Just a day after we marked the 35th anniversary of the first mass marketing email, the one Gary Thuerk sent to about 400 users of ARPANET, news spread of the Commtouch Internet Threats Trend Report for the first quarter of 2013, which claimed that an average of 97.4 billion spam emails were sent around the world each day. That is quite a bit of junk mail.
Now any organization with a good anti-spam solution in place (notice I said good) will see a great deal of these messages filtered out, because its technical controls will spot the illicit messages and send them straight to the spam folder.
But what about the messages that make it through? The criminal organizations and individuals who send spam are constantly working to circumvent these technical controls so that their messages land in their victims’ inboxes.
In addition to your technical controls, your organization should be teaching your users the basics about spam and phishing. Organizations that are serious about supplementing their anti-spam solution with a human element should make sure that their users know the following:
Why malicious emails are so dangerous
Most users aren’t clear about the problems caused by spam and phishing attacks. They don’t know that clicking on a link could take them to a web site that infects their computer with malware. They don’t know that most Advanced Persistent Threats use email as the means of establishing a foothold in the organization’s network. Most aren’t even aware of what an Advanced Persistent Threat is, despite the term being thrown about in the wake of recent attacks. Without first understanding how dangerous these threats can be, users may not take the rest of their education seriously.
How to spot a malicious email
Whether the email is a marketing message that is more annoying than dangerous or a spear phishing email loaded with malicious attachments or links, users need to know how to spot the common characteristics of these threats. Teaching them to spot a malicious email, or any security threat for that matter, gives the rest of your education program, and your security program, a solid foundation to work from.
What to do with a malicious email
Different organizations have different policies for dealing with spam and phishing emails. Some instruct their employees not to interact with a suspicious email at all, but simply to delete it. Others have the employee flag the email as spam so that the anti-spam filter can analyze it and learn its patterns. Others have employees forward the email to an address in the organization’s IT security department. Whatever course of action your organization takes, make sure that people know what it is.
Who to tell if they fell victim to an attack
Most users are embarrassed when they realize that they have fallen for a phishing scam, especially at work. Whether they fear ridicule from their manager or simply fear for their job, when these incidents go unreported the threat is allowed to gain a foothold in the organization’s network, and the attacker gets time to identify confidential assets to compromise. When users feel safe reporting, and know how to report, that they have fallen for a suspicious email, IT security gains time to deal with the breach and possibly mitigate any resulting losses. It also helps the organization’s reputation with the public when it can disclose that, yes, there was a breach, but it was immediately contained and no data or resources were stolen.
Technical controls used to secure email have improved greatly over the years, and some offerings are now even geared towards the management capabilities of the small to medium sized enterprise, abandoning the old one-size (and one-price) fits-all mentality. But there needs to be an additional layer that supports the anti-spam filter, and that layer is the employees themselves.