Phishing Audit

photo illustration of a credit card and social security card on top of a laptop with a fishhook

Objective

To assess:

  1. How well the city identifies, prevents, detects, and responds to cybersecurity phishing incidents.
  2. The effectiveness of the city’s cybersecurity awareness training by conducting internal and external phishing campaigns.
  3. The effectiveness of the city’s email security tools, such as Proofpoint, to determine whether the tools are configured appropriately to provide adequate email security.

Background

“Phishing” is a type of cybercrime where a nefarious actor, posing as a legitimate person or business, attempts to lure an unsuspecting person or organization into sharing sensitive information. The information can then be used to access systems or important accounts — which can result in identity theft, data loss, and financial loss.

Why this matters

Phishing is a type of cybercrime where a nefarious actor, posing as a legitimate person or business, attempts to lure an unsuspecting person or organization into sharing sensitive information. The information can then be used to access systems or important accounts — which can result in identity theft, data loss, and financial loss.

In classic email phishing attacks, cybercriminals send out mass emails — also known as a phishing campaign — to a large target audience of individuals’ personal accounts or company accounts. These mass phishing emails are often not personalized because they go to numerous people. Email phishing scams may attempt to entice recipients into clicking a link that leads them to a malicious webpage. These pages then attempt to trick recipients into providing their personal information or installing malicious files on their devices. The phishing email may also contain a malicious file or link to malicious content that may include viruses or malware.

Findings

The City’s Cybersecurity Awareness Training Program Improves Employee Behavior to a Limited Extent but Lacks Recommended Content and Not All Employees Complete Routine Training

We found employees who took all six city training courses offered in the first three quarters of 2020 were 9.6 percentage points less likely to submit sensitive information, such as their username and password, after receiving a phishing email compared to employees who took no training.

We also found that those who completed trainings recently performed better than those who had not. However, not all employees within the city complete cybersecurity training because the city has not yet identified which specific employees need to take it.

Technology Services Should Track Phishing Metrics and Communicate Them to Other City Agencies

We found the city’s Technology Services agency does not formally communicate phishing metrics to other City and County of Denver agencies.

Recommendations

1.1 Identify Employee Job Types – The Office of Human Resources should complete its work to accurately identify employees’ job types in Workday and better define the data associated with each job type.

Agency Response: Agree, Implementation Date – Dec. 31, 2021

1.2 Offer Training to the Correct Sets of Employees – Technology Services should work with the Office of Human Resources to gather the
necessary data to better define which employees should receive cybersecurity awareness trainings and ensure that those individuals are being offered training throughout the year.

Agency Response: Agree, Implementation Date – Dec. 31, 2022

1.3 Reconcile Trainings – Technology Services should reconcile the list of individuals who should receive trainings with a list of those who actually complete it through Workday Learning.

Agency Response: Agree, Implementation Date – June. 30, 2021

1.4 Evaluate Training Content – Technology Services should evaluate the content of the trainings it offers each quarter and each year to ensure the training is effective. It should make selections to improve employees’ behavior and knowledge. Specific reminders to use end-user tools, such as the “Report Phish” button, are recommended and should be in line with best practices. Trainings should include assessments to ensure employees understand the knowledge being taught and surveys should be provided to solicit employees’ feedback on the trainings.

Agency Response: Agree, Implementation Date – Dec. 31, 2022

1.5 Train Employees Every Six Months– Technology Services should train employees on a comprehensive set of phishing cues and do so at least once every six months. This should include such phishing cues as those noted in Appendix B of this report.

Agency Response: Agree, Implementation Date – Dec. 31, 2022

2.1 Develop Phishing Metrics– Technology Services should gather the information necessary to develop key phishing metrics that can be reported to other city agencies. This could include click rates, reporting rates, repeat offenders, etc.

Agency Response: Agree, Implementation Date – Sept. 30, 2021

2.2 Communicate Phishing Metrics– Once Technology Services develops phishing metrics, Technology Services should communicate the phishing metrics to other city agencies and explain why the metrics are being communicated to them and what to do with the metrics (e.g., identify areas of improvement for employees).

Agency Response: Agree, Implementation Date – Dec. 31, 2021

Auditor's Letter

April 15, 2021

Our objective in auditing the City and County of Denver’s phishing defenses was to determine whether the city offers effective cybersecurity awareness training based on leading practices. I am pleased to present the results of this audit.

The audit found that employees who took the city’s cybersecurity awareness training courses were less likely to submit sensitive information, such as usernames and passwords, when attacked with a phishing email compared to employees who took no training. The audit also found that employees who completed their training recently performed better than those who had not. However, the city has not adequately defined which specific employees should be required to complete the training. Lastly, the audit found Technology Services could improve its process for communicating phishing metrics to other city agencies.

The city can better protect against phishing attacks by implementing recommendations to more accurately identify employees’ job types in the city’s system of record and to better define the risks associated with each job type. This will allow the city to determine who should receive cybersecurity awareness training and ensure that those individuals are being offered training each year.

Our audit work identified additional details related to the risks described in this report as well as other risks for the city to address. Because these details are sensitive in nature, we provided them directly to the relevant city agencies for remediation.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, “General Powers and Duties of Auditor.” We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 

Denver Auditor,

Auditor's Signature
Timothy O'Brien, CPA

Follow-up

A follow-up report is forthcoming.

Timothy O'Brien Official Headshot

AUDITOR TIMOTHY O'BRIEN, CPA
Denver Auditor

Denver Auditor's Office

201 W. Colfax Ave. #705 Denver, CO 80202
Emailauditor@denvergov.org
Call: 720-913-5000
Follow us on Facebook     Connect with us on Twitter

Auditors Office Logos for Footer: Denver Auditor, Denver Labor

Back to top