Calderdale Metropolitan Borough Council

Simulated Phishing Exercise

Briefly describe the initiative/ project/service; please include your aims and objectives

Cyber security is a high priority for all Councils, and particularly at Calderdale Council. The threat of cyber attack is very real, and we work hard to ensure that we have robust technical controls in place to ward off any would-be attacks. However, technical controls alone are not enough; we also need to work hard to ensure that our people and processes are strong in the face of the cyber threat. Our staff are our greatest asset, and our first line of defence. One particular threat that we face on a very regular basis is that of phishing emails.
To that end, we took the decision that we needed to work with and help our staff to understand this very real threat. The way in which we did this was to formulate a communications strategy, to communicate relevant information regarding phishing, and then follow this up with a simulated phishing attack. We sent out messages highlighting the type of things to look out for in phishing emails. The objective was to "temperature check" our organisation and garner responses from staff, so that we could tailor relevant training materials that are pertinent and fit for purpose, to assist our staff in gaining capability going forward. We have conducted the exercise for 2 years running.

What are the key achievements?

The campaign has vastly improved our colleagues' understanding of the practice of phishing. Firstly, the exercise highlighted the issue to all staff and showed them in a very real way how genuine these emails can appear to be, and how easy it is to fall into the trap. We got our staff talking about the issue, and what to look out for. We have seen an upturn in the reports of phishing that we are receiving at our service desk, which shows that there is a greater understanding and a heightened vigilance around the organisation. We have also made changes to the way in which we actually deal with phishing emails, by implementing a process to log and deal with phishing reports in a timely fashion, meaning that we are taking a proactive approach to the threat.

What are the key learning points?

The campaign gave us a clear insight into staff attitudes towards cyber attacks, and challenged some of the beliefs we held regarding their awareness levels. We learned that regular communications to staff regarding cyber attacks are essential to keep the issue fresh in people's minds. These communications must also reinforce the message that cyber security is everyone's responsibility. However, these messages must be delivered in a non-technical manner, so that they are accessible to all staff. We used the results to identify staff who needed extra training regarding cyber security, lowering the risk of a response to a genuine phishing attack. Conducting an exercise like this is a safe way to test whether you have any potential issues in this area that need addressing, such as additional training that staff may require.

Additional Comments

We believe that we should win this award because we have carried out this exercise in order to be an example to other organisations, who can draw from our experiences and learn lessons that will benefit their own organisation. By taking a proactive approach, we have gained valuable knowledge about staff understanding and attitudes towards this threat, which we are happy to share, and which we believe can only be a positive thing when dealing with cyber threats.