A recent online poll conducted by the anti-phishing solution provider PhishLabs has revealed a considerable cybersecurity gap exists at many organizations.
While most companies now have solutions in place to block spam and malicious emails, those solutions rarely block every unwanted email. Many spam emails are still delivered. Some of those emails will contain malware and links to phishing websites. It is for this reason that it is essential for employees to receive training to help them identify malicious emails. Companies that provide training to staff can greatly improve their organization’s security posture.
The PhishLabs poll was a simple question, yet it provided valuable insights into what is happening in many organizations. PhishLabs asked, “What happens to suspicious emails that get reported to IT by your users in your workplace?”
Alarmingly, 18% of respondents said employees do not report emails to their IT departments. If employees are simply trained to recognize phishing emails, and it is left to them to delete the messages, their employers are taking a big risk. If one email has been delivered to an end user, there is a high probability that others in the organization will also have the same email in their inboxes. Those other employees may not be quite so good at recognizing malicious emails. One could well open the attachment or click on a malicious link and reveal their login credentials.
Reporting the emails to the IT department allows action to be taken. The potential threat can be investigated, and if the email is malicious, it can be deleted from all inboxes. If it is just spam, it can be used to help tweak spam filter settings to ensure future messages of that ilk, or from that domain or sender, are not delivered.
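The triage step described above, as an added example that is not part of the article or of any PhishLabs tooling: a small Python helper that parses a reported message (a constructed sample with placeholder addresses and URLs), pulls out the facts an analyst needs, and returns both the search criteria for locating other copies in mailboxes and the candidate sender domains for a filter rule. The field names and the priority labels are this example's own conventions, not those of any mail platform.

```python
import email
import re
from email import policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample of a user-reported message; every address, domain and URL is a placeholder.
REPORTED_EML = b"""\
From: "Payroll" <payroll@example-payroll.invalid>
Return-Path: <bounce@mailer.example.invalid>
To: alice@corp.example
Subject: Action required: verify your account
Message-ID: <abc123@mailer.example.invalid>
Content-Type: text/plain; charset=utf-8

Your account is on hold. Verify here: http://login.example-payroll.invalid/verify
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header (empty string if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Extract what IT needs to choose between 'purge every copy' and 'tune the spam filter'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = domain_of(msg["From"])
    bounce = domain_of(msg["Return-Path"])
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = sorted(set(URL_RE.findall(text)))                      # links to possible phishing sites
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    # Links, attachments or a From/Return-Path domain mismatch mean a human must look now,
    # because other recipients of the same message are still exposed.
    suspicious = bool(urls or attachments or (bounce and bounce != sender))
    return {
        "sender_domain": sender,
        "return_path_domain": bounce,
        "urls": urls,
        "attachments": attachments,
        # Values an admin can search other mailboxes for to delete every copy of the message.
        "purge_criteria": {"message_id": str(msg["Message-ID"]), "subject": str(msg["Subject"]),
                           "from": str(msg["From"])},
        # Domains to consider for a block or quarantine rule once the verdict is in.
        "candidate_block_domains": sorted({d for d in (sender, bounce) if d}),
        "priority": "investigate_now" if suspicious else "review_as_spam",
    }
```

The returned dictionary is what an analyst would record and what the reporting employee could be told about, closing the feedback loop.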
The poll also shows just 18% of IT departments analyze reported emails immediately. If reported emails are not investigated immediately, other employees who also received the email could easily fall victim to phishing attacks.
Another interesting statistic is that 45% of end users who are asked to report emails to their IT department don’t know what happens to the emails that they report. If no feedback is provided, or staff are not told what happens when they report malicious emails, it could well reduce engagement. Employees may think there is no point in reporting emails if nothing ever happens.