When it comes to risk management, visibility is a crucial component that enables organizations and physical security teams to identify, assess, and monitor potential threats to their operations. Without a clear understanding of existing security risks, mitigating these threats and protecting people, places, and assets from future attacks or preventable events becomes even more difficult to achieve. Visibility allows organizations to gain a comprehensive view of their internal and external environments, enabling them to identify emerging risks earlier and take the necessary measures to manage them or prevent them altogether.
With robust incident reporting and tracking tools and processes in place, organizations and their security professionals can not only minimize their exposure to potential risks but also build resilience by responding to threats quickly and effectively. Which is why visibility plays an essential role in any security risk management solution.
Why is incident reporting so important for my organization?
How do you ensure that you have visibility into all the security incidents that take place across your organization? While you’re likely aware of the major incidents and threats that could cause business disruptions, the seemingly minor incidents could be leading indicators of something more severe, such as:
- Unreported personnel issues — such as harassment — can easily escalate into bigger, more threatening issues;
- A cluster of lower-level incidents in a given location can be an indicator of a security gap that may eventually lead to something more serious;
- A simple incident can go from minor to major — such as a missing laptop initially being a minor loss of hardware before turning into a major loss of IP.
The challenge is getting all of these incidents captured in a timely manner so that they can be reviewed and managed by the security team. When your security team is already strapped for resources, how do you ensure that all incidents are reported?
That’s where the value of an incident reporting portal comes into play. By better engaging the business, you can capture incidents without putting more strain on your security resources. Even if you’re unable to address each and every submission, you’re still getting a full picture of all the incidents impacting the business and can prioritize and report on them accordingly.
There are five key considerations for launching an incident reporting portal.
1. Understand your incident reporting audience and purpose
The first step is to clearly articulate who you are targeting with the incident reporting portal and incident types that you are trying to collect. Is this going to be a tool for employees to report theft? For the public at a university or college campus to report suspicious behavior? The key to defining which incidents to collect data on is to start small and be specific. Don’t look to collect every incident from every audience while building your program.
It’s equally important to consider your audience when writing an incident report. If it’s for an internal source, you don’t need to provide the same information as you might to an insurance agent or other authority investigating an incident. For example, you wouldn’t specify a person’s title or length of employment in an incident report for the head of your security team, HR representative, or member of management, as they likely already know that information.
The purpose of incident tracking and reporting is to record an event with the goal of reducing and taking measures to prevent risks within your organization, and hopefully determining why the incident occurred. To successfully do so, reports must be neutral and specific — regardless of their audience. This means avoiding biases while providing details of the incident.
2. Know the pros and cons of anonymous submissions in incident reporting
In a perfect world, we would always know who submitted an incident. But there are tradeoffs that need to be balanced as you choose whether or not your incident reporting portal will be anonymous. It’s important to consider that an incident portal with credentials will allow you to go back to the reporter and ask for additional details. In most cases, this isn’t an option for anonymous portals or hotline incident submissions.
Anonymous portals are generally easier to implement. The lack of need for credentials also makes them much easier to deploy. More pros to anonymous submissions include:
- They generate more incidents, particularly if they are sensitive
- Incident tracking software allows you to ensure that all reports are addressed with the reporter
- Reports can provide valuable insight into your organization’s culture
On the other hand, there are cons to anonymous submissions, such as:
- A greater possibility for information gaps as there’s no way to go back to the reporter
- Chances of false reports or an increased number of maliciously reporting specific people as persons of interest
- “Witch-hunting” for the anonymous reporter once the case or investigation begins
If your goal is to increase visibility into what’s actually happening in your organization and see everything, then anonymous is the way to go. If you need to go back to people for more information, you should work to credential or identify your users (this can be made straightforward with employees through SSO connections).
3. Build up your incident tracking technology infrastructure
Once you decide on the type of incident portal to deploy for your organization, you can pick a technology to help get you there. When looking to implement a new incident tracking infrastructure, you need to be aware of the potential risks and your organization’s needs. Here are three common options to help you deploy an incident reporting portal:
Vendor-provided incident tracking solution
If you’re using an incident management software solution, it more than likely offers a portal option. Particularly for incident portals that require credentials (non-anonymous), this will be the easiest and most cost-effective option. Vendor-supplied portals also provide the benefit of being directly tied into your incident management and investigation platform or software solution.
Vendor risk management (VRM) allows your organization to take the necessary steps in order to decrease the risks resulting from issues with data security, regulatory violations, and business disruption.
VRM software enables your security team to reduce the impact and severity of potential incidents by better understanding the volume and complexity of vendor risks. With a vendor portal, your risk management team will have visibility to several vendor reports, as well as evaluate and review certifications.
Company intranet as an incident reporting solution
Many organizations have an intranet to communicate with employees and stakeholders. Intranet administrators should be able to create a form for incident submission. Once created, the rollout is relatively straightforward if the portal is already in use.
