How are you encouraging staff to report anything suspicious?
"What we’ve emphasised to colleagues is that there is no blame for over-reporting. We’d always rather know than not know."
Ben Aung, global CISO at Sage, talks to Sooraj Shah about how to engage the whole workforce with cyber security issues.
Ben Aung was a speaker at the very popular R3 cyber security conference, which ran from 15 to 24 September 2020. If you missed it, then it’s not too late: you can still watch on demand.
And how are you encouraging staff to report anything suspicious? Has anything changed in the way you do that?
So we have a few mechanisms for people to report anything that concerns them. So we have buttons in our email software. We've got email addresses, and so on.
I think more than changing the way that people report, or asking to do anything particularly different in terms of how they report, what we really emphasise with colleagues is that there is no blame. There will be no repercussions for overreporting. In fact, we welcome any issues that they're at all concerned about or worried about-- that they let us know. We'd always rather know than not know. And so, if anything, we've been encouraging colleagues to overreport, or report more, rather than change the way that they report.
So have some of those concerns been around other things that they use at home, perhaps things that they're not used to from being in the office-- being away from the office?
I think the main issue, as we see it, is that the support network, that kind of physical support network that our colleagues have-- the people sitting around them, the people that they might speak to at the water cooler, or at the coffee point-- are no longer there. So we sought to kind of try and replace that support network, in terms of the way that we've leant it, and encourage colleagues to think about, and talk about, and ask about security issues.
So the main challenge, I think, has been, for people, maybe things that they might have just sort of leant over to the next desk and said oh, you know, this looks a bit funny. What do you think? What do you think I should do? That is no longer possible. It's much harder for people to do.
So we assume that they are going to encounter these situations where something happens on their computer, or something happens on the internet, which they're unsure about. And so instead of having someone to ask immediately within the same office as them, we give them other avenues, or make sure that they understand which avenues they should use to let us know.
So, those avenues-- are those the intranet that you mentioned, and are there any other mechanisms as well?
So, you know, like most big companies, we have a way that colleagues can report phishing attempts, for example, so that they can alert our security team to an email which they think is suspicious. Then we can act on it. So if we receive a suspicious email, and one colleague reports it, it means we can remove it from everybody else that received it, and act on it quickly in that way.
So we have kind of automated, very straightforward and intuitive ways for people to look for anything they're unsure about. But we also encourage colleagues to use their line managers, our email address, which is manned 24/7, and any other interaction that they have with either the security team or the IT team to make people aware of anything that's worrying them.
We haven't seen a significant uptick in incident reporting or incidents. I think the nature of the incidents, or the nature of the reporting, shifted a little bit. So we've probably had more false positive reporting, which is a really great sign, to have people telling us about things which aren't the problem. But we're really glad that they did, because it shows that they're kind of alive to the issues, that they're thinking very carefully about anything that they might be suspicious about. And rather than ignoring it, they're telling us about it.
So while we've not seen a huge increase in phishing emails, for example, we have seen more positive engagement from colleagues in the business. Maybe they're responding to things that happened to them, or commenting on articles that we publish on the internet and so on. So there's an overall uplifted engagement, but nothing material in terms of the volume of reporting itself.