The Power of Reporting: Strengthening Cyber Resilience Through Improving Report Rates

“I just delete” is a common refrain with users who receive phishing email attempts.  While deleting a message is safer than interacting with the sender or clicking links, deleting without reporting the message is not the safest strategy for an organization. Reporting suspicious cyber activity allows those in charge of security to be informed and mitigate threats. 

“Don’t click”, “Don’t respond”, and “Don’t enter credentials” are critical lessons for all users.  But realistically, when more than one person is targeted by a scam, someone clicks or responds or enters credentials. Emphasizing reporting threats via a clear and simple method catches the inevitable mistakes.   

Ongoing training that continues to emphasize and even reward reporting threats benefits the organization by allowing a threat to be identified and mitigated more quickly. If at least one person reports a suspected scam attempt, the organization has an opportunity to investigate and potentially minimize the damage with steps such as deleting the email from all users’ inboxes, verifying who clicked, verifying who entered credentials, changing passwords, and more. In addition, emphasizing reporting conveys that users have a valuable role in securing the organization. If the message to users is “just delete”, the message is essentially “it’s not that important”. If the message to users is “always report”, then the potentially serious consequences of scams are conveyed.

To track improvements in reporting, consider the concept of the report rate: Total Number of Reports of a situation divided by the Total Number of Victims of the situation.   

Report Rate Examples:

People targeted: 2; Fell for scam: 1; Reported scam: 0. Report rate = 0/1 = 0

vs

People targeted: 2; Fell for scam: 1; Reported scam: 1. Report rate = 1/1 = 1

Note that the report rate measures the value of reporting incidents, even if the person who reported the incident is the same person who fell for the scam.  This is another message to emphasize: reporting is ALWAYS appreciated, regardless of whether or not the person who reports has already made a mistake. 

A report rate greater than 1, and a report rate that increases over time, both show cybersecurity improvement. The following example shows why a report rate of at least 1 is a solid minimum goal: when the only person targeted is also the person who fell for the scam, a rate of 1 means that person reported it.

People targeted: 1; Fell for scam: 1; Reported scam: 1. Report rate = 1/1 = 1 
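The report rate defined above, computed over a whole simulated phishing campaign and broken down by group (for example by building, as in a report-rate contest). This is an added example, not code or data from the article: the campaign records, the group names and the `summarize` and `below_minimum_goal` helpers are all constructed here. It also covers one case the article's examples do not show, a group in which nobody fell for the scam but someone still reported it; the ratio is undefined there, and the example treats that as an assumption by returning `None` and leaving the raw counts visible.

```python
from collections import defaultdict
from typing import NamedTuple, Optional


class SimulationRecord(NamedTuple):
    user: str
    group: str           # e.g. building or department, for a report-rate contest
    fell_for_scam: bool  # clicked, replied, or entered credentials
    reported: bool       # reported the message through the official channel


# Constructed sample data for one simulated phishing campaign
# (hypothetical users and groups, not taken from the article).
CAMPAIGN = [
    SimulationRecord("alice", "building-a", fell_for_scam=True, reported=False),
    SimulationRecord("bob", "building-a", fell_for_scam=False, reported=False),
    SimulationRecord("carol", "building-b", fell_for_scam=True, reported=True),
    SimulationRecord("dave", "building-b", fell_for_scam=False, reported=True),
    SimulationRecord("erin", "building-c", fell_for_scam=False, reported=True),
    SimulationRecord("frank", "building-c", fell_for_scam=False, reported=False),
]


def report_rate(reports: int, victims: int) -> Optional[float]:
    """Report rate as the article defines it: total reports / total victims.

    Assumption (not stated in the article): when nobody fell for the scam the
    ratio is undefined, so None is returned and the caller should look at the
    raw report count instead of a rate.
    """
    if victims == 0:
        return None
    return reports / victims


def summarize(records):
    """Aggregate campaign records into per-group and overall counts and rates."""
    counts = defaultdict(lambda: {"targeted": 0, "victims": 0, "reports": 0})
    for rec in records:
        # Every record contributes to its own group and to the overall total.
        for key in (rec.group, "overall"):
            c = counts[key]
            c["targeted"] += 1
            c["victims"] += int(rec.fell_for_scam)
            c["reports"] += int(rec.reported)
    return {
        key: {**c, "report_rate": report_rate(c["reports"], c["victims"])}
        for key, c in counts.items()
    }


def below_minimum_goal(summary, goal: float = 1.0):
    """Groups whose report rate is defined and below the minimum goal of 1."""
    return sorted(
        key
        for key, c in summary.items()
        if key != "overall"
        and c["report_rate"] is not None
        and c["report_rate"] < goal
    )


if __name__ == "__main__":
    summary = summarize(CAMPAIGN)
    for key, c in sorted(summary.items()):
        rate = c["report_rate"]
        shown = "undefined (no victims)" if rate is None else f"{rate:.2f}"
        print(f"{key:<11} targeted={c['targeted']} victims={c['victims']} "
              f"reports={c['reports']} report_rate={shown}")
    print("below goal:", below_minimum_goal(summary))
```

With the constructed data, building-a has one victim and no reports (rate 0), building-b has one victim and two reports (rate 2, the reporter need not be the victim), building-c has a report but no victims (rate undefined), and the overall rate is 3/2 = 1.5; only building-a falls below the minimum goal.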

“Always report” only works if something happens when people report attempts. Consider reporting methods that show a response thanking the user, encouraging them to continue reporting potential threats, and mentioning that someone will investigate the reported threat and mitigate it.  Other ways to acknowledge reporting may include a report rate contest among buildings or groups, a “catch of the month/quarter/etc.” award, sharing report data and threat mitigations in cybersecurity communications, etc. 

In real incidents, the risks grow after the initial compromise; reporting at any point, even after the incident begins, and even if the reporter caused the incident, gives responders an opportunity to reduce the scope of the damage.