Most larger businesses and many smaller organizations have now implemented specific policies and procedures setting forth the steps to be followed in the event of a security breach (e.g., composition of the response team, documentation requirements, procedures to be followed in making statements to the press, decision trees for issuing notices to consumers, etc.). One area, however, that is frequently overlooked is plain English instructions for rank-and-file employees to understand what a potential security breach looks like and how to report it. In recent experiences, we have found businesses well prepared to address a breach once it becomes aware of the problem, but the problem frequently takes too long to come to the attention of the right people within the organization. This has led companies to develop brief supplementary policies or guidances to educate employees concerning these issues.
The point is to make sure employees know what to look for (e.g., unusual activity on their workstations, a suspected compromise of a password and username, a lost USB fob, a stolen laptop, etc.) and to whom the matter should be reported. Because almost any employee may be in a position to observe a potential breach, most, if not all, employees should be educated on these issues. In this way, when suspicious activity occurs, employees will recognize it and promptly bring it to the attention of an appropriate manager. Given the range of laws requiring prompt reporting of breaches, ensuring this information gets to the right person in the organization as quickly as possible is critical. Implementing these types of policies or guidances will help establish the business was diligent in addressing the issue, guarantee management is promptly apprised of the problem, and minimize potential damages.