How to Create a Culture that Encourages Employees to Report Incidents

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

For employees, reporting security breaches can feel like a personal admission of guilt. Self-directed questions like, “Did I click on the wrong link? What if it’s because I visited a website that I wasn’t supposed to? Will I get into trouble?” can take hold, deterring users from escalating suspicious anomalies to their security teams. Matters are made worse when IT teams facing regulatory scrutiny inadvertently foster adversarial relationships with their users and cause even more fear of speaking up.

In the enterprise threat landscape, many of the most common methods of attack—such as phishing, password reuse, and document-macro attacks—target users directly. As a result, symptoms of compromise are usually first observed by employees, effectively making them an organization’s front line of defense. A productive, respectful relationship between IT and users is essential to form a unified response to business-critical threats when they arise.

The emotional impact of being hacked should factor into every organization’s cybersecurity program. More specifically, IT teams should work to cultivate a security culture that emphasizes trust between departments. Below are concrete suggestions for building this kind of relationship.

  • When responding to an incident, don’t punish ancillary behavior. Employees shouldn’t fear punishment for personal browsing when reporting real threats. At the end of the day, ransomware will hurt your business more than Spotify.
  • Acknowledge and thank users reporting phishing attempts. Establish a monthly or quarterly reward for reporting and forwarding phishing emails to the security team.
  • Help employees stay up-to-date on security happenings by creating approachable security bulletins. These can highlight detection and mitigation successes and the employees who caught them.
  • Don’t single out users for public punishment following incident response. Attempting to shame employees for security failures signals to other teams that IT is an adversary, not a resource. In cases of fire-able offenses, the punishment is a business decision and not the responsibility of the IT team.
  • Practice empathy when writing corporate IT policy. Regulatory mandates and best practices take precedence, but forcing users to change their high-entropy 20-digit passwords every month will lead to circumvention of intended security controls. For example, employees may bypass best practices with workarounds like: “Pa$$w0rdPa$$w0rdPa$$w0rdJan” then “Pa$$w0rdPa$$w0rdPa$$w0rdFeb” and so on, which isn’t really securing your systems.
  • Introduce anonymous channels for employees to offer general suggestions and feedback about how security impacts them.
  • When interviewing users during investigations and post-mortems, don’t approach the conversation chronologically. Ask them to recount what happened starting with impact then moving backward to the source or cause of the incident. This is a common investigative technique that leads to more truthful answers, because it builds rapport by avoiding immediately addressing emotionally sensitive issues of blame.
  • Collect and track metrics measuring latency between system compromise and communication of the issue to IT. Without data, there is no fair way to measure a security’s programs strengths or failings when it comes to informing and building trust with your user base
  • Even security professionals can fall victim to a drive-by malvertising attack from a reputable website. When working with employees who have been the source of a breach, acknowledge how novel and sophisticated many attacks can be. Assuring users that mistakes can happen at all levels of security helps alleviate unnecessary feelings of hopeless.

Even with the best detection technology, attacks can propagate across the most finely tuned and managed systems for precious hours before security teams hear the chimes of automated alerts. An employee who feels comfortable speaking up, however, can chime in before even the highest end technology might detect a problem. Building a safe and trusting relationship with employees can be the difference between catching an intrusion before it occurs and suffering severe business impact at the hands of an attacker. It can be the difference between knowing what happened immediately and losing response time playing investigative catch-up. Security that works for users is security that works for organizations.


Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.

Risk Areas: Cyber

I am: Legal + Compliance-focused, In the C-Suite or a Director

Tags: security breach, cybersecurity program, incident



Commentary, new discoveries, and innovative ideas right to your inbox.

Stroz Friedberg

Sorry! You are using an older browser which is not supported by this website.

Please download one of these free browsers to enjoy all our website has to offer:
Firefox, Chrome or Internet Explorer.