With nearly a million people, Milwaukee County is the most populous in the state and the 47th-largest county in the country. The County’s Information Management Services Department (IMSD) focuses on information technology strategy, application support and execution for the county’s government — an extended network of almost 4000 users. With phishing threats on the rise in busy work environments, long-time staffer Jason Scherer has spearheaded phishing campaigns and ramped up county security culture so that staff knows what to look for and understands what’s at stake if hackers infiltrate the countywide system.
Jason started as an intern on the help desk at Milwaukee County IMSD nearly 17 years ago. Now he’s running hacker-style phishing campaigns that are getting his organization excited about their growing security culture — staff are even asking for more info.
After his internship, Jason worked in desktop support for the county’s high-profile clients, like the Milwaukee County Board of Supervisors. After that, he was responsible for IMSD’s mobile devices and for managing interns. He then got the opportunity to use his degree in cybersecurity by joining the information security team. Before Jason was hired to the IMSD cybersecurity team, the team was just a manager and one other staffer. When Jason joined, he took initiative for the security awareness program.
“I said, ‘Hey, do you mind if I take a whirl at it and start playing with the phishing campaigns?'” Jason said. His manager walked him through the Infosec IQ training library, resource center and email templates and handed them over. That was all he needed to jump into action.
IMSD ran its first Infosec IQ phishing campaign in December 2020, followed by 17 more in 2021. When users click on phishing campaign emails, they’re sent to a custom landing page with county-specific training information or a training video from the Infosec IQ library that shows them what to look for, like misspellings in the URL and .org domains in place of their .gov domain.
Targeting repeat clickers with training
Now Jason and his team are adding next-level training for the previous year’s repeat clickers on phishing campaigns.
“If you’re looking at a high number of people who clicked on even three campaigns, to me, that’s a very high risk over a 12-month period. We enroll repeat clickers in training through Infosec IQ,” he said.
First, Jason emails the managers and lets them know that the staffers will be enrolled in a training simulation — a seven-minute Infosec video about what to look for in phishing emails. Then the staffer gets the same email and is enrolled in a program with a 10-day deadline to complete the training. They get reminder emails on the fifth and final days.
“The benefit of all of this is we can actually send the report to the managers and say, ‘Yep, this person did it. This person did not do it,’” Jason says. “We don’t want to make somebody feel bad, we want them just to be aware of what’s going on and give them a little extra training to help them out in the future. We’re not making it bothersome or boring. We’re trying to make it fun.”
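As an added example (not the county's or Infosec IQ's code), the Python below applies the repeat-clicker rule described above (three or more campaigns in a 12-month window) to a constructed set of simulation click records, then builds the 10-day deadline with day-5 and final-day reminders and the completion report a manager would receive. The record layout, user names and campaign ids are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Click:
    user: str          # who clicked the simulated phish
    campaign: str      # simulation campaign id (assumed format)
    clicked_on: date   # day of the click

# Constructed sample data, not real Milwaukee County results.
SAMPLE_CLICKS = [
    Click("alice", "2021-01-vacation-hours", date(2021, 1, 12)),
    Click("alice", "2021-03-ncaa-bracket", date(2021, 3, 15)),
    Click("alice", "2021-03-ncaa-bracket", date(2021, 3, 15)),  # second click, same campaign
    Click("alice", "2021-11-w2-download", date(2021, 11, 3)),
    Click("bob", "2021-03-ncaa-bracket", date(2021, 3, 16)),
    Click("carol", "2020-02-dropbox", date(2020, 2, 4)),         # outside the 12-month window
    Click("carol", "2021-06-dropbox", date(2021, 6, 8)),
    Click("carol", "2021-09-linkedin", date(2021, 9, 20)),
]

def repeat_clickers(clicks, as_of, window_days=365, threshold=3):
    """Users who clicked on at least `threshold` distinct campaigns in the window."""
    start = as_of - timedelta(days=window_days)
    per_user = {}
    for c in clicks:
        if start < c.clicked_on <= as_of:
            per_user.setdefault(c.user, set()).add(c.campaign)  # count campaigns, not clicks
    return {u: len(camps) for u, camps in per_user.items() if len(camps) >= threshold}

def enrollment_schedule(enrolled_on, deadline_days=10, reminder_day=5):
    """Training deadline plus reminders on day 5 and on the final day."""
    deadline = enrolled_on + timedelta(days=deadline_days)
    return {"deadline": deadline, "reminders": [enrolled_on + timedelta(days=reminder_day), deadline]}

def manager_report(enrolled, completed_by, as_of):
    """Per-user status for the manager: completed, pending or overdue."""
    report = {}
    for user, deadline in enrolled.items():
        if user in completed_by and completed_by[user] <= deadline:
            report[user] = "completed"
        elif as_of > deadline:
            report[user] = "overdue"
        else:
            report[user] = "pending"
    return report
```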
Our click trend went up in December based on a phishing campaign where employees were encouraged to check the remaining vacation hours for 2021.
Jason and his team plan to review the repeat clickers and try to target even more specific training to them. “We have to target those people and we have to figure out, number one, why are they clicking on phishing emails? And number two, what kind of education we can give them to help them so they’re not clicking on that stuff again.”
“What started off as just an idea has literally taken off and now there’s no turning back,” Jason says. His phishing campaigns are earning him a positive reputation at work and much praise from management.
“They’re like, ‘You know what, Jason, you’re becoming a really good hacker.’” Jason figures he has to use real-world scenarios to get their attention. The next one he is working on is a LinkedIn campaign. He’s also used Dropbox notifications, an NCAA Bracket Challenge and W-2 form downloads as bait.
“You can’t make it too easy on them because a real-world attacker is not going to make it easy. They’re going to take something that’s going on, like COVID, for example, or the W2s. They’re going to tailor it to their needs to make you click their email.”
Milwaukee County staff members are on high alert and have even caught phishing emails before their IMSD partner.
“One of the seven email compromises we’ve had was reported by an employee. In only an hour from when she reported it to when I knew about it, we were able to stop that email and pull it from all the other mailboxes it went to.”
Phishing campaigns are now watercooler conversation for IMSD’s upper-level IT security council, whose members have backed Jason’s initiatives from their inception and continue to value the cybersecurity team. “They’ll say, ‘Hey, did you click on it?’ ‘Nope, I didn’t click on it. Did you?’ ‘Yeah, I fell for that one this month.’ It’s not that they’re making fun of each other. They’re just internally comparing how they do with those phishing campaigns.” Many departments ask for employee reports so they can help them.
“We definitely have the buy-in. What started off as an idea is now running full force. It went from nothing very quickly to acceptance and appreciation for what we are trying to do to make the county safer,” Jason says.
Security awareness on the intranet
Jason and his team are staying on top of the snowballing security culture they’ve sparked. For one, they’re creating a security awareness page on the IMSD intranet where they plan to post Infosec IQ videos and games like Choose Your Own Adventure, as well as breaking cybersecurity news and two monthly newsletters — one straight from Infosec.
“Anything we can do to make people more security aware, we’re going to do it. The feedback we’re getting on the intranet page is phenomenal. The Infosec portal is just filled with resources. Everybody’s like, ‘Hey, can I share that with my neighbor? Can I share with my family?’ Go ahead. The more people we can get to be security-aware, the better off we’re going to be.” In fact, Jason creates newsletter articles specifically for safe home computing.
As a fisherman — bass and musky to be exact — Jason said he’s doing better virtually than in the water. “I catch more people phishing than I’m catching real fish.” But in both scenarios, he’s learned a lot. “I keep trying because with real fishing, I don’t give up. I just try something different. In county phishing, I am going to keep trying to teach people not to be caught by my phish.”
Milwaukee County's Security Awareness Training Journey
- Employees not engaged in security culture.
- Phishing and Business Email Compromise threats.
- Advanced, targeted phishing campaigns.
- Training that gets people interested in and excited about cybersecurity.
- An intranet page about cybersecurity.
- Cybersecurity culture is growing.
- Managers are involved in helping repeat clickers learn.
- Staff are active in reporting threats.
- Staff are sharing cybersecurity info with people outside of the organization.