Gone Phishing: L.A. County DPSS Takes Out Suspicious Emails

Imagine a 40-hour workweek that consists of little more than vetting suspicious emails. Day in, day out — thousands of backlogged emails to parse through, multiple software filters to apply, one at a time — day in, day out.

And perhaps more daunting is the fact that the systems you’re helping to protect house sensitive social services data for the most populous county in the country. Any missed phishing attempts on your part could be catastrophic for the agency and the people it serves.

And while this scenario might sound like some sort of twisted version of purgatory for IT professionals, it was a daily reality for Daniel Garcia, a senior information systems analyst with the Los Angeles County Department of Public Social Services (DPSS).

The system, known as the Countywide Reporting of Information Security Incident (CRISI) ticketing system, relies on staff to identify and flag potentially malicious emails via a button in their Microsoft Outlook inboxes. That action creates a ticket for further examination, which, until fairly recently, meant that Garcia had yet another problem to contend with.

When he stepped into the role some three years ago, there was a backlog of nearly 3,000 unscanned emails that the agency’s staff had flagged as suspicious. To make matters worse, he would need to run each one through multiple software platforms — a process that averaged between two and 10 minutes per email. No shortcuts, no exceptions.

“I was able to resolve them throughout a year and a half, but during that time I was seeing patterns and identifying different emails coming in, so I started drafting a white paper to develop a system …,” he told Industry Insider — California.

Luckily for DPSS and Garcia, the idea of a streamlined system was in the cards. Xerox and the county’s Internal Services Department (ISD) worked with the department to tailor a robotic process automation (RPA) solution that could take over the repetitive and time-consuming work.

The RPA pilot ran for more than a year before becoming a permanent cybersecurity fixture for the department, DPSS Chief Information Security Officer Robert Rogers said, processing the roughly 200 daily tickets three times a day.

“We’ve been so successful that other county departments are actually looking at creating the RPA for their [own processes],” Rogers said, adding that even ISD is looking to implement an RPA tool within the department.

The new tool has dramatically improved the email security process, Garcia and Rogers said, and only around 20 emails need human intervention. Garcia explained that the system automatically identifies flagged emails, categorizing them into several buckets for return or elevation to the ISD security team. Those buckets include phishing, spam, bulk, marketing, social media, miscellaneous and legitimate.

In addition to the obvious time and cost savings associated with this sort of automation, Garcia noted that the new process means staff are less likely to skip steps when a suspicious email comes in. Previously, delays meant that staff were left wondering if a reported email was safe, which opened the door to potentially dangerous assumptions and clicked links.

“If a user reports it and there’s no response they’ll say, ‘Well, I guess it wasn’t really bad, right?’ so they click on it and then it opens malware or whatever,” he said. “The longer we delay, it makes us more vulnerable.”

Their efforts landed the department recognition through the National Association of Counties (NACO) 2024 Achievement Awards, and Rogers said their successes are being used as a model for other county departments.