Cybersecurity: Making One City More Resilient With a Gold Quill Mindset
In recent years, cybercrime has become common through an increase in spam, phishing attempts and social engineering schemes. For many of us who spend more time online, whether for work, financial transactions or staying connected with friends and family, cybersecurity is a top concern.
In 2022, the City of Calgary implemented mandated cybersecurity training for all 17,000 employees, in order to mitigate human-related risks. As a provider of emergency, water and other essential services to 1.3 million citizens, the city, like other large organizations, faced a growing number of malicious email attacks.
So, how do you successfully convince 17,000 people to take a one-hour training? With a lot of communication and cross-corporate collaboration.
As a communicator who works for and lives in the City of Calgary, I led communications and strategy for this initiative, relying heavily on IABC Gold Quill best practices to guide the work.
Starting at Square One With Gold Quill as a Guide
Cyber training only works as a security control when a high percentage of internet and email users have the same minimum level of cyber skills and awareness. We needed high compliance given the potential consequences of a cyberattack for the city. It became clear we also needed a Gold Quill mindset to solve this problem. It was an opportunity to start at square one and do everything right.
Using the Gold Quill playbook — especially the workplan and rubric — the City of Calgary implemented a multi-phase campaign between August 2022 and March 2023. It emphasized change management, and playful creative elements like a ransom note and horror movie posters and aligned with the city’s organizational strategy through targeted communications.
Specifically, the project modeled elements of IABC’s Gold Quill entry guide, centered around a clearly defined business need to drive change across the organization. It included a comprehensive stakeholder analysis, supported by pre- and post-surveys that provided key audience insights. The project set outcome-based objectives that represented meaningful reductions in cyber risk, focusing on results rather than just communications outputs. Finally, it implemented robust measurement and evaluation methods, tying together audience survey data and operational and behavioral trends.
Project outcomes were significant in terms of training compliance, audience behavior and operational improvements. Over 81.5% of all city employees completed their training by the end of 2023. After a significant number of city employees completed their training and renewed it, the city experienced a 61.7% average decrease in employee clicks on malicious emails between February 2023 and May 2024.
Post-campaign survey data supported these results. In a representative survey of employees across the corporation, 79% said their ability to protect themselves against cyber threats had increased due to the mandatory cyber security training. Surveyed employees also indicated that they were better able to recognize social engineering attacks, which are crucial in avoiding advanced scams, representing an increase of 29% compared to the pre-campaign baseline.
Since then, employees have remained vigilant even when the volume of incoming malicious emails has increased. This resulted in an overall increase in the ratio of malicious email to employee clicks by 575.4% between February 2023 and May 2024.
These results underscored the importance of cyber training, which equips anyone who uses technology with a basic yet essential skillset. When implemented and maintained skillfully, it becomes a powerful tool for managing organizational threats and criminal activity, ensuring that all users have the same minimum level of cyber skills and awareness.
The Gold Quill Ecosystem: A Winning Formula
In 2024, “Cyber Training for Everyone” earned three Gold Quill awards, including top honors for excellence in change communication and internal communication categories.
From the very beginning, we followed the formula for an award-winning workplan and aimed high. The results were clear; three separate Blue Ribbon panels scored our entries highly, resulting in multiple awards. More importantly, we created a measurably more resilient and secure organization, building a human firewall against cybercrime that protects our city’s data, operations and essential services.
These achievements are a testament to the Gold Quill ecosystem. Since 2017, I’ve helped lead teams to earn six Gold Quill Awards, gaining valuable insights from both successful and unsuccessful entries. The feedback from adjudicators, along with the learning and personal growth I’ve experienced as a Blue Ribbon adjudicator, has been instrumental. This experience proved invaluable in achieving this year’s success.