An Ontario city’s solution for phishing test failure: Deny staff Internet access

STRATFORD, Ont. — Getting employees to stop and think before clicking on email attachments is the bane of CISOs. Studies show that at least 10 per cent of staff just can’t resist no matter how much awareness training they receive.

But an Ontario city’s IT staff has come up with a solution, which might be called tough love: Temporarily kick those who fail phishing tests off the network.

“We found we always had 150 to 200 people” out of about 2,250 employees who clicked on links during tests, Jim Dolson, manager of hardware and technology at the City of Greater Sudbury, told infosec pros Tuesday at the annual conference of the Municipal Information Systems Association of Ontario here.


So a few years ago the city adopted a new policy: Click on the link and your Internet access is blocked. “They get an informational message telling them what they did, but you have to call IT [help desk] to get your Internet back.”

“It’s not a penalty, staff tell them what they did, they re-instate Internet access.”

But the incident isn’t forgotten. “Once they’ve done it three times they’re on a list … and if we learn of a virus in the real world we’re afraid of, all the people who have been listed in that group who we know are never-ending threats are blocked, until the threat is over. It’s the only way we can save everybody.” “It’s simple, it’s not complicated.”
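The consequence policy Dolson describes (block on click, reinstate after a help-desk call, a watchlist after three failures, and a watchlist-wide block while a real-world threat is active) can be modelled as a small state machine. The following is an added example, not code from the City of Greater Sudbury or its phishing-test vendor; the class, the campaign data and the threshold constant are assumptions constructed for illustration.

```python
from collections import defaultdict

WATCHLIST_THRESHOLD = 3   # the "three times" rule from the article (assumed constant)


class ClickConsequencePolicy:
    """Tracks phishing-simulation failures per user and derives their Internet access state."""

    def __init__(self):
        self.failures = defaultdict(int)   # user -> number of test links clicked
        self.click_blocked = set()          # users cut off until they call the help desk
        self.threat_mode = False            # True while a real-world threat is active

    def record_click(self, user):
        """User clicked a test link: count it and block Internet access until the help desk is called."""
        self.failures[user] += 1
        self.click_blocked.add(user)
        return self.failures[user]

    def help_desk_reinstate(self, user):
        """Help desk explains what happened and lifts the click block; returns the resulting access state."""
        self.click_blocked.discard(user)
        return self.has_internet(user)

    def on_watchlist(self, user):
        return self.failures[user] >= WATCHLIST_THRESHOLD

    def watchlist(self):
        return sorted(u for u, n in self.failures.items() if n >= WATCHLIST_THRESHOLD)

    def set_threat_mode(self, active):
        """Toggle the real-world threat state; listed users lose access while it is active."""
        self.threat_mode = active

    def has_internet(self, user):
        if user in self.click_blocked:
            return False
        return not (self.threat_mode and self.on_watchlist(user))


def run_scenario():
    """Constructed sample: three test campaigns, everyone calls the help desk, then a threat alert."""
    policy = ClickConsequencePolicy()
    campaigns = [["alice", "bob"], ["alice", "carol"], ["alice", "bob"]]  # constructed click results
    for clicked in campaigns:
        for user in clicked:
            policy.record_click(user)
            policy.help_desk_reinstate(user)
    policy.set_threat_mode(True)
    return policy
```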

Judging by the chuckles in the audience, a number of listeners were impressed.

And, Dolson said, the strategy works. “It used to be a joke, and they just click on anything. But they don’t any more, because it gets embarrassing when they have to call the help desk.”

Now the number of employees who fall for test phishing email is down to around a dozen.

In an interview Dolson said the size of the problem emerged after the city bought a commercial phishing test solution and began testing employees. Initially, many city staff would fall for even the most obvious test scams – think of messages from alleged princes – and some would give away their logins. There was some early success, with the failure rate dropping from 500 staff to around 200. However, he said, progress stalled. Something had to be done.

Temporarily denying Internet access wasn’t welcomed by some, and Dolson had to explain the situation to them or their managers.

“We’ve seen an immediate improvement once people realize there’s a consequence to putting the corporation at risk, and it’s not just a game anymore.”

Howard Solomon