Security officers who understand the potential value of user reporting can still be tripped up by making some of the common mistakes that will derail user reporting:
- Making the process too complicated. By encouraging user reporting, we are asking employees to go beyond their normal job duties, so we need to make the process as simple as possible. The best way to do this is to have one email address for all suspicious emails – don’t make users discriminate between spam and phishing – and make that address well-known to all users.
- Poor communication. Simply put, if users don’t know why they should report emails, where to report them, and which emails to report, a program will probably fail. Educating users about the risks malicious emails pose, as well as how user reporting benefits security, will help motivate users to participate.
- Users should know what to expect when reporting an email. Will someone respond to their report? Likewise, communicating that no one will be punished for reporting that they clicked on something, is crucial. If employees fear they may lose their job, they will avoid reporting.
- As we all know, in the event of an incident, a quick response can dramatically limit the damage, so ensuring that employees know there will be no negative consequences for reporting – even if they may have compromised the network – greatly enhances the benefits of user reporting. When employees do report suspicious activity, recognize them publicly for a job well done.
- Failing to take advantage of technology and staff. A culture of user reporting gives us a bevy of data to analyze – some of it’s useful, some it isn’t – and it’s important to properly manage the data we receive from the process. If you have a SIEM you should use it to manage the data you receive, and allow the IR team to respond to legitimate incidents.