I've posted several times about the tremendous value of an active phishing assessment program. Not only does it result in effective behavior change, but based on my experience phishing assessments are positive and a highly engaging way to reach people. In may ways it becomes a challenge of who can 'spot the phish' first, gamifying your awareness training. The one issue that caught me by surprise was how it can become almost too effective. Your security team, NOC, SOC or help desk may become overwhelmed with people reporting every phish or spam that gets through your organization's mail filters. Just as with an IDS sensor, your human sensors may need a bit of tuning. Here is an effective policy I've seen work.
- If you get a phishing email and you know it is a phish, simply delete it.
- If you get a phishing email and fell victim to it, report it.
- If you get an email and you are not sure if it is a phish or not, report it.
Thats it, simple but effective. This eliminates most of the noise you do not care about (common scams and phishes) but focuses on critical issues (i.e. there has been an incident or more a more sophisticated attack). If you have any secrets you would like to share, let us know!