People Are the Heart of Information Security in Marin County
When you think about it, county government agencies collect and retain a staggering amount of personal information. From voter registration and marriage licenses to property tax information, your county knows almost as much about you as the IRS.
“We’re government, so we have a lot of secure information. We protect assets of health and human services, law enforcement, the fire department, there’s all sorts of information from the citizenry,” said Kelly McCubbin, Lead Systems Architect for Marin County. “If I think about it too much, the amount of stuff we’re actually trying to keep the bad guys away from is a little bit scary.”
Keeping data secure has become much more complex with the rise of social engineering and cyberattacks like ransomware, where payment is demanded to restore access to encrypted files and bring networks back online.
“Public trust in government is such a critical factor, especially at the local level because it impacts people so much,” said Lynda Roberts, Marin County Registrar of Voters. “As we know, election security is a hot button issue.”
Traditional technology like firewalls and virus scans can help, but they only go so far. In Marin County, people are at the heart of information security.
“Traditionally there have been people in IT who have a security role, and I think there’s this vision that we’re down in the basement in front of our computer screens,” said Jason Balderama, Chief Information Security Officer for Marin County. “But really, security today has become more of the human interaction. It’s getting to know people, educate them on what’s going on and how they can help.”
System upgrades improved security and reduced costs, but an innovative and engaging staff training program is key to keeping Marin County’s data safe and secure.
Twenty-five percent of information security attacks require internal actions, like clicking a link or downloading a file, to be successful. These types of attacks, known as “phishing scams,” are one of the top causes of security breaches.
To keep its information secure, Marin County’s Information Security Team (IST) decided to arm county employees with the knowledge and skill needed to thwart these kinds of attacks. First, they implemented mandatory security awareness training for all departments and new county employees. Then, they enabled the “Phish Alert” button within Office 365 to allow county employees to report suspicious emails. Annually, during National Cyber Security Awareness Month in October, IST reinforces the training with brown-bag security awareness sessions and other activities.
Most importantly, Marin County’s IST puts its trainings to the test with monthly mock phishing exercises for employees. Bait emails are sent out randomly, and employees who recognize the possible threat and click the “Phish Alert” button are rewarded with a pop-up window providing instant feedback and positive reinforcement. Tracking capabilities enable department heads and the Information Security Team to provide customized trainings for employees who “took the bait” in the mock exercise.
“When we first started the phishing campaigns we were alarmed with the statistics we saw,” said Balderama. “So by implementing this program and raising the awareness of our employees in addition to implementing new technologies, we’ve really reduced the amount of risk to the county and its data.”
“I feel like we’ve got a really solid program that’s keeping the bad guys away,” said McCubbin.
“I’m really proud of the work we’ve done up to this point,” said Balderama. “Whenever someone tells me they really appreciate a tip they read in the newsletter or they catch me in the hall and say ‘oh, I know that was you this time’ with the phishing campaign, it’s really rewarding to know people are doing their best effort to help keep us safe. And I think the more we collaborate, the better off we all are.”