It was an initiative that most IT security professionals might consider, but ultimately shelve due to the complexity involved in setup alone: implement a monthly phishing awareness campaign for a municipality, not for just a select group of employees, but every worker on the payroll.
It took a great deal of planning and behind-the-scenes maneuvering, but as Richard Drouillard, manager of security and risk with the municipality of Chatham-Kent, said last week at InfoSec 2022, an event organized by the Ontario division of the Municipal Information Systems Association (MISA), it has all been worth it.
In the conference show guide, he wrote that he has “spent the last two years with a very intentional focus on phishing awareness for my organization. Over that time, I have analyzed the results, played with the variables, had some hard conversations, and learned quite a bit about what works and what doesn’t.
“All of us are doing what we can to fight cyberattacks in our organization, and it’s essential for those who work in municipal IT to learn from each other.”
Drouillard, who has been at Chatham-Kent in an assortment of IT positions for 17 years, assumed his current position in 2020.
“I’ve worked in a lot of different roles in IT,” he said. “I’ve been a developer, a database administrator, a JD Edwards administrator, a project manager. I’ve also done a few months in our GIS department. And I’ve done a few months managing our service desk. I’ve worked in every team in our IT department at some point or another, which I think gives someone a really good background for working in cybersecurity.
“We are all at this conference, so I don’t think I need to explain why I started my focus on phishing,” said Drouillard, adding that prior to his taking on the new role, the municipality, similar to many other organizations, had merely conducted one-off phishing simulations.
“You did one or two a year, and there was not a lot of follow-up after they were done. You just kind of ran them and hoped that people learned something from it. I wanted to be a lot more intentional about what I was doing.
“And that meant I wanted a monthly simulation against the entire organization. I wanted to actually get the data from those, analyze it, and try and learn from the patterns of my organization to identify the things that we could work on and get better at.”
He received the necessary go-ahead after two months on the job, when he was asked by the municipality’s executive management team (EMT) to update them on cybersecurity preparedness.
Drouillard recalls he had a week to prepare and describes it as a “fair presentation. It was not doom and gloom – we can slant that way in this career path sometimes, but if you’re always saying the sky is falling, no one’s going to listen to you when it matters, so don’t be the doom and gloom person.
“And I asked for a couple things, because if you’re going in front of a big group like that, you should ask for something while you’re there. In my case, what we were going to do with people who clicked on a bunch of phishing simulations.”
He received the green light to conduct monthly phishing simulations and develop training modules for employees. The program works as follows:
- Anyone who clicks on three simulated phishing emails has to take an extra training module in addition to the annual training all employees must do.
- If an employee clicks on five, six, seven, or eight phishing simulations, the individual’s manager is notified, at which point Drouillard has the authority to take what he described as “extra precautions around that user’s account and their computer.”
- Last, but not least, employees who click on multiple phishing simulations or violate the acceptable use policy have those actions formally recorded in their performance review.
“One tip I have for you is that if you’re talking to your top group about this, no one likes to be surprised,” he said.
“In my case, for the performance reviews, I spoke to the director of HR a week before I did this presentation, saying, ‘this is what I’m hoping to ask for; what do you think?’ and I got her advice. I incorporated her language into it, and I had her on board before I even did that presentation.”
The downside of the role is that, after four months, a call from Drouillard to an employee would, more often than not, elicit a distinctive groan from the person at the other end.
“How terrible is that? Who wants a groan to be the default reaction to their face? I’m a nice guy, I don’t want that. You can be positive in this career, you just have to be a little creative, not a lot creative, just a little creative. And I think the best way to do it is celebrating successes that you have.”
Examples of this include:
- If an employee thwarts an actual phishing campaign by reporting it immediately, call them and congratulate them. “They are going to feel good about that,” said Drouillard. “You are going to feel good about that.”
- The same applies to someone who is nearing a milestone in terms of clicking, but suddenly spots a phishing attempt and reports it. “Congratulate them. Not in a fake, here’s-your-gold-star-clip-art kind of way, but in a sincere way. Give them a call and say, ‘thank you, great job.’”
- Congratulate entire departments when they have a phishing-free month. “Tell them phishing is really important. You know that we do these simulations, but not one person in your department clicked on this. That’s amazing. Good job. Thank you so much for your support.”
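The escalation tiers and the department-level follow-up described above amount to a small monthly analytics job over the simulation results. The following is an added example, not code from the article or from Chatham-Kent’s program: it assumes each monthly simulation produces one record per employee (the users, departments and outcomes below are constructed sample data), uses the three-click and five-click thresholds quoted in the talk, and derives the rest (monthly click rate, phishing-free departments, reporters to thank) from those records.

```python
from collections import defaultdict
from dataclasses import dataclass

# Escalation thresholds as described in the talk: three clicks trigger an
# extra training module, five or more bring the employee's manager in.
EXTRA_TRAINING_AT = 3
MANAGER_NOTIFY_AT = 5


@dataclass(frozen=True)
class SimResult:
    month: str        # "YYYY-MM" of the monthly simulation
    user: str
    department: str
    clicked: bool     # followed the simulated phishing link
    reported: bool    # reported the simulated email to IT


# Constructed sample data: hypothetical users and departments, not real results.
DEPARTMENT = {"alice": "finance", "bob": "finance",
              "carol": "roads", "dave": "roads", "erin": "it"}
MONTHS = ["2022-01", "2022-02", "2022-03", "2022-04", "2022-05"]
CLICKED = {"alice": {"2022-01"},
           "bob": set(MONTHS),                          # clicks every month
           "dave": {"2022-01", "2022-02", "2022-03"}}   # reaches three clicks
REPORTED = {"carol": {"2022-04", "2022-05"}, "erin": set(MONTHS)}

RESULTS = [
    SimResult(m, u, DEPARTMENT[u],
              m in CLICKED.get(u, set()), m in REPORTED.get(u, set()))
    for m in MONTHS for u in DEPARTMENT
]


def cumulative_clicks(results):
    """Total simulated-phishing clicks per user across all months."""
    counts = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return dict(counts)


def escalation_tier(click_count):
    """Map a cumulative click count onto the program's escalation tier."""
    if click_count >= MANAGER_NOTIFY_AT:
        return "manager_notified"
    if click_count >= EXTRA_TRAINING_AT:
        return "extra_training"
    return "none"


def escalation_report(results):
    """Users who have crossed a threshold, with the tier they are now in."""
    return {u: escalation_tier(n)
            for u, n in cumulative_clicks(results).items()
            if escalation_tier(n) != "none"}


def monthly_click_rate(results, month):
    """Percentage of delivered simulations that were clicked in a month."""
    delivered = [r for r in results if r.month == month]
    if not delivered:
        return 0.0
    return 100.0 * sum(r.clicked for r in delivered) / len(delivered)


def phishing_free_departments(results, month):
    """Departments where nobody clicked this month (the ones to congratulate)."""
    all_depts = {r.department for r in results if r.month == month}
    clicked = {r.department for r in results if r.month == month and r.clicked}
    return sorted(all_depts - clicked)


def reporters_to_thank(results, month):
    """Users who reported the simulation without clicking it this month."""
    return sorted(r.user for r in results
                  if r.month == month and r.reported and not r.clicked)


if __name__ == "__main__":
    for m in MONTHS:
        print(m, f"click rate {monthly_click_rate(RESULTS, m):.1f}%",
              "phishing-free:", phishing_free_departments(RESULTS, m),
              "thank:", reporters_to_thank(RESULTS, m))
    print("escalations:", escalation_report(RESULTS))
```

Run monthly after each simulation closes; the escalation report is the list that drives the training assignment and manager notifications, while the click rate per month is the trend line to watch (the article’s two per cent mark is a goal for that number, not for any single user).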
The end result of all his work is that there have been no incidents where the municipality has actually lost money through a phishing attack.
“We have had a good decline in the rate of people clicking on things. Once we got to the two per cent mark, I was pretty happy with that, because you are never going to be at zero per cent,” he said.