People are by far the greatest asset in any organisation, but companies consistently fail to appropriately use their staff to combat cyber attacks.
Adversaries, including cyber criminals, nation-states, and hacktivists, are actively targeting employees, and by not encouraging users to report suspicious emails, organisations are missing a huge opportunity to gather vital information about threats. Developing a formal process for users to report suspicious emails provides real-time threat information, helping to improve both response and mitigation strategies.
However, many organisations still resist encouraging user response, citing a variety of reasons for not doing so. These include a lack of manpower to process reports and a belief that there is limited value in user reporting.
On the contrary, encouraging user reporting is not only beneficial, but it can be done in a manner that avoids the common traps and doesn't substantially tax your workforce.
What are the benefits?
Encouraging staff to report suspicious emails can be akin to adding thousands of new sensors to your network. Upon receiving a report of a suspicious email, administrators can initiate reactive response controls such as removing similar emails from users' inboxes, redirecting and capturing command and control traffic, and blocking outbound traffic at your gateway. In the event of a compromise, you will be able to contain the damage more quickly and effectively.
Once user reporting becomes a part of your company's culture, it will provide actionable data. Tracking the incidents reported by individual users allows you to increase monitoring on certain machines, as well as recognise users who provide valuable reporting information.
Can my users really provide useful information?
Many security administrators have the view that their users can't be a source of valuable information. In my experience, most users genuinely want to do the right thing but simply haven't been given enough information about what to look out for, or what to do if they receive something suspicious.
By educating them on how to identify the typical signs of a phishing email and establishing a simple process for reporting, your user base can become an even stronger line of defence than your technology.
Pitfalls to avoid
Be warned, though: security officers who understand the potential value of user reporting can still derail it by making some common mistakes. The first is making the process too complicated. By encouraging user reporting, we are asking employees to go beyond their normal job duties, so the process needs to be made as simple as possible. The best way to do this is to have one email address for all suspicious emails – don't discriminate between spam and phishing – and to make that address well-known to everybody.
Poor communication is another issue; if users don't know why they should report emails, where to report them, and which emails to report, a programme will likely fail. Educating staff about the risks posed by malicious emails, as well as how user reporting benefits security, will help motivate participation.
Also problematic are unclear response procedures and fear. How and when will someone respond to user reports? In the event of an incident, a quick response can dramatically limit the damage, so ensuring that employees know there will be no negative consequences for reporting – even if they may have compromised the network – is an important step. When employees do report suspicious activities, recognising them publicly and positively can be reassuring.
Finally, failing to take advantage of technology and staff together can be a real problem. A culture of user reporting provides a mass of data to analyse, and it is important to manage this data properly. If your company has a SIEM (Security Information and Event Management) system, you should use it to manage the data you receive, and allow the incident response (IR) team to respond to legitimate incidents.
The ultimate goal should be to make user reporting part of your organisation's culture, with IT employees valuing information received from users, and users understanding the important role they can play in security. An organisation with this kind of culture will be able to respond to emerging threats more efficiently.
Aaron Higbee is the chief technology officer and founder of PhishMe, an American company that provides security training to other organisations by carrying out controlled, customised spear phishing simulations.