South Ayrshire Council is now using Egress Prevent and Egress Defend to improve security, cut costs and remove complexity from its tenant-facing operations and services.
In order to deal with the sensitive personal and financial information it holds on its tenants, the council wanted to have a secure network completely separate from its main corporate network.
Anne Yeo, senior ICT security analyst, South Ayrshire Council, said, “To handle secure transactions and communications, we had a secure enclave of about 250 machines running our public service network services, but before our ICT team’s commitment to change, the corporate network didn’t receive the same level of attention around security.
“I think we’re the only organisation in Scotland to have approached it like this; all other local authorities ran everything through their corporate networks. It became increasingly difficult because the people who used the secure network to communicate with other local authorities had to have two separate devices, logins and email addresses. Maintaining and upgrading these devices was expensive; even though it was a relatively small network compared with our larger corporate network, there was a lot of cost associated with servicing that for 300 people.”
The council’s ICT team also wanted to change how the organisation handled security, particularly around increasing end-user awareness.
Yeo said, “We bought an email phishing simulation tool – we had some success at first but we then found that people shared information about the simulation so when we ran simulations, about half the people knew it was a simulation before they opened the email, thereby skewing the results. We could tell that some people learned to slow down and pay closer attention to the email, but many people didn’t change their behaviour.”
South Ayrshire Council’s data governance team also had its own security worries around the prevention of accidental data breaches.
Yeo said, “Information governance and privacy are handled by a separate department to our ICT team, and our data governance team wanted a product that provided protection against people mistakenly sending information out. Previously, they had no idea how often data breaches happened due to inadvertent errors by internal staff.
“We know that data breaches are historically under-reported; people are embarrassed and don’t want to get into trouble for a mistake they’ve made that could have led to a bad situation.”
The council’s ICT team looked at Egress Prevent to mitigate outbound data loss and Egress Defend to protect against inbound phishing threats.
Yeo said, “We needed to move away from our security enclave and secure our entire corporate network. Egress Prevent had already come to our attention when we’d been looking for solutions to protect employees who needed to share highly sensitive information with external organisations, and my manager, Stewart McCall, came across Egress Defend and thought its banners and notifications would help our staff.
“We also wanted to replace the training we’d been doing via our phishing simulations with something that would truly impact user behaviour, and we decided that the real-time ‘teachable moments’ from Egress Prevent and Egress Defend would give us the perfect combination of user education and autonomy.”
The council had some initial concerns about how challenging Egress would be to use and how it would affect sending emails, but the council’s staff have found it straightforward to use as part of their daily work. From a management perspective, Egress Defend is easy for the council’s ICT team to administer and maintain.
Yeo said, “We want to strike the right balance between introducing friction into our employees’ daily routines and reducing risk. One of the key things we’ve done is to completely block any email links that Defend finds suspicious.
“We found that some people were still clicking through links, even though Defend displayed a red banner to indicate that the email was almost certainly phishing; Defend allows us to ensure that users can’t click through those links.
“We have to provide a certain level of security for our users who are accessing and sharing sensitive information, but our previous security ‘enclave’ approach came with significant complexity and costs. By bringing our corporate network up to a higher security standard with Egress, the whole organisation benefits, and by removing the costs of maintaining a security enclave, we’ve redirected the budget to cover security for the entire organisation.
“We do annual training to meet our compliance requirements and count on Egress Defend and Prevent to help change users’ behaviour. More than 1,000 staff now use Egress and the number of times users alert us to potentially suspicious emails has increased.”