shrinkit, 6/11/2023

Recently, Verizon released its 2018 Data Breach Investigations Report. The news (shocker) wasn’t good, all across the board. Threats delivered by phishing emails are growing, including at government agencies that guard sensitive information like tax records or highly classified national security files. The report revealed that when malware is found, one-quarter of the instances are ransomware. Moreover, 68 percent of breaches take months or longer to discover. And 4 percent of employees will click on “any given phishing campaign,” Verizon found. That may not sound like much, but consider that in marketing campaigns, a 2 percent response is stellar. Criminals can double that performance metric just by hitting send. When it’s that easy to succeed, attackers will keep coming.

What can agencies do about it? One answer is taking advantage of the employees that phishing attackers target every day. Imagine transforming users into human sensors that report suspicious emails as nuggets of valuable intelligence. This kind of crowdsourced security has gained traction in recent years, though most practitioners share data across organizations, not within them. A good example is the Department of Defense’s Cyber Security/Information Assurance Program. Under it, contractors share threat information among themselves and with DOD. Among other things, they’ve uncovered numerous advanced persistent threats.

Crowdsourcing works internally, too. With the right training, employees can learn to spot and report all types of phishing. It’s information the IT team can use to find threats faster. Here are some tips for running a user-powered program.

Most government agencies require security awareness training, but it often covers phishing in five or 10 minutes. That’s hardly enough time to educate users on phishing in all its disguises. A good way to start is making users aware of “how they feel” whenever they read an email. Urgency is often used in phishing schemes. It pulses from emails imploring the recipient to act right away - maybe to wire funds to a “vendor” by 3 p.m. A sense of fun or curiosity is another emotion attackers exploit. When users are aware of their reactions, they’re more security-aware. According to a report from Cofense, two of the most effective phishing subject lines are “Free Coffee” and “Package Delivery.”

Phishing awareness efforts come in many flavors, from the posters that pop up during Security Awareness Month to regular and rigorous training exercises. The latter often comes as phishing simulations, where agencies educate employees to the dangers of phishing, then send out mock phishes to keep staff on their toes. The best programs start with basic scams and work up to sneakier attacks, such as a message appearing to come from HR and parroting agency-speak. If employees have an easy way to report suspicious emails, the security operations center will get a steady stream of front-line threat intelligence. True, most reported emails will prove benign, but it only takes one successful phishing attempt to bring an agency to its knees. Also remember that email gateways don’t catch every threat.

Another advantage of email reporting: Engaged employees are vigilant employees. When a malicious email slithers through and lands in user inboxes, IT managers will be glad for trained employees who greet it with skeptical eyes. Studies show that as reporting increases, susceptibility drops. If users have a way to act, they’re more likely to be alert. When the reporting mechanism is a button on email toolbars - one click and done - it’s not hard to recruit agents for a homegrown intel network. What good is newfound knowledge if it can’t be put to use? Reporting phishing is great, unless the IT staff gets overwhelmed.
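As an added example (not part of the original article), here is one way a security operations center can keep a one-click report button from overwhelming analysts: collapse the stream of reported emails into campaigns by sender domain and normalized subject, and rank them by how many distinct employees reported them. The report records, domain names and the `Re:`/`Fwd:` prefix handling are constructed assumptions, not from the article.

```python
"""Triage user-reported phishing by clustering reports into likely campaigns."""
import re
from collections import defaultdict

# Constructed sample of what a toolbar report button might forward to the SOC queue.
# Three employees reported the same urgency-themed "wire funds" message with different
# reply/forward prefixes; two others reported unrelated single messages.
REPORTS = [
    {"reporter": "alice", "from": "payroll@hr-agency-portal.example",
     "subject": "URGENT: Wire to vendor by 3 p.m."},
    {"reporter": "bob", "from": "payroll@hr-agency-portal.example",
     "subject": "Re: URGENT: wire to vendor by 3 p.m"},
    {"reporter": "carol", "from": "payroll@hr-agency-portal.example",
     "subject": "Fwd: URGENT: Wire to vendor by 3 p.m."},
    {"reporter": "dave", "from": "perks@coffee-rewards.example",
     "subject": "Free Coffee"},
    {"reporter": "erin", "from": "newsletter@agency.example",
     "subject": "Weekly digest"},
]


def normalize_subject(subject):
    """Strip reply/forward prefixes and punctuation so variants of one lure match."""
    s = re.sub(r"^\s*((re|fwd?|fw)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    s = re.sub(r"[^\w\s]", "", s).lower()
    return re.sub(r"\s+", " ", s).strip()


def cluster_reports(reports):
    """Group reports by (sender domain, normalized subject) -> set of reporters."""
    clusters = defaultdict(set)
    for r in reports:
        domain = r["from"].rsplit("@", 1)[-1].lower()
        clusters[(domain, normalize_subject(r["subject"]))].add(r["reporter"])
    return clusters


def triage_queue(reports, min_reporters=2):
    """Return one queue entry per cluster, most-reported first.

    A cluster reported independently by several employees is flagged as a
    probable campaign and goes to the top; lone reports stay in the queue but
    behind it, so analysts see the highest-signal items first.
    """
    clusters = cluster_reports(reports)
    ranked = sorted(clusters.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [
        {"sender_domain": domain, "subject": subject, "reporters": len(who),
         "priority": "campaign" if len(who) >= min_reporters else "single"}
        for (domain, subject), who in ranked
    ]
```

Running `triage_queue(REPORTS)` puts the three-reporter "wire to vendor" cluster first as a probable campaign, with the two single reports behind it.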