Municipality Launches Employee Cyber Awareness Programme After Spike in Phishing Reports Across Public-Sector Units
The Challenge
When the City of Eastbrook’s IT department noticed an unusual surge in suspicious email reports, few were concerned at first. A few spam messages are typical for any mid-sized municipality. By the time the weekly cybersecurity report reached the Chief Administrative Officer, the numbers were clear and concerning: more than 300 phishing reports in two weeks, nearly triple the usual volume.
The emails were convincingly crafted. They impersonated the city’s HR team, local banks, and provincial grant portals. Some linked to “urgent staff updates,” others demanded immediate password verification. A handful of employees clicked. One entered municipal credentials on a fake login page. Within hours, threat actors used those credentials to probe shared drives containing internal memos and limited citizen correspondence. Although the attempt did not rise to a breach of personal information as defined under PIPEDA, it triggered internal alarms.
The incident exposed a vulnerability that technology alone cannot solve: human error. Many employees admitted they were unsure how to recognize phishing. Others said they were too busy to question every message. One clerk believed cybersecurity training applied only to IT staff.
The risk governance committee convened an emergency session the following week. Despite robust technical controls and periodic audits, the municipality lacked a structured awareness and communications training program. Policies referenced information security in general terms but did not provide practical, ongoing education.
Consequences were felt beyond IT. Word of the phishing attempts spread across departments, raising staff anxiety and attracting media questions about preparedness. The provincial Office of the Information and Privacy Commissioner informally reminded municipalities of their duty, under Canadian privacy principles, to protect personal information through both technology and employee competence.
Morale dipped. Department heads voiced frustration that earlier warnings from the information security officer had not been prioritized. Council requested a full review, citing potential reputational harm if the issue became public.
The surge in phishing was a turning point for Eastbrook’s leadership. It underscored that cyber resilience depends on people as much as systems and showed how quickly insider threats, intentional or not, can arise when training and communication are weak. In an age when one careless click can erode public trust, every municipal employee must be part of the first line of defense.
Our Solution
We designed and delivered a municipality-wide Cyber Awareness and Communications Program tailored to public administration operations and Canadian privacy obligations, including PIPEDA and applicable provincial statutes such as MFIPPA and FOIP. The program included:
– Targeted training pathways: a foundational module for all staff, role-based modules for Finance and Accounts Payable, HR, frontline service desks, and privileged IT, plus concise executive briefings for council and directors.
– Localized content built from sanitized versions of the actual phishing lures observed in Eastbrook.
– A one-click “Report Phish” workflow with a unified mailbox and defined response SLAs, along with external email banners and look-alike domain warnings.
– Progressive phishing simulations with just-in-time micro-coaching and confidential remediation for repeat clickers.
– Behavioral metrics and governance: report-to-click ratio, time to report, completion and retention rates, and cohort analysis. Results were reviewed quarterly by the governance committee and retained per municipal records policy.
– A consistent communications cadence: a launch note from the CAO, monthly micro-tips, an intranet hub, and printable posters for public counters.
The Value
– Risk reduction: Click-through rates on simulated phish dropped by 65–80% across most departments within one quarter. High-risk cohorts showed a reduction of more than 50%.
– Faster detection: Median time to report decreased from 8 hours to under 1 hour, reducing potential dwell time and limiting lateral movement.
– Stronger reporting culture: The report-to-click ratio improved from 0.7:1 to 4:1, indicating more staff reported suspicious emails without engaging with them.
– Compliance readiness: Documented training completion exceeded 95% for active staff, supporting audit requirements under PIPEDA and provincial access and privacy statutes.
– Operational continuity: Fewer mailbox compromises and emergency resets freed service desk capacity for core municipal services.
Implementation Roadmap
Phase 0: Immediate Stabilization (Weeks 0–2)
1. Issue an organization-wide advisory with examples of current lures.
2. Reset passwords for implicated accounts and re-verify MFA.
3. Enable external email banners and tighten rules for look-alike domains.
4. Deploy a single “Report Phish” channel and publish analyst response SLAs.
Phase 1: Readiness and Design (Weeks 2–4)
5. Perform a rapid maturity check on awareness controls and establish behavioral baselines.
6. Identify high-risk cohorts and map existing policies, such as acceptable use and email and collaboration use, to training objectives.
7. Define metrics: report-to-click ratio, time to report, completion and retention rates, and repeat-clicker trends.
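The behavioral metrics named above (report-to-click ratio, time to report, cohort analysis, repeat-clicker trends) are easy to state and easy to get subtly wrong, for example by counting a user who clicks and then reports as only a clicker, or by measuring time to report from the analyst's first look rather than from delivery. The following is an added example, not tooling from the Eastbrook program or from any simulation vendor. It assumes a simple event schema (campaign, user, cohort, action, timestamp) that most phishing-simulation platforms can export; the event rows are constructed for illustration.

```python
"""Phishing-simulation metrics from exported event rows (added example).

Assumed schema: (campaign, user, cohort, action, timestamp_utc) with one
"sent" row per delivered lure and zero or more "click"/"report" rows.
The EVENTS list below is constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

EVENTS = [
    # campaign, user,   cohort,    action,   UTC timestamp (constructed)
    ("C1", "alice", "finance", "sent",   "2024-03-04T09:00:00"),
    ("C1", "alice", "finance", "report", "2024-03-04T09:12:00"),
    ("C1", "bob",   "finance", "sent",   "2024-03-04T09:00:00"),
    ("C1", "bob",   "finance", "click",  "2024-03-04T09:30:00"),
    ("C1", "carol", "hr",      "sent",   "2024-03-04T09:00:00"),
    ("C1", "carol", "hr",      "click",  "2024-03-04T10:05:00"),
    ("C1", "carol", "hr",      "report", "2024-03-04T10:10:00"),  # clicked, then reported
    ("C1", "dave",  "hr",      "sent",   "2024-03-04T09:00:00"),
    ("C1", "dave",  "hr",      "report", "2024-03-04T13:00:00"),
    ("C2", "alice", "finance", "sent",   "2024-04-08T09:00:00"),
    ("C2", "alice", "finance", "report", "2024-04-08T09:05:00"),
    ("C2", "bob",   "finance", "sent",   "2024-04-08T09:00:00"),
    ("C2", "bob",   "finance", "click",  "2024-04-08T09:20:00"),  # repeat clicker
    ("C2", "carol", "hr",      "sent",   "2024-04-08T09:00:00"),
    ("C2", "carol", "hr",      "report", "2024-04-08T09:45:00"),
    ("C2", "dave",  "hr",      "sent",   "2024-04-08T09:00:00"),
    ("C2", "dave",  "hr",      "report", "2024-04-08T09:30:00"),
]


def campaign_metrics(events, campaign, cohort=None):
    """Per-campaign (optionally per-cohort) behavioral metrics.

    A user who clicks and later reports counts in both sets: the click is
    still a click, and the report still shortens dwell time. Time to report
    is measured from delivery ("sent"), not from analyst triage, and only
    the user's first report counts.
    """
    sent, clicked, reported = {}, set(), {}
    for camp, user, coh, action, ts in events:
        if camp != campaign or (cohort is not None and coh != cohort):
            continue
        t = datetime.fromisoformat(ts)
        if action == "sent":
            sent[user] = t
        elif action == "click":
            clicked.add(user)
        elif action == "report":
            reported.setdefault(user, t)
    minutes_to_report = [
        (reported[u] - sent[u]).total_seconds() / 60 for u in reported if u in sent
    ]
    return {
        "recipients": len(sent),
        "click_rate": len(clicked) / len(sent) if sent else 0.0,
        "report_rate": len(reported) / len(sent) if sent else 0.0,
        # No clicks at all is the best case; report it as infinite rather than divide by zero.
        "report_to_click": len(reported) / len(clicked) if clicked else float("inf"),
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
    }


def click_rate_change(events, baseline, followup, cohort=None):
    """Relative change in click rate between two campaigns (-0.5 == 50% reduction)."""
    a = campaign_metrics(events, baseline, cohort)["click_rate"]
    b = campaign_metrics(events, followup, cohort)["click_rate"]
    return (b - a) / a if a else 0.0


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns; these are
    the people routed to confidential coaching, not to disciplinary action."""
    campaigns_clicked = defaultdict(set)
    for camp, user, _, action, _ in events:
        if action == "click":
            campaigns_clicked[user].add(camp)
    return sorted(u for u, c in campaigns_clicked.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    for camp in ("C1", "C2"):
        print(camp, campaign_metrics(EVENTS, camp))
    print("finance click-rate change C1->C2:", click_rate_change(EVENTS, "C1", "C2", "finance"))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Two design choices matter for governance reporting. First, cohort filtering is done per campaign so the committee sees whether a high-risk group such as Finance is improving on its own terms, not just in the blended organization-wide number. Second, the repeat-clicker list is keyed on distinct campaigns rather than raw click count, so one user opening the same lure twice is not mistaken for a trend.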
Phase 2: Program Build (Weeks 4–8)
8. Develop the tiered curriculum for all staff, high-risk roles, and executives.
9. Localize content, ensure bilingual delivery where required, and meet accessibility standards.
10. Configure LMS tracking, records retention, and quarterly governance reporting.
Phase 3: Launch and Coaching (Months 2–4)
11. Announce the program with a CAO message, intranet hub, and printed materials for public-facing counters.
12. Begin progressive phishing simulations and deliver micro-learning nudges within collaboration tools.
13. Offer confidential coaching for repeat clickers and reinforce a no-fault learning culture.
Phase 4: Measure and Sustain (Ongoing Quarterly)
14. Review KPIs with the governance committee and update scenarios as threats evolve.
15. Refresh content each quarter and run annual tabletop exercises for leaders.
16. Maintain audit artifacts and attestations in line with records policy and privacy laws.