The Texas Association of Governmental Information Technology Managers (TAGITM) awarded the City of Bryan, Texas with the President’s Excellence Award to acknowledge efforts in developing a cultural shift relative to cybersecurity.
The public power city, about midway between Waco and Houston, created its “Cyber Warrior” program in 2015, although it was not originally known by that name. When the program first began, it was just a series of periodic emails to city leadership to raise awareness at the senior level. “It was a way of planting the seed that this is a real and growing thing,” Bernie Acre, Chief Information Officer for the City, said.
“As awareness evolved at the senior level we expanded it to include employees and council members. Our new goal was to determine everyone’s ‘digital rhythm,’ which incorporates how end-users were natively interacting with technology. This process included every department, including fire, police, electric and water utility services, public works, you name it,” Acre said.
“Our initial focus was to make people cyber aware when they didn’t even think about it. As you can imagine, it was a huge culture shock,” Acre said. “I equate it to when it became mandatory to wear seat belts. We didn’t like the idea and now we do it automatically when we sit down in our vehicles. It is the exact same concept. We have to be more aware. It is a culture, it’s a way of life we have been creating and cultivating here at the City of Bryan.”
As the program evolved, Acre took several key steps. He created a monthly newsletter that is distributed to a broad audience that includes employees, vendors, friends, family, and many contacts in Texas and across the country. He created the position of Chief Information Security Officer (CISO) in April 2017, and he partnered with KnowBe4, an internet security firm based in Clearwater, Florida.
In November 2017, using the KnowBe4 platform, the City of Bryan launched its first internal phishing campaign, which deliberately challenges users with the same methods hackers use. This initial campaign’s goal was to establish a baseline. As a precursor, only the City Manager was made aware, along with two other members of the IT team.
“The first campaign gave us a baseline benchmark of ~18% click-rate, which was used to determine where our biggest weaknesses were and how we should focus development of cyber-skills among the entire city staff,” Acre said, adding that in March 2019, after 1.5 years of training, end-users achieved their best click rate to date, 1.14%.
The campaign sends phishing emails to all users, including council members, that challenge everyone to use their cyber skills and email red flag training to determine the legitimacy of the email. “A real phishing email has the potential of causing catastrophic damage to our network, so we use this tool to keep everyone’s skills sharp,” Acre added.
Using KnowBe4’s customizable platform, Bryan tailors its internal phishing campaigns to its own needs and users. The details of the campaigns are designed by a “very creative” Security and Compliance Administrator within the Information Technology department, who reports to the Chief Information Security Officer, Scott Smith. These emails use current events and upcoming holidays in an attempt to create an emotional reaction, just as hackers and phishing emails do in the real world.
“Everyone has a ‘digital rhythm,’ which is a developed and therefore instinctive way we react and respond to electronic communications and media. We design our internal phishing campaigns to retrain users’ instinctive response to a rational and more logical response versus an emotional one, thereby modifying people’s ‘digital rhythms.’” The ultimate aim, Acre says, is to change people’s behavior so they no longer respond to emails emotionally, but instead logically.
To reinforce the message, the internal phishing campaign includes consequences. If an employee fails an internal phishing campaign (“clicks”), they have two weeks to take a 30-minute cyber security refresher course. If they fail to complete the training, they are locked out of the network. To regain access to the network after being locked out, users must schedule a time with the Help Desk, in the IT building during normal business hours, to take the training.
Additionally, all employee performance evaluations now include a category for Cyber Security Awareness. To achieve a “Meets” in this category, all users must complete three hours of cyber awareness training annually and not have clicked on more than two campaigns throughout the reporting period. A “Does Not Meet” in any one category prevents an employee from achieving an overall “Exceeds” Performance. “In the IT Department, there is a higher expectation for this particular category, and therefore a zero-tolerance policy for Cyber Security Awareness is in effect,” Acre added.
“The number one attack vector for cyber criminals is the individual end users,” Smith said. More than 90% of cyber-attacks occur through some sort of phishing campaign. “When that changes, we will adjust our training,” Smith said. Smith also added that they perform in-person training for each City department, highlighting specific vulnerabilities, fielding questions and giving a personal touch to cyber awareness. Acre added, “The in-person training by both the CIO and the CISO has given the program an added boost and a face-to-face recognition that we are all on the same team at the City of Bryan.”
In addition to creating a monthly newsletter and instituting the internal phishing campaigns, Bryan also branded the city’s cyber security program with the “Cyber Warrior” name and logo. The name reflects Acre’s military background and his enthusiasm for history, particularly medieval history.
Acre had a variety of promotional materials made using the Cyber Warrior logo, including stickers, ID badge belt clips, knowledge coins, stress “shields,” data blockers and camera blockers for laptops. “It keeps the cyber security message front and center,” Acre says.
As successful as the various elements of Bryan’s cyber security campaign have been, it would not be effective without some key factors. As CIO, Acre reports directly to the City Manager. The creation of the CISO position in 2017 and the partnership with KnowBe4 have been critical components of the overall program. “Without the support of my boss, my peers within the City organization, and the City Council, I am confident we would not have experienced the significant culture shift we have witnessed,” Acre summarized.