You Are the First Line of Defense
Security tools catch a lot, but they don't catch everything. Firewalls, antivirus software, and intrusion detection systems can miss sophisticated attacks — especially those that exploit human behavior rather than technical vulnerabilities. That's where you come in.
Every employee who reports something suspicious contributes to the organization's security posture. Many major breaches were initially detected not by software, but by an observant employee who thought, "That doesn't seem right," and said something.
What Should You Report?
The short answer: anything that seems unusual, unexpected, or out of place. You don't need to be certain that something is an attack. That's the security team's job. Your job is to raise the flag.
Digital Indicators
- Suspicious emails — Phishing attempts, unexpected attachments, strange requests from colleagues
- Unusual computer behavior — Sudden slowdowns, unexpected pop-ups, programs opening by themselves, mouse moving on its own
- Unknown software — Programs you didn't install appearing on your computer
- Account anomalies — Password reset emails you didn't request, login notifications from unknown locations, being locked out of your account
- Unauthorized access attempts — Someone asking for your credentials, or trying to access systems they shouldn't need
Physical Indicators
- Unfamiliar people in restricted areas without visitor badges
- Propped-open security doors that should be closed and locked
- Suspicious devices — Unknown USB drives, unfamiliar hardware connected to network ports, devices attached to computers
- Missing equipment — Laptops, hard drives, or documents that have disappeared
- Shoulder surfing — Someone watching your screen or keyboard as you type
Social Engineering Attempts
- Unusual requests from "management" — Especially involving money, gift cards, or credential sharing
- Pressure to bypass security procedures — "Just this once" or "It's urgent, skip the approval process"
- People who ask too many questions — Especially about systems, security controls, or personnel
How to Report
You notice something suspicious at work. How urgent does it seem?
Why Reporting Matters (Even When You're Wrong)
Many people hesitate to report because they're afraid of:
- Looking foolish — "What if it turns out to be nothing?"
- Getting someone in trouble — "What if I'm wrong about that person?"
- Wasting the security team's time — "They must be busy with real threats"
- Retaliation — "What if reporting causes problems for me?"
Here's the truth: security teams want your reports. Every single one. A false alarm takes minutes to dismiss. A missed real threat can take months and millions to recover from. No reasonable security team will ever fault you for reporting something that turns out to be benign.
You received a strange email two days ago that you now think might have been a phishing attempt. You deleted it at the time and didn't click any links, but you didn't report it. Is it still worth reporting?
How would you respond? Choose the best option:
Key Takeaways
- When in doubt, report — False alarms are better than missed threats
- Call for active incidents, email for non-urgent concerns — Match your reporting speed to the urgency
- Include details — What you observed, when, any screenshots or specifics you can provide
- Late reports are still valuable — Information from two days ago can still prevent an ongoing attack
- You won't get in trouble for reporting — Security teams appreciate every report, even false alarms
- Trust your instincts — If something feels wrong, it's worth reporting