Corporate Security

5 Key Considerations for Effective Incident Reporting and Tracking

By Will Anderson Modified October 4, 2019

Do you have visibility into all the incidents that take place across your organization? While you’re likely aware of the major incidents that cause business disruptions, the seemingly minor incidents could be leading indicators of something more severe, such as:

  • Unreported personnel issues such as harassment can easily escalate into bigger, more threatening issues.
  • A cluster of lower level incidents in a given location can be an indicator of a security gap that may eventually lead to something more serious.
  • A simple incident can go from minor to major. For example, a missing laptop can quickly go from a minor loss of hardware, to a major loss of IP.

The challenge is getting all of these incidents captured in a timely manner so that they can be reviewed and managed by the security team. When your security team is already strapped for resources, how do you ensure that all incidents are reported? 

This is where the value of an incident submission portal comes into play. By better engaging the business, you can capture incidents without putting more strain on your security resources. Even if you’re unable to address each and every submission, you’re still getting a full picture of all the incidents impacting the business and can prioritize and report on them accordingly.

There are 5 key considerations for launching an incident submission portal.

1. Understand Your Audience & Purpose

The first step is to clearly articulate who you are targeting with the portal and the types incidents that you are trying to collect. Is this going to be a tool for employees to report theft? For the public at a university or campus report suspicious behavior? The key in this is to start small. Don’t look to collect every incident from every audience.

2. Pros and Cons of Anonymous Submissions

In a perfect world, we would always know who was submitting an incident, but there are tradeoffs that need to be balanced as you choose whether or not your portal will be anonymous. A few things to consider: 

  • A portal with credentials will allow you to go back to the reporter and ask for additional details. In most cases, this isn’t an option for anonymous portals.
  • Anonymous portals will generate more incidents, particularly if they are sensitive. If you are asking for contact info, people will think twice before submitting.
  • Anonymous portals are generally easier to implement. The lack of need for credentials also makes them much easier to deploy.

If your goal is to see everything, then anonymous is the way to go. If you need to go back to people for more information, you should work to credential your users (this can be made straight-forward with employees through SSO connections.)

Streamline your security efforts with the Incident Management Workflow Template Download Now

3. Build up your Technology Infrastructure

Once you decide on the type of portal that you are deploying, you can pick a technology that will get you there.

3 common options to help you deploy an incident portal

Vendor Solution

If you are using an Incident Management Software solution, there is more than likely a portal option. Particularly for portals that require credentials (non-anonymous) this will be the easiest and most cost-effective option. Vendor supplied portals also provide the benefit of being directly tied into your incident and investigative system.

Company Intranet

Many organizations have an internal intranet that is used to communicate with employees and other stakeholders. Intranet administrators should be able to create a form for incident submission there. Once created, rollout is relatively straightforward if the audience is already using the portal. The major downside is the dependence on the intranet product owners (usually IT) to get the system up and running.

Workflow Tools

If neither of above is in place, a simple portal can be built on products like Google Sheets or Microsoft SharePoint. Portals should be simple, so it is likely that someone in-house has something that will work. The main drawback to these solutions is that they are disconnected, so added data entry and adoption can be tricky.

Best Practices for Incident Portal Adoption

Technology is not the make or break for portals. We’ve seen all the above work perfectly well. What matters more is overall user adoption and rollout. There are several best practices that you can employ in your technology choice that will enable you to improve portal adoption.

Ease of use

You don’t want to have to overly train people how to use the portal. There is a natural trade off in technology between simplicity and depth of data. In this case, go for something simple. We recommend keeping the number of fields to around five.

Dynamic Forms

If you can, it’s best to build something dynamic. If different types of incidents require different information, have your user select the type first and then have the form only display what is relevant to that specific type of incident. Asking people to skip irrelevant fields is a common cause of poor-quality data or low completion rates.

Use plain language

While you may be tracking 100 incident categories, you shouldn’t present that to your users. Give them a small list to select from. Or, just give them a text box to describe what happened and have the security team triage it on the admin side.  Don’t expect a broad audience to know your nomenclature. If you want them to report a stolen laptop just ask the pertinent details (when, where, what etc.)

Create a Narrative

It takes more work to code an incident from free form text but if you want the best quality data, this is your best bet. To ensure that the users think of all the relevant details, try using simple language to ask the questions that you would ask if you were to receive a call about the incident:

  • What happened?
  • When did it happen?
  • Do you have pictures?
  • What else can you tell us?

Once the data is in the portal, your trained security professionals can better code the incidents to meet your reporting requirements.

4. Create a Communication Plan for Process Rollout

A perfectly designed portal is rendered useless if no one knows that it’s there. Giving people a separate login to an incident specific portal is unlikely to work. It is best to use existing credentials via something like single sign-on and to have the links be available where people already do their work. A link in the intranet is often best practice. Incident reporting isn’t usually a regular part of a non-security person’s job, so making it available in a place that they can easily access will definitely improve adoption.  

Beyond that, you will need to communicate where this is and why it’s important. You will need a good communication plan that includes various ways of telling the team where to find the form and why it’s critical for them to participate.

5. Remember to Follow Up

Getting this right will dramatically increase your situational awareness, but it’s also going to create more work. You will want to try to automate the triage and response process as much as possible. Perhaps, there are incidents that you just want to track and not respond to? You can automate a response to the sender for those types of incidents. Being prepared is important. If you ask people to report more frequently, but they feel that there is no impact because it hasn’t been addressed, they will feel disempowered and stop submitting.

In the long run seeing the full picture will save the business time and money even if it takes more time up front. Data is at the heart of the security profession. Having accurate and timely data drives the situational awareness needed to effectively respond to incidents and threats and provides the fuel for the analytics that help you deploy your resources (guards, cameras, policy etc.) to be the most effective. Portals are a great tool to ensure that you are getting the best quality data from your incidents.

Learn how to manage security incidents and keep incident submission simple. Get the Guide
Will Anderson

About the Author

Will is the CEO of Resolver.