case study

How Elisa built awareness into the security stack to boost detection and response while preventing breaches

About

Founded 140 years ago, Elisa is Finland’s leading telecommunications and digital services company, a 5G network pioneer serving over 2.8 million customers in Finland, Estonia, and beyond.

 

Industry: Telecom, as well as industrial software, virtual collaboration, and cybersecurity services

Headquarters: Finland

Employees: Over 5,300 in over 20 countries

Challenge
Standard compliance-driven awareness solutions were too resource-intensive to transform culture, measurably lower risk, or integrate into the security stack as a core component of detection and response.
Solution
Under the supervision of Finland’s CISO of the Year, Teemu Mäkelä, Elisa has made Hoxhunt cybersecurity training and user-reported threats a core component of the security stack, transforming culture and security risk posture sustainably for over six years.
Key takeaways:
“We started with security awareness but later, as the Hoxhunt Incident Response Platform developed, we integrated awareness results into our core security stack. Our awareness threat intelligence helps drive our board reporting and security strategy. As our employees began reporting more and more real threats, we realized we were developing a human sensor network. With the automation of the Incident Response Platform, Hoxhunt provided a good way to connect the technology with the people and processes of our security system and improve overall threat detection and response.”

Teemu Mäkelä, CISO of Elisa
(Nominated as CISO of the Year in 2020)

From awareness to risk reduction and behavior change

In 2016, Teemu Mäkelä, CISO of Elisa, saw that phishing threats were evolving, but security awareness solutions were stagnant. Social engineers were targeting people, but awareness programs were mainly targeting compliance. This was a particular problem for Elisa, whose global growth was expanding their attack surface and enlarging the threat of Business Email Compromise (BEC) attacks—still the most prolific and costly form of cyberattack. 

So Elisa auditioned several value-driven security programs that would actually lower risk and transform security culture. 

“Building a strong security culture is the most important thing for a security leader to do,” said Teemu, recounting how Elisa has learned to approach cybersecurity as a business risk in which everyone shares responsibility, from the board down. “I think Hoxhunt is one of the key ways you can influence the entire organization on security culture.”

Eventually, Elisa would indeed select Hoxhunt and transform employees into human sensors comprising an intelligent detection and response engine. Furthermore, security training results have become key to cybersecurity strategy and key performance indicators at Elisa. 

But while sampling various premium security training solutions six years ago, Elisa discovered that not all awareness and training is created equal.

Hoxhunt’s differentiation: Automation and personalization to transform human risk 

Elisa first invested in costly, industry-standard security training platforms. The awareness videos, though well-produced, were irrelevant to their employees and ineffective at behavior change. And other platforms’ libraries of simulation templates required so much time and resources to operate that Elisa was advised to hire external vendors to reach the level of security training they desired. No thanks.

“The difference between the automated Hoxhunt solution and a typical, manual phishing platform is huge,” said Teemu. “We buy Hoxhunt’s security awareness as a service, and we don’t have to do anything for the simulations to flow.”

Teemu pivoted to Hoxhunt for its blend of automation and customization, along with the human touch of a dedicated customer success team. Hoxhunt straightaway delivered outstanding onboarding and engagement rates followed by next-level awareness results. Even after six years with Hoxhunt, with employees being drilled on dozens of personalized phishing simulations each year that automatically adapt to their skills and background, Elisa has maintained exceptional engagement and performance.

“One of the main reasons we selected Hoxhunt was because its program, as a service, is totally automated,” said Teemu. “And then its learning path is created for the individual; you don’t send the same simulation at the same time to everyone. You challenge people to learn at the edge of their knowledge on customized learning paths that are totally automated for each individual.”

The kicker? People loved it. Still do, in fact.

Today, the members of the executive leadership team are known to praise Hoxhunt without prompting at board meetings. Meanwhile, NPS survey results reflect the leadership team’s enthusiasm across the organization. Using the Hoxhunt leaderboards, top cybersecurity performers are rewarded with gift cards each quarter. 

And Hoxhunt is the only awareness and training solution recommended by Elisa security services to customers.

 

Beyond awareness and behavior change: Turning employees into a human sensor network

Early on, Elisa performed a phishing simulation benchmark study. Non-Hoxhunt users had a 20% fail rate on a simple IT phishing simulation. The Hoxhunt-user simulation fail rate was a fraction of that, at around 4%. Those astonishing results have been confirmed by a more recent benchmark performed with Elisa’s customers. A single phishing simulation sent to 3,000 employees at 12 participating organizations triggered a fail rate of 19% from non-Hoxhunt users. And the fail rate for Hoxhunt users? Below 1%.

“It’s important to consider that in addition to this being security and awareness training, it also turns people into sensors, so it improves your threat detection capability at the same time,” said Teemu. “Because phishing is an attack on people, you are able to first detect those attacks best through your people.”

Over the past six years with Hoxhunt—during which time Teemu has been recognized as Finland’s CISO of the Year and Elisa recognized as a model of security culture and excellence in security services—Elisa has consistently demonstrated an enviably low phishing simulation failure rate of under 2% and a very high engagement rate of over 70%. So over time, even as the simulations get harder and the global workforce has enlarged, their performance has improved. The resulting resilience score of over 33—engagement divided by failure rate—is leagues ahead of most global companies, who strive for a score of 14. 

Elisa’s real threat reporting rates, meanwhile, are exceptionally high. This is a critical metric because each real threat report effectively removes that threat (be it ransomware or a botnet or a BEC attack) from the system, and alerts the SOC team of the danger.

 

Connecting threat reports to the security stack

Eventually, Elisa was confronted with a problem every security team hopes to have: their awareness program was working too well. Reporting threats was so quick, easy, and without friction that individuals could effectively become human sensors. The mounting threat reports required an added layer of analysis and as such, Hoxhunt expanded and further developed its platform services to provide added value and benefit with the Incident Response Platform. 

“It’s super easy to use, and provides a lot of good input into the IR process,” said Teemu.

Incident Response analyzes millions of real threat reports and, using patented machine learning algorithms, categorizes and prioritizes them for further action. This has been a game changer for the strategic security design of Teemu’s program.

“We started with awareness but later, as the Hoxhunt Incident Response Platform developed, we integrated awareness results into our core security stack,” he explained. “Our awareness threat intelligence helps drive our board reporting and security strategy. As our employees began reporting more and more real threats, we realized we were developing a human sensor network. With the automation of the Incident Response Platform, Hoxhunt provided a good way to connect the technology with the people and processes of our security system, and improve threat detection and response.”

Teemu noted that the Hoxhunt Incident Response Platform transforms awareness into actionable threat intelligence as employees’ threat reports are automatically categorized and prioritized for the security team. Security operations at Elisa now make playbooks based on the results of the Incident Response Platform.