How do you leverage the lessons learned from a cyber incident to improve your security awareness and culture?

The above paragraphs conflate several types of reporting. One is the report that initiates incident response. This typically is from either automated tools (SIEM, XDR, etc) or a user reporting an incoming attempt or being informed from a client that their account is compromised. Any rules for this are decided within the company, often from HR and senior leadership. Next is the company reporting a cyber incident to stakeholders or authorities. This deals with legal and contractual obligations, etc. There's also a third level of reporting not really mentioned here: Reporting to companies victimized by a cyber event, and to agencies for aggregate data collection. This level promotes good stewardship and helps reduce the attack against others.

Much of the above should already be detailed in your organization's incident response plan. Most companies just think of "How do we protect ourselves and our customers," though. When possible, reporting to others also helps you. Notifying a vendor or contractor about their employee's BEC email allows that company to initiate their IR plan and strengthens your relationship with them. Notifying a publishing site or internet register about a URL-laundering PDF or malicious site allows them to take action thus protecting other potential victims. Reporting to investigative bodies (like FBI's IC3 site in the US) allows researchers to connect macro trends and stop organized actors.

Cyber Incidents are great opportunities to improve awareness and motivate people to think about security. Experience taught us you may never know what happened as a root cause, first foothold. Have a well documented Incident Response Plan, Have Lawyers and Security Forensics teams on retainers. Communicate publicly as required, as openly as lawyers suggest. Ensure "Need to know" and "Attorney Client Privilege" designations on response plan notes, reports, related information. If an incident is well communicated, reasonable response actions taken, and restitution offered to victims, most people see it as a positive experience and part of doing business in today's world. Incidents highlight security importance, take advantage.

In our organization, we created an internal blog where we would anonymize and post annotated screenshots of the emails, redirection pages (URL laundering), and fake login pages. The goal of this is to show our folks how to look critically at these items, so they could identify and report such items in the future. Positive encouragement is paramount to foster that internal reporting and initiate your response plans. Even when a user sends in a perfectly legitimate email, thank them for having us verify the source. One person reporting may lead to the discovery that another recipient thought the source email was real. Finding this out early in the IR process leads to far less damage done.