygoor

  • Can you give more ideas, as the ideas you suggested with wallpapers and an award system are very smart! – Filipon Oct 08 '18 at 12:38