When employees fear blame, they stay silent about security mistakes instead of reporting them immediately. A phishing email sits unopened and unblocked. An unlocked cabinet with customer data goes unnoticed for months. A contractor who accidentally left with admin credentials never gets reported. In India, a medium-sized e-commerce or fintech business once lost ₹2.5 crore to a data breach that started with an employee noticing—but not reporting—unusual database access because he feared being blamed for 'weak' security. Without a reporting culture, you won't know you've been breached until your customers or regulators tell you. Your business faces regulatory penalties under the DPDP Act, a collapse of customer trust, and uncontrolled spread of the incident.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You walk around and no one mentions security problems to leadership. Your IT person finds malware on a machine three months after it arrived because no one reported weird computer behavior. Employees assume security failures are 'not my job' or 'I'll get in trouble.'
Initial
You've told employees once that they should report problems, but there's no formal channel or process. Sometimes someone mentions something to the IT person in passing, but nothing is tracked or followed up. There's still an unspoken sense that 'raising an issue means you caused it.'
Developing
You have a documented email address or person to report security concerns to, and it's been shared with staff. You keep a simple log of what gets reported. Employees know the reporting channel exists, but there's no clear message that reporting is safe or valued.
Defined
You have a formal reporting process (email, form, or a simple online log) that anyone can use anonymously or with their name. Reports are acknowledged within 2-3 days. Leadership visibly thanks people for reporting and shares outcomes ("We found a phishing email because of your report, and we blocked it"). There's clear 'no blame' language in your security policy.
Managed
Reports are handled through a formal incident response workflow. Each report is assigned, investigated, and closed with documentation. Leadership regularly (monthly or quarterly) shares anonymized summaries with staff: "This month we received 5 reports; 3 were phishing, 2 were about physical security. All were fixed." Employees see that reporting leads to real fixes and protection.
Optimised
Your reporting culture is embedded in daily work. Employees proactively raise concerns without prompting. Leadership celebrates 'near misses' caught by staff. You run quarterly awareness campaigns highlighting real reports that prevented damage. New hires learn in their first week that reporting is expected and protected. External auditors or customers see evidence of regular, documented reports and fast resolution.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Draft a one-page 'Security Reporting' statement saying employees should report concerns to the IT lead or manager without fear of blame. Post it on the office notice board and send via email. Include one specific example (e.g., 'If you see an email asking for passwords, report it immediately—you're helping us, not getting in trouble'). | Business owner or HR manager | 2 hours |
| 1 → 2 | Create a simple 'Security Reporting Form' (Google Form or printed one-pager) with fields: What did you see? When? Where? Your name (optional). Set up a dedicated email inbox (security-report@company.com) or notebook to collect reports. Share the form link in a staff meeting and on the office board. | IT lead with business owner approval | 1 day |
| 2 → 3 | Write a formal 'Security Incident Reporting and No-Blame Policy' (1-2 pages) that explicitly states: (1) How to report, (2) That no disciplinary action follows honest reporting, (3) Response timeline (we will acknowledge within 2 days), (4) That anonymous reporting is allowed. Get business owner sign-off. Include in employee handbook and onboarding materials. | HR manager or business owner with IT lead input | 3-4 days |
| 3 → 4 | Set up a formal incident log (spreadsheet or simple ticketing system like Jira Free) tracking: Report date, description, person assigned, investigation result, closure date, and follow-up action. Designate one person as 'Incident Coordinator.' Brief leadership monthly on metrics (number of reports, types, resolution time). Publish a one-paragraph summary in the next all-hands meeting highlighting a recent report that prevented harm. | IT lead with business owner oversight | 2-3 weeks |
| 4 → 5 | Establish a quarterly 'Security Heroes' campaign: Highlight real (anonymized) reports that prevented incidents in company email, meetings, or newsletters. Run an annual security awareness week where employees practice reporting via tabletop scenarios. Measure culture via anonymous survey (e.g., 'Would you feel safe reporting a security concern?'). Adjust communication based on feedback. | HR manager, IT lead, and business owner | Ongoing, ~4-6 hours per quarter |
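The 3 → 4 step asks the Incident Coordinator to keep a log with a fixed set of fields and to brief leadership monthly on the number of reports, their types and resolution time, while the 'Defined' level and the pitfalls list set two service levels: acknowledge within 2 days, close the loop within 2 weeks. The script below is an added example, not part of the NIRMATA page or its assessment; it assumes the log is kept as a CSV spreadsheet with the column names shown (a constructed layout that mirrors the fields the step lists) and uses a constructed five-row sample log. It computes the briefing metrics, flags reports that have breached either service level so the coordinator knows what to chase, and produces the one-sentence anonymised summary for the all-hands.

```python
"""Monthly reporting metrics from a security incident log.

Added example, not code from the NIRMATA page. The CSV layout, column names
and sample rows are constructed assumptions mirroring the fields the 3 -> 4
step lists: report date, description, person assigned, investigation result,
closure date and follow-up action.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime

# Service levels stated on the page: acknowledge within 2 days, close within 2 weeks.
ACK_SLA_DAYS = 2
CLOSE_SLA_DAYS = 14

# Constructed sample log: one row per report, ISO dates, blank = not yet done.
SAMPLE_LOG = """\
report_id,report_date,category,description,assigned_to,acknowledged_date,investigation_result,closure_date,follow_up
1,2024-03-02,phishing,Email asking for UPI PIN,it-lead,2024-03-03,Sender domain blocked at mail gateway,2024-03-05,Reminder sent to all staff
2,2024-03-04,physical,Server room door found propped open,office-mgr,2024-03-04,Door closer repaired,2024-03-08,Weekly door check added
3,2024-03-10,phishing,Fake courier SMS with link,it-lead,2024-03-15,Link confirmed malicious; number reported,2024-03-16,
4,2024-03-12,access,Ex-contractor login still active,it-lead,2024-03-13,Account disabled,,
5,2024-03-20,phishing,Invoice attachment from unknown vendor,it-lead,,,,
"""

# The "as of" date used for the sample run (constructed, end of the sample month).
SAMPLE_TODAY = date(2024, 3, 31)


def parse_log(text):
    """Parse the CSV log into dicts; date columns become date objects or None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("report_date", "acknowledged_date", "closure_date"):
            row[key] = datetime.strptime(row[key], "%Y-%m-%d").date() if row[key] else None
        rows.append(row)
    return rows


def summarise(rows, today):
    """Return the numbers leadership is briefed on, plus SLA breaches to chase.

    A report with no acknowledgement or closure date yet is measured against
    `today`, so a stale open report shows up as a breach rather than hiding.
    """
    counts = Counter(r["category"] for r in rows)
    closed = [r for r in rows if r["closure_date"]]
    resolution_days = [(r["closure_date"] - r["report_date"]).days for r in closed]
    avg_resolution = sum(resolution_days) / len(resolution_days) if resolution_days else None

    ack_breaches, close_breaches = [], []
    for r in rows:
        ack_by = r["acknowledged_date"] or today
        if (ack_by - r["report_date"]).days > ACK_SLA_DAYS:
            ack_breaches.append(r["report_id"])
        close_by = r["closure_date"] or today
        if (close_by - r["report_date"]).days > CLOSE_SLA_DAYS:
            close_breaches.append(r["report_id"])

    return {
        "total": len(rows),
        "by_category": dict(counts),
        "open": len(rows) - len(closed),
        "avg_resolution_days": avg_resolution,
        "ack_sla_breaches": ack_breaches,
        "close_sla_breaches": close_breaches,
    }


def staff_summary(metrics):
    """Anonymised one-sentence summary for the all-hands, in the page's wording style."""
    parts = ", ".join(f"{n} {c}" for c, n in sorted(metrics["by_category"].items()))
    resolved = metrics["total"] - metrics["open"]
    return (f"This month we received {metrics['total']} reports ({parts}); "
            f"{resolved} are resolved and {metrics['open']} still open.")


if __name__ == "__main__":
    m = summarise(parse_log(SAMPLE_LOG), today=SAMPLE_TODAY)
    print(m)
    print(staff_summary(m))
```

On the sample log the run flags reports 3 and 5 for late or missing acknowledgement and report 4 for an overdue closure; the summary sentence deliberately carries no names or descriptions, so it can be shared as-is without undermining the anonymity the policy promises.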
Documents and records that prove your maturity level.
- Published 'Security Reporting Policy' or 'No-Blame Security Culture' statement in employee handbook or posted on office board
- Security reporting form (Google Form, email address, or printed form) and proof it was shared with staff (e.g., email screenshot, meeting notes)
- Log of security reports received (spreadsheet, notebook, or ticketing system) with dates, descriptions, and closure status for at least the last 6 months
- Evidence of acknowledgment to reporters (e.g., reply email within 2-3 days, or log entry showing 'acknowledged')—at least 3 recent examples
- Leadership communication to staff (email or meeting minutes) sharing outcomes of reports in last quarter (e.g., 'We found 2 phishing emails, 1 unsecured USB, and deployed fixes')
Prepare for these questions from customers or third-party reviewers.
- "Walk me through how an employee would report a security concern. What's the process, and who would they contact?"
- "Can you show me the policy that protects employees from blame if they report a security issue honestly?"
- "Do you have records of security reports received in the last 6 months? How many have you had, and what happened to them?"
- "Have you communicated back to employees about the outcome of reports—either to the individual reporter or to the broader team? Can you share an example?"
- "How do you know employees feel safe reporting? Have you surveyed them, asked in meetings, or seen natural reporting behavior?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and collect security reports from employees via online form | Google Forms (free with Google Workspace or standalone) or Jotform (limited free tier) | Typeform (₹1,500–5,000/year) or Jira (₹0–15,000/year depending on users) |
| Track and manage reported security incidents in a simple log or workflow | Google Sheets or Excel (offline); Trello (free tier) for kanban workflow; Jira Free (up to 10 users) | monday.com (₹5,000–15,000/year) or Asana (₹3,000–10,000/year) |
| Survey employees anonymously to gauge culture and willingness to report | Google Forms or Typeform (free tier for basic surveys) | Qualtrics (₹50,000+/year—likely too expensive for MSME) or SurveyMonkey (₹5,000–20,000/year) |
- Announcing a reporting policy but never acknowledging or acting on reports. Employees report once, nothing happens, so they stop reporting. Create a simple log and close the loop within 2 weeks per report.
- Blaming the reporter when a report reveals a mistake (e.g., 'You should have known that cable was important, why didn't you secure it?'). This kills the culture instantly. Train managers to separate the mistake from the reporter and focus on the fix, not punishment.
- Making the reporting process too complicated (multi-step form, HR approval before IT hears it). Employees skip it. Use a simple email or one-page form. Complexity delays help.
- Assuming one communication is enough. You announce the policy once and expect it to stick. Reinforce it quarterly: mention it in meetings, include in onboarding, celebrate examples. Culture change takes months, not days.
- Keeping reports secret from employees. If staff never hear about outcomes, they assume nothing happens. Share anonymized results monthly or quarterly: 'We received 3 reports this month, all were investigated and resolved.'
- Not protecting anonymity when promised. If an employee reports anonymously but gets traced and blamed, trust collapses across the entire team. Use truly anonymous channels (no email logging, form not linked to login) or handle carefully.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(2) and Schedule 2 (accountability, data protection impact assessment, and incident management—all require organizational processes to detect and respond to risks) |
| CERT-In 2022 (Indian Computer Emergency Response Team) | Direction on 'Responsible Disclosure of Security Vulnerabilities' and incident reporting framework—emphasis on transparency and timely disclosure |
| ISO 27001:2022 | Clause 5.3 (roles and responsibilities), 6.2 (objectives and planning), and A.5.1 (policies for information security)—security culture and employee awareness |
| NIST CSF 2.0 | Govern (GV.RO-01: Risk and security roles/responsibilities), Detect (DE.AE-01: Anomalies and events detected and analyzed)—relies on employee participation |
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.