A company intranet is an effective way to take a proactive approach to incident tracking. It can be used not only as a tool to create and submit incidents but also to showcase your organization’s culture by promoting policies surrounding reporting incidents for safer work environments.
Another benefit to a company intranet is the fact that they’re often reliable, providing added security against threats to your organization. However, one major downside is the dependence on the intranet product owners (usually IT) to get the system up and running.
Workflow tools for incident management
If neither of the above is in place, a simple incident tracking or reporting portal can be built on products like Google Sheets or Microsoft SharePoint. Portals should be simple, so it’s likely that someone in-house has something that will work. The main drawback to these incident reporting solutions is that they’re disconnected, so added data entry and adoption can be tricky. They are also not always accessible through mobile devices or other “on-the-go” incident reporting options.
One benefit to building your own incident reporting portal is the fact that it can be tailor-made to your organization’s needs. This means that you could have the option to track events in real-time, giving you further insights into your incident reporting, thus allowing you to quickly implement change.
Best practices for incident portal adoption
Technology is not the make or break for portals. We’ve seen all the above work perfectly well. What matters more is overall user adoption and rollout. There are several best practices that you can employ in your technology choice that will enable you to improve portal adoption.
Ease of use in your incident reporting solution
You don’t want to have to overly train people on how to use the portal. You also don’t want to have an incident tracking system that’s difficult to figure out. Having a platform that’s both user-friendly and allows for simplified incident reporting is beneficial for security teams who monitor and track incidents, as well as employees who use the tools to report events.
There is a natural trade-off in technology between simplicity and depth of data. In this case, go for something simple. We recommend keeping the number of fields to around five. This way, it’s less likely that there will be user error when reporting incidents, which means that your corporate security teams will both track and manage events more efficiently.
If possible, it’s best to build something dynamic. These customizable forms can be created for different types of incident reports, as each one requires different information. This way, users can select the type of form they need and then have it only display what’s relevant to that specific type of incident.
Dynamic forms can eliminate the human error associated with manual form entry while saving time by automatically filling out specific fields. Most conveniently, the automated submission means that the correct person receives the form, and is able to start the investigation process.
When it comes to incident tracking, dynamic forms clearly outline what pieces of information are required when reporting, which leads to less confusion. After all, asking people to skip irrelevant fields is a common cause of poor-quality data or low completion rates.
Use plain language
While you may be tracking countless incident categories, you shouldn’t present that to your users. Give them a small list to select from. Or, just give them a text box to describe what happened and have your security team triage it on the admin side. Better yet, make it so that the provided list is simplified with verbiage that users feel comfortable with. You can’t expect a broad audience to know your nomenclature.
If you want them to report a stolen laptop, just ask for the pertinent details (when, where, what, etc.) instead of requesting that they provide serial numbers or other details that they may not have readily available, but your security team will.
Create a narrative
It takes more time and effort to code an incident from free-form text — but it’s your best bet if you want the best quality data. To ensure that users think of all the relevant details, try using simple language so that your portal asks the questions that you would normally ask when receiving a call about the incident:
- What happened?
- When did it happen?
- Do you have pictures?
- Are there additional details to include in the incident report?
Once the data is in the portal, your trained security professionals can better code incidents to meet your reporting requirements.
4. Create a communication plan for process rollout
A perfectly designed portal is rendered useless if no one knows that it’s there. Giving people a separate login to an incident-specific portal is unlikely to work. It is best to use existing credentials via single sign-on (or a similar secure authentication method) and to have the links available where people already do their work.
Adding a link in your organization’s intranet is often best practice. Incident reporting isn’t usually a regular part of a person’s job — unless they’re part of your security team — so making it available somewhere easily accessible will definitely improve adoption.
Beyond that, you’ll need to communicate where to find your incident reporting portal and why it’s important to fill out and track incident reports. To do so, it’s critical to have a solid communication plan.
5. Remember to follow up
Getting post-incident-report follow-up right will dramatically increase your situational awareness, but it’s also going to create more work. Automating the triage and response process as much as possible is recommended. If you’re more interested in incident tracking over-reporting, you can automate a response to the sender for certain types of incidents. Being prepared is important. If you ask someone to report more frequently, but they feel as though there’s no impact because it hasn’t been addressed, they may feel disempowered and stop submitting.
In the long run, seeing and understanding the full picture will save your business time and money — even if it takes more time upfront. Data is at the heart of security. Having accurate and timely data drives the situational awareness needed to effectively respond to incidents and threats, and provides fuel for the analytics that helps you deploy your resources (such as guards, cameras, and policies) to be the most effective. Portals are a great tool to ensure that you are getting the best quality data from your incidents.
Learn how a five-stage security maturity model can guide you in growing your organization.