By Will Anderson Modified April 17, 2020
Do you have visibility into all the incidents that take place across your organization? While you’re likely aware of the major incidents that cause business disruptions, the seemingly minor incidents could be leading indicators of something more severe, such as:
The challenge is getting all of these incidents captured in a timely manner so that they can be reviewed and managed by the security team. When your security team is already strapped for resources, how do you ensure that all incidents are reported?
This is where the value of an incident submission portal comes into play. By better engaging the business, you can capture incidents without putting more strain on your security resources. Even if you’re unable to address each and every submission, you’re still getting a full picture of all the incidents impacting the business and can prioritize and report on them accordingly.
There are 5 key considerations for launching an incident submission portal.
The first step is to clearly articulate who you are targeting with the portal and the types incidents that you are trying to collect. Is this going to be a tool for employees to report theft? For the public at a university or campus report suspicious behavior? The key in this is to start small. Don’t look to collect every incident from every audience.
In a perfect world, we would always know who was submitting an incident, but there are tradeoffs that need to be balanced as you choose whether or not your portal will be anonymous. A few things to consider:
If your goal is to see everything, then anonymous is the way to go. If you need to go back to people for more information, you should work to credential your users (this can be made straight-forward with employees through SSO connections.)
Once you decide on the type of portal that you are deploying, you can pick a technology that will get you there.
If you are using an Incident Management Software solution, there is more than likely a portal option. Particularly for portals that require credentials (non-anonymous) this will be the easiest and most cost-effective option. Vendor supplied portals also provide the benefit of being directly tied into your incident and investigative system.
Many organizations have an internal intranet that is used to communicate with employees and other stakeholders. Intranet administrators should be able to create a form for incident submission there. Once created, rollout is relatively straightforward if the audience is already using the portal. The major downside is the dependence on the intranet product owners (usually IT) to get the system up and running.
If neither of above is in place, a simple portal can be built on products like Google Sheets or Microsoft SharePoint. Portals should be simple, so it is likely that someone in-house has something that will work. The main drawback to these solutions is that they are disconnected, so added data entry and adoption can be tricky.
Technology is not the make or break for portals. We’ve seen all the above work perfectly well. What matters more is overall user adoption and rollout. There are several best practices that you can employ in your technology choice that will enable you to improve portal adoption.
You don’t want to have to overly train people how to use the portal. There is a natural trade off in technology between simplicity and depth of data. In this case, go for something simple. We recommend keeping the number of fields to around five.
If you can, it’s best to build something dynamic. If different types of incidents require different information, have your user select the type first and then have the form only display what is relevant to that specific type of incident. Asking people to skip irrelevant fields is a common cause of poor-quality data or low completion rates.
While you may be tracking 100 incident categories, you shouldn’t present that to your users. Give them a small list to select from. Or, just give them a text box to describe what happened and have the security team triage it on the admin side. Don’t expect a broad audience to know your nomenclature. If you want them to report a stolen laptop just ask the pertinent details (when, where, what etc.)
It takes more work to code an incident from free form text but if you want the best quality data, this is your best bet. To ensure that the users think of all the relevant details, try using simple language to ask the questions that you would ask if you were to receive a call about the incident:
Once the data is in the portal, your trained security professionals can better code the incidents to meet your reporting requirements.
A perfectly designed portal is rendered useless if no one knows that it’s there. Giving people a separate login to an incident specific portal is unlikely to work. It is best to use existing credentials via something like single sign-on and to have the links be available where people already do their work. A link in the intranet is often best practice. Incident reporting isn’t usually a regular part of a non-security person’s job, so making it available in a place that they can easily access will definitely improve adoption.
Beyond that, you will need to communicate where this is and why it’s important. You will need a good communication plan that includes various ways of telling the team where to find the form and why it’s critical for them to participate.
Getting this right will dramatically increase your situational awareness, but it’s also going to create more work. You will want to try to automate the triage and response process as much as possible. Perhaps, there are incidents that you just want to track and not respond to? You can automate a response to the sender for those types of incidents. Being prepared is important. If you ask people to report more frequently, but they feel that there is no impact because it hasn’t been addressed, they will feel disempowered and stop submitting.
In the long run seeing the full picture will save the business time and money even if it takes more time up front. Data is at the heart of the security profession. Having accurate and timely data drives the situational awareness needed to effectively respond to incidents and threats and provides the fuel for the analytics that help you deploy your resources (guards, cameras, policy etc.) to be the most effective. Portals are a great tool to ensure that you are getting the best quality data from your incidents.