How long does it take a phishing or ransomware attack to be reported within your organisation?
If you think about any of the key trends in the cyber security world in the last few years, you can see that threats like CFO scams, state-sponsored attacks, ransomware, and plain old fraud have a phishing attack at their core. Phishing still represents 95% of all data breaches and is a major stage of the cyber criminal’s kill chain.
As an industry, technology vendors keep giving users new mediums in which to communicate and new services to consume. Each one changes the game and provides another threat surface for you to defend.
So, let’s say you have trained your staff, had them sign policies and maybe even run a simulated phishing email campaign internally. Firstly, congratulations. This is best practice by far, and you will have changed user behaviour. Of this there is no doubt.
People will be more sensitised to the cyber security threats you need to avoid, and there will be an immediate increase in the number of possible phishing incidents reported internally.
But where can staff report these cyber incidents? A quick way is to have staff forward the suspicious email to a central mailbox. Another option is to have staff contact the internal help desk for advice. Without a proper reporting structure in place, however, staff may be unsure how to deal effectively with this threat.
If time permits, the suspicious emails may be looked at straight away; if there is no monitoring system in place, they may fall into a black hole. Without some official analysis there is no mitigation, and that puts a liability on management.
It’s a balance between what you can afford and how much time you must devote to the incident. Really, what you should do is create an incident case for each suspicious email that is deemed to be valid, which means doing some triage up front. From a compliance perspective, your actions should be documented in the event of a real phishing attack, as it could lead to a data breach and the subsequent “post-match review”!
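To show what the "central mailbox plus triage plus incident case" process looks like in practice, here is an added example script (not from the original article). It assumes the reporting mailbox hands the analyst the raw `.eml` text of the forwarded message; it parses the headers, body links and attachments with Python's standard library, records a few defensive indicators (Reply-To domain differing from the sender, link text that shows one host while pointing at another, high-risk attachment types) and emits a case record that can be filed in a ticketing system. The sample message, the `RISKY_EXTENSIONS` list and the `PHISH-` case-ID scheme are all constructed placeholders for illustration.

```python
"""Triage a user-reported suspicious email and produce an incident record.

Added example, not code from the original article. Assumes the reporting
mailbox provides the forwarded message as raw .eml text. The sample message,
the risky-extension list and the case-ID scheme are constructed placeholders.
"""
import email
import hashlib
import json
import os
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample report: mismatched Reply-To, a link whose visible text
# differs from its real target, and a zip attachment (10 bytes of dummy data).
SAMPLE_EML = """\
From: "Accounts Payable" <ap@example-corp.com>
Reply-To: urgent-invoice@mail-relay.example.net
To: staff@example-corp.com
Subject: Invoice overdue - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html; charset="utf-8"

<p>Please review <a href="http://invoice-portal.example.net/login">https://portal.example-corp.com</a> today.</p>
--XX
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XX--
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)

# Attachment types an analyst should look at before anyone opens them
# (example list; tune to your environment).
RISKY_EXTENSIONS = {".zip", ".iso", ".exe", ".js", ".htm", ".html", ".lnk"}


def _domain(header_value) -> str:
    """Lower-cased domain of an address header value, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(raw_eml: str, reporter: str) -> dict:
    """Parse a reported message and return an incident case record."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    indicators = []

    # 1. Replies routed to a different domain than the apparent sender.
    from_domain, reply_domain = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # 2. Links whose displayed URL does not match the real href target.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    urls = sorted(set(URL_RE.findall(body)))
    for href, text in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if URL_RE.fullmatch(shown) and _host(shown) != _host(href):
            indicators.append(f"link text shows {_host(shown)} but points to {_host(href)}")

    # 3. Attachments: record a hash for later lookup, flag risky types.
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": name, "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS:
            indicators.append(f"attachment {name} has a high-risk extension {ext}")

    severity = "high" if len(indicators) >= 2 else "medium" if indicators else "low"
    # Placeholder case-ID scheme: derived from the raw message so re-reports dedupe.
    case_id = "PHISH-" + hashlib.sha256(raw_eml.encode()).hexdigest()[:12]
    return {
        "case_id": case_id,
        "reporter": reporter,
        "subject": str(msg["Subject"]),
        "from": str(msg["From"]),
        "reply_to": str(msg["Reply-To"]) if msg["Reply-To"] else None,
        "urls": urls,
        "attachments": attachments,
        "indicators": indicators,
        "severity": severity,
        "status": "open",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML, "staff@example-corp.com"), indent=2))
```

The record is deliberately plain JSON so it can be pushed into whatever case-management or ticketing tool the organisation already runs; the point is that every valid report leaves a documented, timestamped trail of what was seen and what was decided, which is exactly what the post-incident review will ask for.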
The bottom line: how you respond to suspicious emails is just as important as getting people to identify the threat.