IT Director Warns Commissioners Cybersecurity Gaps Exposed by Phishing Test

Grand Traverse County’s IT director warned commissioners today that internal cybersecurity gaps put county systems and taxpayer data at risk after internal testing showed dozens of employees fell for a simulated phishing attempt. Cliff DuPuy framed the test results as evidence that written policies without enforcement are ineffective and cautioned that a single mistake can have major consequences.

DuPuy told commissioners he faces resistance when trying to tighten controls, saying, "I have to kind of acquiesce and do what I'm told to do." He also described friction with other leaders, stating, "The challenge we have, to be candid with you, is we have department heads and elected officials in different departments that will reach out to elected officials and call Mr. Alger and complain what a bad person I am and impugn my reputation and my experience and say that I'm just being obstructionist." DuPuy invoked the county’s 2024 attack as an example of the kinds of incidents that can follow security lapses, but he did not provide additional technical details about that earlier incident.

Commissioners reacted with concern about both the vulnerability and the internal dynamics that may hinder enforcement. Commissioner TJ Andrews said, "I mean, that feels like a real vulnerability for the county." Commissioner Scott Sieffert framed lax behavior as a fiscal problem, asserting, "It's county tax payers money and it's costing millions and dollars to taxpayers money because people are lazy. They have egos that are bigger than their jobs. We need to fix that." Those cost claims were presented as statements in the study session; the meeting produced no financial breakdowns or supporting invoices.

The discussion took place in a study session that produced no formal decisions. Commissioners and the IT department are expected to revisit cybersecurity policy, enforcement mechanisms, a proposed data loss protection policy, and the county’s approach to artificial intelligence in future meetings. DuPuy reported specific pushback against the proposed data loss protection policy and said that while most employees follow rules, the simulated phishing results show training and enforcement gaps remain.

Outside Grand Traverse, other counties have reported security strains related to cloud email transitions and account compromises, a trend county leaders nationwide are watching as they weigh procurement and managed-service options. Those broader trends underscore the policy choices local officials face: strengthen enforcement and training, invest in managed services, or accept continued operational risk.

For Grand Traverse residents, the immediate implication is that public data and services could be at heightened risk unless the county adopts enforceable policies and follows through with accountability. Commissioners will need to decide whether to require disciplinary measures, fund additional training and monitoring, or pursue technical changes. Residents concerned about their personal information or county operations should monitor upcoming meeting agendas and request documentation on the phishing test results and the county’s 2024 cybersecurity incident as officials move from warning to action.