Cardiff Council See 60% Drop in Phishing Risk after Dojo Training

With cyber attacks on councils happening daily, Cardiff Council has made cyber awareness a key priority and has seen a 60% drop in phishing risk after Dojo training.

In a concerted effort to build cyber resilience across the organisation, Cardiff has proven that high-quality training leads to a significant reduction in staff phishing and organisational cyber risk. As a result, Dojo cyber awareness training is now mandatory for all their staff and elected members.

It is acknowledged that ‘virtually every crime today has a digital footprint’ (Sarah Thornton, Public Technology). Data itself is valuable and local authorities hold a significant amount of personal, business and planning information – critical information on all of us and how our communities work – which makes them targets for cyber criminals.

Alongside emergency and resilience planning, the senior leadership at Cardiff Council recognised the importance of cyber as an attack surface and organisational risk. The key to mitigating these risks was to ensure all staff were fully aware of how cyber attacks take place and understood that they each had a role to play in keeping the council safe.

Head of IT at Cardiff Council, Phil Bear, explains the approach they took: “To ensure a comprehensive approach to cyber awareness two key elements were required; baselining the risk to the council across all our staff and identifying accessible, focused training to give every member of staff the knowledge they need to keep the council and themselves safe.”

To understand the level of cyber awareness at the start, Cardiff Council ran a simulated phishing exercise across all staff, which recorded the likelihood of officers, senior leaders, elected members and the IT team itself, clicking on malicious links or sharing personal credentials. The exercise was run with leading phishing experts Safehack UK.

Cardiff Council then rolled out the Dojo: Cyber training series, chosen because it had been co-designed by 10 local authorities and spoke directly to staff and elected members about the risks councils face. Developed by BAFTA-winning film makers, the course was designed to engage staff at all levels and cover the key areas of cyber security, and was available in both English and Welsh to ensure 100% take up.

To understand the effect the training had, Phil and his team recently ran a second simulated phishing exercise across all staff who had undergone the training and the results were significant:

“The second exercise showed a 61% drop in staff engaging with malicious emails and clicking erroneous links, and a 67% drop in people sharing their log-in credentials with the scam.”

“This has given us the evidence required not only to make the training mandatory but focus further training on those people who may still succumb to a phishing attack. The Dojo: Cyber training has had a significant impact on the council’s cyber security and we believe it will help staff in their personal lives as well.”

The Dojo: Cyber training is now used by over 100 local authorities, all of whom have engaged due to the original council co-design process, which involved district, county and unitary councils from across the UK.

A further group of eight councils has just finished work on Dojo: InfoGov – training which looks to build confidence around information governance and underpin public sector partnership working – and new modules are currently in pre-production looking to extend training for councillors, who face some unique cyber and GDPR challenges.
