Adversaries, including cyber criminals, nation-states, and hacktivists, are actively targeting employees, and by not encouraging users to report suspicious emails, organizations are missing a huge opportunity to gather vital information about threats. Developing a formal process for users to report suspicious emails provides real-time threat information, and allows for improved response and mitigation activities. Still, many organizations resist encouraging user response, citing a variety of reasons for not doing so, including a lack of manpower to process reports and a belief that there is limited value in user reporting anyway.
However, encouraging user reporting is not only beneficial, but can be done in a manner that avoids the common pitfalls and doesn't substantially tax your staff.
What are the benefits?
Encouraging your users to report suspicious emails is akin to literally adding thousands of new sensors to your network. Upon receiving a report of a suspicious email, administrators can initiate reactive response controls such as removing similar emails from users' inboxes, redirecting and capturing command and control traffic, and blocking outbound traffic at your gateway. In the event of a compromise, you are able to more quickly and more effectively contain the damage.
Once user reporting becomes part of your culture, it will provide actionable data. Tracking the reports sent by individual users allows you to increase monitoring on certain machines as well as recognize users who provide valuable reporting data.
Can my users really provide useful information?
Many security administrators take the mistaken view that their users can't be a source of valuable information. In my experience, most users want to do the right thing, but they haven't been given enough information about what to look for or what to do if they receive something suspicious. By educating them on how to recognize the typical signs of a phishing email, and establishing a simple process for reporting, your user base can become a line of defense that is more effective than all of your technology.