In most organizations, a user who can identify and delete phishing emails is considered a huge asset.
And, let’s be honest, they’re certainly a big step in the right direction. Users who can’t spot a simple phishing email can easily jeopardize the security of an entire organization, even with a comprehensive set of technical security controls in place.
But in our eyes, there’s still a long way for these users to go. Deleted phish are better than clicked phish, but they shouldn’t be the end goal.
Want to know how reported phishing emails can be used to quickly identify and stop attacks that would otherwise go undetected? Register for our free on-demand webinar, hosted by PhishLabs Founder and Chief Technology Officer John LaCour.
The Biggest Asset You Don’t Have (Yet)
If you don’t want users to delete suspected phishing emails, what do you want them to do?
Simple: Report them.
Whenever one of your users receives an email they believe may be malicious, they should have a simple means of bringing it to the attention of your security team. And when we say simple, we mean really simple: one click on a report button in the mail client. Forwarding the suspicious email is an acceptable fallback, but ask users to forward it as an attachment rather than inline, so the original headers (sender, Reply-To, Message-ID and the received path) reach your analysts intact.
Once you establish this type of system a lot of suspected phish will be reported. And yes, many of those could be false alarms or simply spam that somehow evaded your filter; however, the positives outweigh these drawbacks in a big way.
Here are just a few of the benefits you’ll gain:
1) Measuring Risk
Let’s be honest, phishing is a problem for every organization. But how much of a problem is it for your organization?
Unless you have a reporting system, it’s almost impossible to know. If your users simply delete phishing emails on sight, you have no way of knowing how regularly users are faced with this challenge.
Even if you could somehow track deleted phishing emails, what about those emails that are never read? Or those which are quickly skipped over in favor of more urgent alternatives?
In order to truly judge how much of a threat phishing poses to your organization, you must be able to track the approximate number of malicious emails your organization receives in an average month. Convincing users to report suspected phish instead of deleting them is a simple means of achieving this clarity.
2) Understanding Your Attacker
Of course, volume isn’t everything. It’s equally important to understand which areas of your organization are most frequently targeted, and the types of phishing emails typically used.
Why? Because not all users are made equal. A sophisticated BEC scam targeting members of your payments team could cost your business far more than a more basic phish targeting your administrative staff.
Once again, providing your users with a simple way to report suspected phish can be a game changer here. Understanding where and how your organization is targeted is a huge step toward mitigating the problem.
3) Belt and Braces
If there are any inalienable truths in security, this is one: People will make mistakes.
No matter how good your training program, or how motivated your users are, or how seriously everybody takes security… mistakes will still happen.
Not even analysts and CISOs are perfect. On a bad day, when you’re checking your email while rushing between meetings, even you might fall for the right phish at the wrong time.
So how do reported phishing emails help solve this problem? Simple: They give you a warning period.
Most phishing emails aren’t sent in isolation. If one of your users receives a phish, there’s a good chance plenty of other users have also received it. If just one of those users hits the report button in a timely manner, you have a golden opportunity to identify and quarantine the rest before any harm is done.
On the flip side, if you don’t have a reporting program, even if 99 percent of your users spot and delete a phishing email, the remaining one percent could endanger your entire organization.
4) Tightening Security Controls
Of course, your use of reported phishing emails isn’t limited to incident response. In fact, one of the best uses for reported phish is to inform improvements to your preventative controls.
Spam filters, content filters, firewalls, you name it; the intelligence you garner by analyzing reported phishing emails and their payloads will help you progressively tighten the net on incoming phish over time.
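As an added illustration of the two points above (finding the other copies of a reported phish so they can be quarantined, and turning one report into filter entries), here is a small Python triage script. It is not PhishLabs code. The reported message, the two mailbox messages it is compared against, and the domains corp-example.com (assumed to be the organization's own) and mail-reset-example.net are all constructed for the example; the function names are likewise ours.

```python
"""Triage a user-reported phishing email into searchable indicators.
Added example, not PhishLabs code; all messages and domains below are
constructed for illustration (corp-example.com is the assumed own domain)."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
OWN_DOMAINS = ("corp-example.com",)  # assumption: the organization's mail domain(s)

# Constructed report: From: spoofs the internal domain, Reply-To: and the
# link point at the attacker's host, and a PDF lure is attached.
SAMPLE_EML = b"""\
From: "IT Helpdesk" <helpdesk@corp-example.com>
Reply-To: support@mail-reset-example.net
To: alice@corp-example.com
Subject: Action required: password expires today
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. <a href="http://mail-reset-example.net/login?u=alice">Reset it now</a> or open the attached form.</p>
--B1
Content-Type: application/pdf; name="reset_form.pdf"
Content-Disposition: attachment; filename="reset_form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJeLjz9MK
--B1--
"""

# Constructed mailbox to search: one sibling of the same campaign, one benign mail.
CANDIDATES = [
    b"From: desk@another-example.org\nTo: bob@corp-example.com\n"
    b"Content-Type: text/plain\n\nReset here: http://mail-reset-example.net/login?u=bob\n",
    b"From: hr@corp-example.com\nTo: bob@corp-example.com\n"
    b"Content-Type: text/plain\n\nSee https://intranet.corp-example.com/menu today.\n",
]


def extract_indicators(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return its searchable indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    urls, hosts, attachments = set(), set(), {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""  # decoded bytes, as a gateway sees them
            attachments[part.get_filename() or "unnamed"] = hashlib.sha256(data).hexdigest()
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname
                if host:
                    urls.add(url.rstrip(".,;)"))
                    hosts.add(host.lower())
    sender_domain, reply_domain = sender.rpartition("@")[2], reply_to.rpartition("@")[2]
    return {
        "from": sender,
        "reply_to": reply_to,
        # A Reply-To outside the From: domain is a classic phishing tell.
        "reply_to_mismatch": bool(reply_to) and reply_domain != sender_domain,
        "urls": sorted(urls),
        "hosts": sorted(hosts),
        "attachments": attachments,  # filename -> sha256 of decoded content
    }


def related(ind: dict, candidates: list) -> list:
    """Indices of raw messages sharing a strong indicator with the report (same sender,
    Reply-To, link host or attachment hash). Subjects are ignored; campaigns vary them."""
    hits = []
    for i, raw in enumerate(candidates):
        c = extract_indicators(raw)
        if (c["from"] == ind["from"]
                or (c["reply_to"] and c["reply_to"] == ind["reply_to"])
                or set(c["hosts"]) & set(ind["hosts"])
                or set(c["attachments"].values()) & set(ind["attachments"].values())):
            hits.append(i)
    return hits


def blocklist_entries(ind: dict, own_domains=OWN_DOMAINS) -> list:
    """Indicators safe to push to mail and web filters. A spoofed From: in your own
    domain must never be blocked, so only foreign domains, hosts and hashes are emitted."""
    entries = set()
    for addr in (ind["from"], ind["reply_to"]):
        dom = addr.rpartition("@")[2]
        if dom and dom not in own_domains:
            entries.add("domain:" + dom)
    for host in ind["hosts"]:
        if host not in own_domains and not host.endswith(tuple("." + d for d in own_domains)):
            entries.add("host:" + host)
    for digest in ind["attachments"].values():
        entries.add("sha256:" + digest)
    return sorted(entries)
```

Run `extract_indicators(SAMPLE_EML)` on a report, feed the result to `related()` over the rest of the mail store to find the copies that have not been reported yet, and push `blocklist_entries()` to the gateway. Two design choices matter in practice: matching on subject lines is avoided because campaigns rotate them, and the spoofed internal From: address is deliberately kept out of the blocklist, since blocking your own domain on the strength of a forged header is a self-inflicted outage.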
5) Solidify Learning
One of the hardest things about security training is keeping your lessons at the top of users’ minds. They may walk out of your training sessions with the best of intentions, but time and busy schedules will gradually wear them down.
But here’s the thing. The more often your lessons are reinforced, the more likely they are to stick in users’ minds. And in this area, the reporting process can play a key role.
Whenever one of your users reports a suspected phish, we recommend they see a short message reminding them why it was so important to do so.
It doesn’t have to be anything fancy. A simple “this email has been reported to the security team. Thanks for helping to keep our organization safe!” will do fine.
All you’re trying to do is give the user an easy win, and remind them that this isn’t just a meaningless process. It’s essential to the long-term security of their organization.
This might seem insignificant, but trust us, it isn’t. Try it and see for yourself.
6) Tracking Performance
Tracking the performance of security training programs may not be the most exciting way to spend your time, but it is an essential component of any long-term program. If you can’t evidence the effectiveness of your program, you’ll have a great deal of trouble retaining funding.
As we’ve already mentioned, deleted or ignored phishing emails can’t be tracked. Without a reporting system, you won’t know how many phish you’re receiving, and you’ll also have no idea what happens to them after they reach user inboxes.
Worse still, you’ll have no way at all to prove your program is making a difference to those numbers.
7) Simulated Phish
If you’re serious about fighting the threat posed by phishing, there is no better way to prepare your users than by creating and distributing your own realistic phishing simulations. We’ve written about this a lot in the past, so if you’ve been following the blog for more than a few days you’ll already know all about our recommendations in this area.
But where do these simulated phish come from? Should you simply make them up, and hope they vaguely resemble real-world phishing emails?
No, truly powerful simulations are informed by one simple process: Capturing and analyzing real phishing emails received by your organization. Seems obvious now, right?
And the only way to ensure you have enough real-world samples to work from is to provide your users with the skills, knowledge, and tools they need to consistently identify and report phishing emails.
Want To Know More?
Phishing is the #1 threat faced by organizations all over the world. Almost every high-profile breach you read about in the newspapers includes a phishing component somewhere along the line.
To find out what you can do to mitigate the threat posed by phishing, register for our free on-demand webinar: Best Practices for Enterprise Phishing Protection
This is a Security Bloggers Network syndicated blog post authored by Dane Boyd. Read the original post at: The PhishLabs Blog