Editor's Note: This is a part of a series of blog posts by Sahil Bansal from Genpact on the topic Nudging Towards Security.
The earlier posts have highlighted why it is important for security to be proactive and easy for employees. We looked at two nudges that can help us in achieving this. In this blog post we will look at another one. This ?Nudge' focusses on security being easy. An organization's capability to respond to phishing attacks depends on (among other things) how soon the security team knows about the attack. The security team deploys tools and technologies to stop such emails, but some emails still reach the user's inbox. My first post highlighted how we can tag all external emails so that users can identify phishing emails easily. But is identifying and deleting that email by employee the end of it?
Don't we want people to report such emails to the incident response team so that they can analyze how that email managed to get in, the extent of damage it could do, identify if other people got such email etc.? Wouldn't it be good if all people reported suspicious emails to the IR team as soon as they see it? But how often does that happen? One reason for this is the process of reporting emails. Often people are not sure how to report it, the process is cumbersome, they don't know whom to report it to and they are not sure of the consequences (good or bad) of reporting. It's a bit too much to ask from people who have their day to day work to tend to.
Technology comes to the rescue again! Microsoft Outlook has a lot of customization options. With features like plug-ins and a little customization we can get a ?button' on the Outlook home screen and this button can do pretty much whatever we want it to do. A simple click on this button can forward any email to a specified mailbox and delete the email after this has been done. Pretty neat and simple! So, if an employee receives a spam or a phishing email they just have to click that button on top of their Outlook screen and that's it, their job is done.
There is some effort involved in writing the code for the plug-in, testing and implementing it, but once done and once the employees are taught well enough about the button, the rest can be easy. No one has to remember anything; the button is right on top of our screen. When people report suspicious emails using this button, there could be an instant feedback (another teachable moment!). If an organization feels they don't have the time to get this developed in-house or they don't want to spend the effort, a lot of security awareness companies are providing this capability along with other services.
Speaker Bio: Sahil leads the security awareness, training and culture change initiatives at Genpact. He is a B.Tech, MBA and has done courses on Social Psychology, Behavior Economics, marketing and branding. At present, he is helping Genpact information security team to look at the problem from a people perspective. He has also worked with other IT giants like Infosys and HCL Technologies in the past.