DENVER – The city’s employee cybersecurity training reduces the chance an employee will be a victim of “phishing” cybercrimes, but more frequent and comprehensive training could further reduce that risk and better protect the security of the city’s data, according to a new audit report out this month from Denver Auditor Timothy M. O’Brien, CPA.
“We tested thousands of city employees to see how well they respond to a common cybercrime tactic,” Auditor O’Brien said. “The lessons we learned could be beneficial for any employer looking to protect against cyberattacks.”
Phishing is a type of cybercrime where a nefarious actor, posing as a legitimate person or business, attempts to lure an unsuspecting person or organization into sharing sensitive information or downloading malicious software such as ransomware. The information or software can then be used to access systems or important accounts — which can result in identity theft, data loss, and financial loss.
Appendix B of our audit report provides a thorough list of common signs of a phishing email that any member of the public should keep in mind when opening an email. These clues include misspellings and grammar errors, domain spoofs, logo imitation or outdated branding, creating a sense of urgency, generic greetings, “too good to be true” offers, or unexpected attachments.
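The clues listed above can be turned into a simple heuristic check that a help desk or security team could run over a reported message. The following Python is an added illustration written for this page, not a tool from the audit or from Denver Technology Services; the trusted domain, keyword lists, and the two sample emails are constructed assumptions, and a real deployment would tune them and combine them with mail-authentication signals (SPF, DKIM, DMARC) rather than rely on text clues alone.

```python
"""Heuristic scorer for the common phishing clues the audit's Appendix B lists:
domain spoofs, urgency, generic greetings, too-good-to-be-true offers, and
unexpected attachments. Added example; keyword lists and domains are assumptions."""
import re
from email import message_from_string
from email.message import Message

# Assumption: the organization's legitimate sender domain(s).
TRUSTED_DOMAINS = {"denvergov.org"}

URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended", "urgent", "act now")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear employee", "hello,")
TOO_GOOD_PHRASES = ("you have won", "gift card", "prize", "free")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".zip", ".html", ".docm", ".xlsm")


def sender_domain(from_header: str) -> str:
    """Extract the domain after '@' from a From: header, with or without angle brackets."""
    m = re.search(r"@([\w.-]+)>?\s*$", from_header)
    return m.group(1).lower() if m else ""


def is_trusted(domain: str, trusted: set) -> bool:
    """Exact match or a legitimate subdomain (mail.denvergov.org) counts as trusted."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def lookalike(domain: str, trusted: set) -> bool:
    """Domain spoof: reuses a trusted name but is not that domain
    (e.g. denvergov-support.com or denvergov.org.example.net)."""
    return any(t.split(".")[0] in domain for t in trusted)


def get_body(msg: Message) -> str:
    """Collect the text/plain content of a single-part or multipart message."""
    if msg.is_multipart():
        return "\n".join(
            part.get_payload(decode=True).decode("utf-8", "replace")
            for part in msg.walk()
            if part.get_content_type() == "text/plain"
        )
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def _has_phrase(text: str, phrases) -> bool:
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def score_message(raw: str) -> dict:
    """Return the clues found in a raw RFC 822 message and a count as the score."""
    msg = message_from_string(raw)
    clues = []
    dom = sender_domain(msg.get("From", ""))
    if dom and not is_trusted(dom, TRUSTED_DOMAINS) and lookalike(dom, TRUSTED_DOMAINS):
        clues.append("domain spoof")
    body = get_body(msg).lower()
    text = (msg.get("Subject") or "").lower() + "\n" + body
    if _has_phrase(text, URGENCY_PHRASES):
        clues.append("urgency")
    if any(body.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        clues.append("generic greeting")
    if _has_phrase(text, TOO_GOOD_PHRASES):
        clues.append("too good to be true")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            clues.append("unexpected attachment")
            break
    return {"sender_domain": dom, "clues": clues, "score": len(clues)}


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Denver IT Help Desk" <helpdesk@denvergov-support.com>
To: employee@denvergov.org
Subject: URGENT: your account will be suspended

Dear user,

Your mailbox is over quota. Verify your password immediately or your
account will be suspended within 24 hours.
"""

SAMPLE_LEGIT = """\
From: Technology Services <techservices@denvergov.org>
To: employee@denvergov.org
Subject: Reminder: cybersecurity awareness training due this month

Hi Jordan,

Your semiannual phishing awareness course is available in the learning portal.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(raw))
```

The score is a count of independent clues, so a message that trips several at once (spoofed sender plus urgency plus a generic greeting) stands out clearly, while a legitimate reminder from the trusted domain scores zero; the point is to make the Appendix B checklist mechanical for triage, not to replace a user's judgment or mail-gateway controls.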
“Cybercriminals only have to be right once to do a lot of damage and the city must be right every time to protect our sensitive data,” Auditor O’Brien said.
During the audit, our team created two simulated phishing emails and sent them to about 6,500 randomly selected city employees. Half got a baseline email that had easy clues to help spot the phish. The second half of employees in the test group received a more difficult, polished-looking phishing email. The goal was to test the city employees’ behavior when faced with an email sent by a malicious actor.
We compared how these employees handled the emails to information such as the employees’ job type, length of time with the city, management level, VIP status, and number of recent completed cybersecurity trainings.
Based on the results of our testing, we found a positive but limited impact of the city’s cybersecurity trainings. Employees who had more recent training that included information about phishing were more likely to correctly report a phish to the city’s Technology Services agency, but reporting was still significantly lower than best practices recommend. Employees who took the city’s cybersecurity awareness training courses were also less likely to submit sensitive information, such as usernames and passwords.
We also found some employees who incorrectly engaged with the phishing emails were not currently required to take the city’s cybersecurity trainings.
“The city has systems and security in place to help protect against phishing and other cybercrimes,” Auditor O’Brien said. “However, all employees should be adding an extra line of defense by taking cybersecurity trainings and staying vigilant.”
Employees who take cybersecurity training are less likely to engage with phishing emails and more likely to report phishing emails than those who took no training.
We recommend employees complete the city’s cybersecurity trainings on phishing at least every six months because older trainings have less effect on behavior. Those trainings should include quizzes or assessments to ensure employees understand the content of the lessons. And city management should regularly include information about how employees can correctly report a phishing email to help improve the low reporting rates. We also recommend the city clearly identify which job types should be taking the training.
“Phishing is common, and it happens to every organization,” Auditor O’Brien said. “It’s important that our training be frequent and comprehensive because scammers are trying to be just as thorough in their attacks.”
Finally, we found Technology Services should regularly communicate phishing metrics to individual agencies to let management know about click rates, reporting rates, and repeat offenders. This will help keep managers informed about possible trends or issues. By implementing this recommendation, city agencies will be more aware of how their agency and employees are performing.
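The agency-level metrics the recommendation calls for (click rates, reporting rates, repeat offenders) and the comparison by training recency described earlier in the release are straightforward to compute from per-employee simulation results. The Python below is an added example written for this page, not code from the audit or from Technology Services; the record layout, the agency names, the employee IDs, and the 180-day cutoff (matching the six-month training interval the audit recommends) are constructed assumptions.

```python
"""Aggregate phishing-simulation results into the metrics an agency manager would
receive: per-agency click, credential-submission and reporting rates, repeat
offenders across campaigns, and rates by training recency. Added example with
constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Result:
    employee_id: str
    agency: str
    campaign: str                      # simulation round, e.g. "Q1"
    clicked: bool                      # followed the link in the simulated phish
    submitted_credentials: bool        # entered a username/password on the landing page
    reported: bool                     # reported the email to Technology Services
    days_since_training: Optional[int] # None = no cybersecurity training on record


# Constructed sample results (assumed agency names and employee IDs).
RESULTS: List[Result] = [
    Result("e1", "Parks", "Q1", True, False, False, 30),
    Result("e1", "Parks", "Q2", True, True, False, 60),
    Result("e2", "Parks", "Q1", False, False, True, 45),
    Result("e2", "Parks", "Q2", False, False, True, 90),
    Result("e5", "Parks", "Q1", False, False, True, 20),
    Result("e5", "Parks", "Q2", False, False, False, 50),
    Result("e3", "Finance", "Q1", True, True, False, None),
    Result("e3", "Finance", "Q2", False, False, False, None),
    Result("e4", "Finance", "Q1", False, False, True, 400),
    Result("e4", "Finance", "Q2", True, False, False, 420),
]


def _rates(rows: List[Result]) -> dict:
    n = len(rows)
    return {
        "n": n,
        "click_rate": round(sum(r.clicked for r in rows) / n, 3),
        "submit_rate": round(sum(r.submitted_credentials for r in rows) / n, 3),
        "report_rate": round(sum(r.reported for r in rows) / n, 3),
    }


def agency_metrics(results: List[Result]) -> dict:
    """Per-agency rates, the figures the audit wants communicated to each agency."""
    by_agency = defaultdict(list)
    for r in results:
        by_agency[r.agency].append(r)
    return {agency: _rates(rows) for agency, rows in sorted(by_agency.items())}


def repeat_offenders(results: List[Result], min_campaigns: int = 2) -> List[str]:
    """Employees who clicked in at least `min_campaigns` distinct simulation rounds."""
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.employee_id].add(r.campaign)
    return sorted(e for e, rounds in clicks.items() if len(rounds) >= min_campaigns)


def rates_by_training_recency(results: List[Result], cutoff_days: int = 180) -> dict:
    """Bucket results by whether the employee's training is recent, stale, or absent."""
    buckets = {"recent": [], "stale": [], "none": []}
    for r in results:
        if r.days_since_training is None:
            buckets["none"].append(r)
        elif r.days_since_training <= cutoff_days:
            buckets["recent"].append(r)
        else:
            buckets["stale"].append(r)
    return {name: _rates(rows) for name, rows in buckets.items() if rows}


def agency_summary(results: List[Result]) -> List[str]:
    """Plain-text lines suitable for a periodic note to agency management."""
    offenders = set(repeat_offenders(results))
    lines = []
    for agency, m in agency_metrics(results).items():
        agency_offenders = sorted({r.employee_id for r in results
                                   if r.agency == agency and r.employee_id in offenders})
        lines.append(f"{agency}: sent={m['n']} click={m['click_rate']:.1%} "
                     f"submit={m['submit_rate']:.1%} report={m['report_rate']:.1%} "
                     f"repeat_offenders={len(agency_offenders)}")
    return lines


if __name__ == "__main__":
    print("\n".join(agency_summary(RESULTS)))
    print(rates_by_training_recency(RESULTS))
```

Reporting rate is tracked alongside click rate deliberately: the audit found reporting was the weaker behavior, and an agency whose employees neither click nor report is not yet giving Technology Services the early warning a real campaign would require.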
“My office regularly performs cybersecurity audits like this one and shares sensitive results confidentially with city agencies due to the secure nature of the information,” Auditor O’Brien said. “Security is a top priority for my office, just as it is for Technology Services. I hope our findings will make our city’s systems even safer and stronger.”