Reporting or seeking advice about security vulnerabilities - the human side

Human error can happen to anyone – an example scenario

Imagine that you are a not-so-technically-savvy member of staff in a business whose customers are worried about privacy and security. One day, you receive a very official-looking email asking you to reset one of your system passwords. You follow the link, you enter your old password, then a new password and go about your day.

Later that day, you hear a colleague talking about a very clever phishing email that lots of staff in the business received. Everyone is laughing at the funny signs that it was a phishing email and how embarrassing it would be to have clicked on it.

You know you've messed up and you don't how what the penalty for this will be. More than that, you really don't want everyone knowing what a silly mistake you made. Do you tell someone about what happened? Or do you pretend it didn't happen and keep working?

Quiz

Is your business vulnerable?

Answer 3 questions to find out.

Do you have an anonymous channel for people to seek advice if they think they've fallen for a scam?

You don't know or are unsure if you have an anonymous channel for people to seek advice if they've fallen victim to a scam

Often businesses have excellent automated vulnerability assessment systems, but haven't properly addressed how embarrassing and difficult it can be to come forward when you have fallen victim to a scam. An anonymous channel where people can seek advice around this removes this information roadblock.

You have an anonymous channel for people to seek advice or support if they've fallen victim to a scam.

Great! Often businesses have excellent automated vulnerability assessment systems, but haven't properly addressed how embarrassing and difficult it can be to come forward when you have fallen victim to a scam. An anonymous channel where people can seek advice around this removes this information roadblock. If you have a system that people truly trust and feel comfortable telling you about anything, then that's a good place to start.
Is your reporting channel compliant with your requirements under your cyber insurance policy?

Your reporting channel for vulnerabilities might not be compliant with your cyber security policy.

Often people don't know whether their reporting system is sufficient for the purposes of disclosure obligations under cyber security insurance. It's a good idea to check on your policy, and always make sure a safe and secure channel exists so you can make sure your insurance company is satisfied with your approach.

Your reporting channel for vulnerabilities is compliant with your cyber security insurance policy.

Very good. Often people don't know whether their reporting system is sufficient for the purposes of disclosure obligations under cyber security insurance. It's a good idea to check on your policy, and always make sure a safe and secure channel exists so you can make sure your insurance company is satisfied with your approach.
Is there a dedicated person in your organisation responsible for receiving and responding to notes or disclosures about possible system vulnerabilities?

You don't have someone who is responsible for receiving and responding to notes and disclosures about vulnerabilities. Or you don't know who this person is.

Technical teams are busy, and it's sometimes difficult to ensure that vulnerabilities are picked up and acted upon. There are a range of technical tools available for automated vulnerability mapping, but the difficult one to address is the human question – do your people feel safe talking to someone about an issue they've found? And is this person in the right place to receive and act on these notifications?

You have a dedicated person who is responsible for receiving and responding to notes about vulnerabilities and follow them up.

Excellent. Technical teams are busy, and it's sometimes difficult to ensure that vulnerabilities are picked up and acted upon. There are a range of technical tools available for automated vulnerability mapping, but the difficult one to address is the human question – do your people feel safe talking to someone about an issue they've found? And is this person in the right place to receive and act on these notifications?

Your results

Book a meeting:

Update results:

Why there is a human side to security vulnerabilities

Offsite access to critical business systems and storage of sensitive business data has grown increasingly common. Keeping access to these systems secure, while also allowing day-to-day business to operate is why there is an ever-increasing investment in cyber-security infrastructure and processes across all sectors.

Often, it is human nature that contributes to points of weakness in otherwise secure systems. In addition to training programs, and robust security monitoring tools, it's become essential to ensure staff and contractors can speak up when they have found an issue, or when they have fallen victim to a phishing exploit.

There might be political reasons why it's hard to speak up about technical vulnerabilities, or staff might understandably be embarassed to admit they have fallen for a scam.

Elker is designed to address these issues by making it more comfortable to seek advice or report any kind of issue. With a dedicated channel for reporting vulnerabilities or for seeking advice after falling for a phishing exercise, we can prevent slip-ups becoming major security breaches and save a lot of time doing clean-up.

Next steps

How we can help

Ensure no-one feels fearful of speaking up about vulnerabilities or security exploits with anoymous reporting channels.
Provide a safe place to be notified of fears about phishing, access control and other vulnerabilities.
Optimise your cyber incident response plan, and minimise clean up costs.