When your employees and team report suspicious emails, it’s an indicator that the security awareness training in place is having a positive effect.
Regardless of whether a reported email turns out to be spam or legitimate, a single thwarted attack can make the difference between a slight headache and irreparable financial damage. However, this process is a two-way street: timely analysis of reported emails is important for several reasons, especially risk mitigation and improving training effectiveness.
To drive home how important the timely analysis of reported emails is, we spoke to our Founder and CTO, John LaCour.
Analysis Now Reduces Risk
Q: What is the ideal model for handling suspicious emails after they are reported?
A: When suspicious emails land in user mailboxes, that's an opportunity to leverage users as part of your detection network. So our recommendation is to train users to submit those suspicious emails to your IT security analyst function, analyze those emails to understand what sort of attacks are being sent to your organization, pull them apart, and then use that to improve the counter defenses that you have in place, such as your firewalls, content filtering, and other technology.
Q: What, if any, level of risk is introduced when not immediately analyzing suspicious emails and are there any benefits to a delayed analysis?
A: When you introduce a delay in that analysis you are basically making a bet that you are going to get around to analyzing them and updating your defenses or removing malicious emails before the attackers can wreak havoc. And depending on the nature of the attack, it may be something that is automated, like ransomware, and so it really is a race against the clock. So it is absolutely important that you have the capability to review those submitted emails on a 24/7 basis as quickly as possible.
Q: How much effort typically goes into analyzing each suspicious email?
A: The amount of effort that it takes to analyze those reported emails really varies tremendously. It's one of the challenges of implementing this sort of program. You need to have cyber security experts and analysts who can deal with things like malware and other sophisticated attacks, but realize that a good number of the percentage of reports will be spam or maybe low-level attacks like 419 scams. The level of effort is going to vary dramatically, and you are going to need to be able to have the right people, who can handle both ends of that spectrum.
A Faster Feedback Loop
Q: Is following up with the reporter important, and if so, why?
A: It is absolutely important that you follow up with those reporters of suspicious emails. You're asking your users to help your IT security department by identifying those emails which have gotten through your defenses, and if you don't give them any feedback they will start to wonder if they should take the time and effort to send those emails in, they will wonder if you are even looking at them, or are they just going into a black hole. So you really want to encourage that positive behavior of providing feedback to your users.
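A minimal form of the loop described in both answers above (pull the reported message apart, assign it a review priority, and send the reporter feedback), as an added example that is not code from the original interview or its author. The sample message, the risky-extension list and the priority rules are this example's own assumptions.

```python
import hashlib
import re
from email import message_from_bytes, policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".iso", ".zip", ".lnk")  # assumption: needs immediate review

# Constructed sample: a user-reported message, forwarded as the raw .eml
REPORTED_EML = b"""From: "Payroll" <payroll@example-corp.com>
Reply-To: hr-desk@mail-example.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Confirm at http://portal.example-corp.com.mail-example.test/login today.
--b1
Content-Type: application/octet-stream; name="form.exe"

MZ-stub-bytes
--b1--
"""

def _domain(addr):  # lower-cased domain of an address header value, '' if none
    return addr.rsplit("@", 1)[1].strip("> \"").lower() if "@" in addr else ""

def triage(raw):
    """Pull a reported message apart and assign a review priority (rules are this example's assumption)."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender, reply_to = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    urls, attachments, findings = [], [], []
    for part in msg.walk():
        if part.get_filename():  # hash attachments for blocklist/sandbox lookup
            attachments.append((part.get_filename(), hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()))
        elif part.get_content_type() == "text/plain":
            urls += URL_RE.findall(part.get_content())
    if any(n.lower().endswith(RISKY_EXT) for n, _ in attachments):
        findings.append("risky attachment")
    if reply_to and reply_to != sender:
        findings.append("Reply-To domain differs from sender")
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]
    if any(h != sender and not h.endswith("." + sender) for h in hosts):
        findings.append("link host outside sender domain")
    priority = "critical" if "risky attachment" in findings else "high" if findings else "low"
    return {"priority": priority, "findings": findings, "urls": urls, "attachments": attachments}

def acknowledgement(reporter, result):
    """Feedback to the reporter: closes the loop so users keep submitting."""
    return f"Thanks {reporter}: priority {result['priority']}; {'; '.join(result['findings']) or 'no indicators found'}."
```

A "critical" result is what the 24/7 review queue should pick up first; "low" results can be batched, but the reporter still gets an acknowledgement either way.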