How “See Something, Say Something” Could Be Hurting Your Security Program.

Background

“If You See Something, Say Something” was originally implemented and trademarked by the New York City Metropolitan Transportation Authority. In 2010 it was licensed to the U.S. Department of Homeland Security (DHS) as a nationwide campaign in conjunction with the Department of Justice’s Nationwide Suspicious Activity Reporting Initiative (NSI). The goal behind these two programs are to train local and state law enforcement to recognize indicators or behaviors of terrorist related activities, and for the NSI to standardize how reports are documented, analyzed, and shared with Federal Bureau of Investigation Terrorism Task Forces and state Fusion Centers.

Since 2010 the “See Something, Say Something” campaign has spread to private sector business and even to local communities. The current goal of the campaign is to raise public awareness of indicators that could point out terrorism or terrorism-related crime. While the goal of DHS is to raise public awareness of terrorism, many organizations are using similar campaigns in their security programs to help mitigate certain types of incidents other than terrorism. I cannot count the number of times I have heard someone say “Remember…See Something, Say Something” at the end of a meeting, or some Security Specialist sends out an email with this as the tag line, but without proper training on what, why and how to report a potential threats this is nothing more than a slogan.

Problem

Many security incidents can be mitigated by early reporting, but the wrong reports can hurt a security program and in some cases increase organizational risk. For example, an Intrusion Detection System (IDS) is used as an early warning device in physical and cyber security systems. An IDS is setup as a layer of defense on particular asset(s) which alerts security teams of potential threats. Physical security uses a variety of sensors and alarms, and cybersecurity uses programs that analyzes network traffic and looks for signatures associated with known threats. IDSs need to be setup to meet specific positive threat identification percentage, which is in the high 90’s.

As the IDS’s positive alarm rate decreases its false alarm rate increases which reduces the effectiveness of its response team thus, the increase in organizational risk to various threats. An example of this can be seen in the 2013 Target Corporation data breach. Target’s IDS sent multiple notifications to the security team but the notifications were ignored because the security team thought they were false-positives. The attack went on for weeks until Target was notified by the Department of Justice that their system might have been compromised. This breach resulted in the theft of financial and personal information of 110 million customers and 40 million customer credit cards.

In a security program early warning reporting is not just achieved through the IDS alone but also the human element, i.e. employees. If employees are not trained on what to report, why it should be reported, and how to report it this can lead to a drop in positive report rates and an increase in false report rates. This in turn will cause a lack of response by the security team, an unneeded change in security procedures and an increase in an organization’s overall risk of actual threats going unnoticed or being dismissed as false reports.

Solution

Developing strong written policies, procedures and standards, based in factual risk analysis, is how an organization defines what is acceptable processes and behavior in the organization. Written policies, procedures, and standards also give employees the framework as to what constitutes a stable and consistent work environment. Any process or behavior outside of the written policies, procedures and standards could be viewed a suspicious, and should be questioned and reported. This gives us the “what” to report.

To reinforce the necessity of particular policies, procedures and standards security education, training and exercises must be conducted with employees. Security education, training and exercises allow employees to test what they have learned in safe environment without real-world consequences. This also allows the organization’s leaders to identify vulnerabilities, and tailor future education, training, and exercises to reduce the risk of exploitation of identified vulnerabilities. Security education, training, and exercises give employees the “why” to report.

When asking employees to report suspicious incidents/ behavior they need to know how to report. The first step is identifying whom employees should report suspicious incidents/behaviors to and how to send reports. This can be as simple as reporting it to Corporate Security via email.  Next employees should know what to include in the report such as the who, what, when, where and why. The employee should report who or what they saw. This portion should include the suspicious individual’s description, name (if known), and what the individual was doing when they noticed them. Next the employee should note the time the individual or incident was witnessed. Then the employee should note where the individual was seen or incident was taking place when witnessed. The where should be as specific as possible so the security team knows exactly where to begin the investigation. Lastly they should include why the individual or incident was suspicious or a violation of organizational policies, procedures or standards.

Proper security reporting by employees allows security teams to properly investigate and responded to potential organizational threats in a proper and timely manner. This also assist with the reduction of identified risk because policies, procedures, and standards are being followed as designed. Lastly, this reinforces that security is everyone’s responsibility and that mitigation starts with the employees.