We have all seen the saying “see something, say something” in airports and various public places advising the traveling public to report suspicious items and events. Likewise, as business leaders, we encourage our employees to report information security incidents so that we may investigate and improve upon our security posture. Do businesses take matters seriously when reports are made?
As anyone who travels frequently knows, having a credit card compromised is a matter of when rather than if it will happen. Last night, my number was called and I started receiving text alerts from my credit card company about potentially fraudulent charges. Calling the number on the back of the card, I spoke to the security team and there were definitely unauthorized charges, and hence, the card was cancelled and a new one issued.
Of concern was that one of the fraud alerts was for a $0 charge attempted by the hotel I had just checked into earlier in the day. This concerned me and I went downstairs, asking to speak to the manager. The manager could not have been any less concerned and simply became argumentative claiming that there was no way her staff ran such an attempted $0 charge. I tried to encourage her to at least alert her security team to investigate, and she was uninterested.
While I will not name the hotel, I can state that it is a major, national and international chain with a portfolio of brands. The chain has been hacked and in the news before, which is one of the many reasons I found the manager’s reaction troubling.
The point here is this: Outages and suspicious events need to be treated as potential security incidents until it can be proven that they are not. The gap between breach and discovery continues to be over 200 days. Is it possible that breaches could be discovered sooner if businesses took concerns raised by staff, customers and partners seriously, ruling out a security incident instead of simply dismissing the concern?
How does your business handle things when a customer or an employee reports something suspicious? If we expect people to see something and say something, then we need to take reports seriously and rule out security incidents before simply dismissing them.