ITBusiness.ca

At Chatham-Kent, municipal workers helping to slay the phishing dragon

Richard Drouillard, manager of security and risk with the municipality of Chatham-Kent, provided insights at InfoSec 2022 on his phishing awareness campaign. Photo by Paul Barker

It was an initiative that most IT security professionals might consider, but ultimately shelve due to the complexity involved in setup alone: implement a monthly phishing awareness campaign for a municipality, not for just a select group of employees, but every worker on the payroll.

It took a great deal of planning and behind-the-scenes maneuvering, but as Richard Drouillard, manager of security and risk with the municipality of Chatham-Kent, said last week at InfoSec 2022, an event organized by the Ontario division of the Municipal Information Systems Association (MISA), it has all been worth it.

In the conference show guide, he wrote that he has “spent the last two years with a very intentional focus on phishing awareness for my organization. Over that time, I have analyzed the results, played with the variables, had some hard conversations, and learned quite a bit about what works and what doesn’t.

“All of us are doing what we can to fight cyberattacks in our organization, and it’s essential for those who work in municipal IT to learn from each other.”

Drouillard, who has been at Chatham-Kent in an assortment of IT positions for 17 years, assumed his current position in 2020.

“I’ve worked in a lot of different roles in IT,” he said. “I’ve been a developer, a database administrator, a JD Edwards administrator, a project manager. I’ve also done a few months in our GIS department. And I’ve done a few months managing our service desk. I’ve worked in every team in our IT department at some point or another, which I think gives someone a really good background for working cybersecurity.

“We are all at this conference, so I don’t think I need to explain why I started my focus on phishing,” said Drouillard, adding that prior to his taking on the new role, the municipality, similar to many other organizations, had merely conducted one-off phishing simulations.

“You did one or two a year, and there was not a lot of follow up after they were done. You just kind of ran them and hoped that people learned something from it. I wanted to be a lot more intentional about what I was doing.

“And that meant I wanted a monthly simulation against the entire organization. I wanted to actually get the data from those, analyze it, and try and learn from the patterns of my organization to identify the things that we could work on and get better at.”

He received the necessary go-ahead after two months on the job, when he was asked by the municipality’s executive management team (EMT) to update them on cybersecurity preparedness.

Drouillard recalls he had a week to prepare and describes it as a “fair presentation. It was not doom and gloom – we can slant that way in this career path sometimes, but if you’re always saying the sky is falling, no one’s going to listen to you when it matters, so don’t be the doom and gloom person.

“And I asked for a couple things, because if you’re going in front of a big group like that, you should ask for something while you’re there. In my case, what we were going to do with people who clicked on a bunch of phishing simulations.”

He received the green light to conduct monthly phishing simulations and develop training modules for employees. The program works as follows:

“One tip I have for you is that if you’re talking to your top group about this, no one likes to be surprised,” he said.

“In my case, for the performance reviews, I spoke to the director of HR a week before I did this presentation saying, ‘this is what I’m hoping to ask for what do you think?’ and I got her advice. I incorporated her language into it, and I had her on board before I even did that presentation.”

The downside of the role is that, after four months, a call from Drouillard to an employee would, more often than not, elicit a distinctive groan from the person at the other end.

“How terrible is that? Who wants a groan to be the default reaction to their face? I’m a nice guy, I don’t want that. You can be positive in this career; you just have to be a little creative, not a lot creative, just a little creative. And I think the best way to do it is celebrating successes that you have.”

Examples of this include:

The end result of all his work is that there have been no incidents where the municipality has actually lost money through a phishing attack.

“We have had a good decline in the rate of people clicking on things. Once we got to the two per cent mark, I was pretty happy with that, because you are never going to be at zero per cent,” he said.
