News & Analysis

Training your Staff to Stop Phishing Attacks

By ISBuzz Team | July 31, 2013 | Updated: January 5, 2026 | 5 Mins Read

People are by far the biggest asset in your organisation, yet companies continually fail to use their staff to combat cyber-attacks.

Adversaries, including cyber criminals, nation-states, and hacktivists, are actively targeting employees, and by not encouraging users to report suspicious emails, organisations are missing a huge opportunity to gather vital information about threats. Developing a formal process for users to report suspicious emails provides real-time threat information, and allows for improved response and mitigation activities. Still, many organisations resist encouraging user response, citing a variety of reasons for not doing so, including a lack of manpower to process reports and a belief that there is limited value in user reporting anyway.

However, encouraging user reporting is not only beneficial, but can be done in a manner that avoids the common pitfalls and doesn’t substantially tax your staff.

What are the benefits?

Encouraging your users to report suspicious emails is akin to adding thousands of new sensors to your network. Upon receiving a report of a suspicious email, administrators can initiate reactive response controls such as removing similar emails from users’ inboxes, redirecting and capturing command-and-control traffic, and blocking outbound traffic at your gateway. In the event of a compromise, you are able to contain the damage more quickly and more effectively.

Once user reporting becomes part of your culture, it will provide actionable data. Tracking the reports sent by individual users allows you to increase monitoring on certain machines as well as recognize users who provide valuable reporting data.

Can my users really provide useful information?

Many security administrators take the mistaken view that their users can’t be a source of valuable information. In my experience, most users want to do the right thing, but they haven’t been given enough information about what to look for or what to do if they receive something suspicious. By educating them on how to recognize the typical signs of a phishing email, and establishing a simple process for reporting, your user base can become a line of defense that is more effective than all of your technology.

Pitfalls to avoid

Security officers who understand the potential value of user reporting can still be tripped up by making some of the common mistakes that will derail user reporting:

* Making the process too complicated. By encouraging user reporting, we are asking employees to go beyond their normal job duties, so we need to make the process as simple as possible. The best way to do this is to have one email address for all suspicious emails – don’t make users discriminate between spam and phishing – and make that address well-known to all users.

* Poor communication. Simply put, if users don’t know why they should report emails, where to report them, and which emails to report, a program will probably fail. Educating users about the risks malicious emails pose, as well as how user reporting benefits security, will help motivate users to participate.

* Not setting expectations. Users should know what to expect when reporting an email. Will someone respond to their report? Likewise, communicating that no one will be punished for reporting that they clicked on something is crucial. If employees fear they may lose their job, they will avoid reporting.

* As we all know, in the event of an incident, a quick response can dramatically limit the damage, so ensuring that employees know there will be no negative consequences for reporting – even if they may have compromised the network – greatly enhances the benefits of user reporting. When employees do report suspicious activity, recognize them publicly for a job well done.

* Failing to take advantage of technology and staff. A culture of user reporting gives us a bevy of data to analyze – some of it useful, some of it not – and it’s important to properly manage the data we receive from the process. If you have a SIEM, you should use it to manage the data you receive and allow the IR team to respond to legitimate incidents.

The ultimate goal should be to make user reporting part of your organization’s culture, with IT employees valuing information received from users, and users understanding the important role they can play in security. An organization that has this kind of culture will be able to respond faster and more effectively to emerging threats.
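To illustrate the triage the article describes (collapsing lookalike reports into one campaign, escalating when someone clicked or several people reported, and tracking which reporters produce confirmed findings), here is an added example; it is not PhishMe code or part of the original post, and the reports, mailbox name and domains are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample reports forwarded to a hypothetical "report-phish@" mailbox (not real data).
REPORTS = [
    {"reporter": "alice", "sender": "it-helpdesk@mail-support.example", "subject": "RE: Password expires in 24h",
     "urls": ["http://login.mail-support.example/reset?id=1"], "clicked": False},
    {"reporter": "bob", "sender": "helpdesk@mail-support.example", "subject": "Password expires in 12h",
     "urls": ["http://login.mail-support.example/reset?id=2"], "clicked": True},
    {"reporter": "carol", "sender": "news@vendor.example", "subject": "Monthly newsletter",
     "urls": ["https://vendor.example/news"], "clicked": False},
    {"reporter": "alice", "sender": "ceo@corp-exec.example", "subject": "Urgent wire transfer",
     "urls": [], "clicked": False},
]

def campaign_key(report):
    """Collapse lookalike reports into one campaign: sender domain, subject with
    reply prefixes and numbers normalised, and the set of link hosts."""
    domain = report["sender"].split("@")[-1].lower()
    subject = re.sub(r"^(re|fw|fwd):\s*", "", report["subject"].strip(), flags=re.I)
    subject = re.sub(r"\d+", "#", subject).lower()
    hosts = tuple(sorted({urlparse(u).hostname or "" for u in report["urls"]}))
    return (domain, subject, hosts)

def cluster(reports):
    groups = defaultdict(list)
    for r in reports:
        groups[campaign_key(r)].append(r)
    return groups

def triage(reports, min_reports=2):
    """Rank campaigns for the IR team: a click or several independent reporters escalates."""
    out = []
    for key, rs in cluster(reports).items():
        reporters = {r["reporter"] for r in rs}
        clicked = any(r["clicked"] for r in rs)
        priority = "high" if clicked or len(reporters) >= min_reports else "low"
        out.append({"key": key, "reports": len(rs), "clicked": clicked, "priority": priority})
    return sorted(out, key=lambda c: (c["priority"] != "high", -c["reports"]))

def reporter_stats(reports, verdicts):
    """verdicts maps a campaign key to True once an analyst confirms it malicious.
    Returns per-reporter (reports, confirmed) so valuable reporters can be recognised."""
    stats = defaultdict(lambda: [0, 0])
    for r in reports:
        stats[r["reporter"]][0] += 1
        if verdicts.get(campaign_key(r)):
            stats[r["reporter"]][1] += 1
    return {k: tuple(v) for k, v in stats.items()}
```

The campaign key is what lets a responder pull the sibling emails from other inboxes and block the shared link host, and the per-reporter counts are the data for recognising good reporters or tightening monitoring on a machine where a click was reported.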

About the Author:

Aaron Higbee | Co-Founder and CTO of PhishMe | www.phishme.com

Aaron is the Co-Founder and CTO of PhishMe, Inc., directing all aspects of development and research that drive the feature set of this market-leading solution. The PhishMe method for awareness training was incubated from consulting services provided by Intrepidus Group, a company that Aaron co-founded with Rohyt Belani in 2007. Aaron remains on the board of directors for Intrepidus Group to ensure it focuses on forging new service lines and attracting motivated researchers and consultants.

Before PhishMe and Intrepidus Group, Aaron served as Principal Consultant for McAfee’s Foundstone division, where he was a lead instructor and known for his ability to mentor and develop junior consultants into expert penetration testers. Prior to his seven years of consulting experience, Aaron worked for large Internet Service Providers handling security and abuse incidents, subpoena compliance, and datacenter security. Aaron’s biggest achievement is building the industry-recognized Intrepidus Group and incubating PhishMe out of it.

He enjoys the diverse personalities in the information security community and is known for building creative environments needed to promote rich personal and professional development. His creative touch is evident in the unique way he recruits and retains talent and his style further extends itself into his leadership role at PhishMe. Aaron is a speaker at regional conferences and associations as well as large conferences such as BlackHat, DefCon, Shmoocon, etc. His expert opinion is a valuable resource for many media outlets interested in security.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
