Durham County Government Implements a Managed Security Awareness Service

2023 NACo Achievement Award Winner

Durham County, N.C.

About the Program

Category: Information Technology (Best in Category)

Year: 2023

In March 2020, Durham County Government was the victim of a crippling ransomware attack. The organization was incapacitated, which included the loss of email and the primary network. A 2020 Forbes article detailing the attack reported: “A total of seven computers have been identified that are likely "patient zero" sources of the infection, with both city and county employees clicking on links in emails.”

In October 2022, Durham County Government implemented a Managed Security Awareness service. This service was put in place to engage employees to reinforce behaviors that protect themselves and the County from malicious events. In addition to mandatory cyber training, employees were “phished” at least once a month: IT sent an intentional phishing email to employees. Through training, employees should have known to leave the email unopened and report it to IT via a “report phishing” tool in the email system. However, if an employee opened the offending email, they received an immediate “you’ve been phished” message and had to complete an immediate lesson on identifying and reporting phishing emails. This has been a successful effort: we have measured a 50% decrease in the employee open rate on phishing exercises, from 14% to 7%.