Employees are reporting more suspicious emails, according to a new report by F-Secure. The report says that the emails included everything from suspicious links and attachments to phishing and spam. Automated systems dealt with 99% of the emails reported with the remaining 1% of emails investigated manually. Those showed that 63% were phishing emails which suggests that while automation saves time it still needs improving.
Riaan Naud, Director of Consulting at F-Secure, said: “You often hear that people are security’s weak link. That’s very cynical and doesn’t consider the benefits of using a company’s workforce as a first line of defense. Employees can catch a significant number of threats hitting their inbox if they can follow a painless reporting process that produces tangible results.”
Naude continued: “Manual triage is clearly a burden, and reporting emails initiates this triage process, regardless of whether or not the email is an actual threat. It’s clearly one of those areas where experts need tech to help them scale existing knowledge and skills.”
What do we learn from this report?
Quite a bit. The first is that employees are increasingly reporting suspicious emails as companies stop making the process difficult. One reason for this increase in reporting is likely to be the use of automation. It doesn’t judge employees or question their reports. It simply takes the report and acts on it. Freeing up employees to report suspicious emails can only be a positive for any organisation. Importantly, it also improves the security culture of the business.
In number terms, the reasons employees reported emails were:
- 59% were suspicious links
- 54% incorrect or unexpected sender
- 37% spam
- 34% social engineering (phishing)
- 7% suspicious attachment
What are the reasons why employees felt emails needed investigating? Among the most common words that got attention were:
- Click here
- Please click
Other high-risk words and phrases that were identified included:
- Amount of USD
- Message is from a trusted
- Your funds has
The power of automated email triage
The number of email reports per 1,000 employees is 116 emails per month. Interestingly, the report says that the number scales linearly as the number of employees increases. It suggests more investigation is required into reporting levels. The level of reporting has an impact on support teams and the time taken to deal with the problem.
According to F-Secure:
- Experienced security teams take 15 minutes to an hour to investigate a report. That equates to 29-116 hours per month for a company with 1,000 employees.
- Inexperienced/understaffed teams can take up to 5 hours per email to investigate. While there is no lower figure, 5 hours per month equates to a whopping 580 hours per month which would mean almost four full-time employees doing nothing but triaging email.
It is no surprise, therefore, that F-Secure looked at the time saved by automation. By using automation to deal with 99% of the reported emails, the time impact on support teams drops to as little as 17 minutes and, in the case of an inexperienced/understaffed team 5.8 hours. It is a significant saving that can only really be described as game-changing for many organisations.
However, there is a caveat. In the 1% of emails that were manually investigated, 63% were rated as phishing. Scale that up to 100% and the number far exceeds that detected by the automation. It shows that there is clearly work to be done to increase the accuracy of the automated system. Given additional training, how much more effective can the automated systems become?
Enterprise Times: What does this mean
It is all too common to see users blamed for being the weakest part of any security. However, the failure to establish a security culture or train people properly are far bigger causes of security failures. This report shows that it is possible to improve employee reporting of suspicious emails but to do so requires change.
The change here is to move away from manual processing of all reports and use greater automation. It removes the frustration of support teams that users are overloading their working day and allows users to send reports without fear of being judged.
It will be interesting to see how this develops over time and whether other vendors can substantiate the numbers in this report. If so, we might finally be getting to a point where users become a really effective first line of cybersecurity defence.