The basics of any security awareness campaign will include the dangers of the phishing attack. Whether via email or text message, more users are becoming familiar with these attempts to trick them into clicking, downloading, or logging in so that an attacker can compromise them. However, one aspect of improving security is teaching employees the importance of reporting any identified attempts or accidental clicks.
Reporting Builds More Informed Security
Reporting a suspicious link - even if uncertain - contributes to better-informed security teams who can adjust defenses as needed. Plus, tracking reporting trends in an organization also provides good insights for the security awareness team to assess the impact of their programs.
What are some suspicious incidents that employees should be told to report?
- Mouse moving without the user physically touching it
- Random browser pop-ups or toolbars the employee didn't add
- Ransom messages
- Phishing emails or texts - even if they are certain it's malicious
Include Employees as Part of the Incident Response Team
Communicating the value an employee provides when they report suspicious activity can create ownership for security across the organization. Increased reporting provides better insights for security teams and strengthens their ability to respond more quickly and minimize risk.
Sharing insights from their own successes in building a strong security culture, Dennis Legori and Paula West stressed the importance of helping employees understand the stages of reporting. Even if an employee accidentally clicks on a phishing link, there are still remediations that can be implemented to reduce impact as long as the employee communicates as soon as possible.
"There's all these points where you can act to stop things from happening...looking at business email compromise, there are 10 steps from someone researching [a target] to someone actually compromising a system. Steps 2-10, there's a spot along the way at every one of those steps for a human to say 'wait, something's off' and report it at that point and make a huge difference. I think it's important knowing that it's not just 'an event', it's multiple places that you can interject and turn things around." - Paula West, Carrier
Security Culture Affects Reporting
In the past, the trend was to 'motivate' employees to adopt safe practices by penalizing the individual in some fashion. However, this is rarely effective and cultivates resentment rather than adoption. For employees to feel confident in reporting an incident, they must not only understand the importance, but also feel comfortable doing so. It's crucial to ensure employees know their actions are contributing positively to the handling of a security incident, regardless of whether they made a mistake by clicking or engaging.
While it should go without saying, part of ensuring confidence in reporting simply lies in communicating the steps your employees should take to report. Is there a phishing button they should use? Should they send an email to the security team or a particular individual? Being clear on the where and how will reduce barriers to reporting and give confidence.
General Reporting
Wizer Phish Alert Button: allows end users to forward potential phishing emails to your internal security team for analysis, making it easy for employees and your admin.
- Report it to the Anti-Phishing Working Group (APWG) by forwarding the phishing email to email@example.com.
- Report it to Google - you can report the URL and submit it to Google Safe Browsing.
- Report it to the Federal Trade Commission, where you can report any scams.
Whether through internal reporting or reporting to public entities, building a habit of reporting is beneficial to everyone.