1884, Ibach, Switzerland
Number of employees:
The Swiss Army Knife has been a functional, high quality, innovative and iconic tool since it was patented by Victorinox in 1897. The range of pocket knives and multi-tools currently comprises over 400 models with up to 80 different functions. Nevertheless, the Swiss Army Knife remains a lightweight solution designed to adapt to multiple needs.
In contrast, traditional security awareness solutions are the opposite. The standard approach to security training has been to manually send one or two of the same phishing tests to all employees. But with the vast majority of all data breaches containing the human element, Tobias Hauser, head of information security at Victorinox, wondered if there was a Swiss Army Knife-equivalent to phishing and security training.
What if one security awareness platform could transcend compliance, create lasting behavior change, and ultimately boost threat detection and response by connecting upskilled employees with security operations?
Now that would be a solution worthy of the legendary Swiss Army Knife’s principles.
Three years ago Tobias Hauser sought true automation after his previous template-based awareness solution proved to be too clumsy and heavy to use effectively. The training software from the established Swiss company was so resource-intensive that the Victorinox IT security team could only manage 2-3 campaigns a year because it required Tobias and his team to:
“It was a lot of work just to do those campaigns, so we started looking for an automated security awareness platform,” said Tobias. “We spoke with a collective of Chief Information Security Officers (CISOs) who regularly meet up and several had Hoxhunt in place and they recommended it.”
Victorinox considered the big players like KnowBe4 and Proofpoint, but ultimately selected Hoxhunt because it could do more with less effort. The platform supported all eight of the languages representing the Victorinox global workforce, and Tobias was very impressed with Hoxhunt’s personalized learning model, in which training automatically adapts to each employee’s role, location, and skill level.
Tobias and his team performed a benchmark phishing test that revealed a roughly 25% phishing simulation failure rate. While this is a fairly typical number for companies before they begin with Hoxhunt, Tobias and his team raised their eyebrows at the figure and aimed to lower it dramatically. Phishing simulation failure rates are commonly linked to risk of a data breach.
With assistance from the Customer Success team at Hoxhunt, after a successful Proof of Concept (POC) with a dozen users, Victorinox got their phishing and awareness program on track within a month, and their failure rate fell below 5% after several months. That failure rate has remained steadily declining, even as participation rates swell and the difficulty level of the phishing simulations increase.
The Hoxhunt platform generates performance and progress results with a Chief Experience Officer (CXO) report that can be readily communicated to the executive board. Lowering risk is the common goal of the CISO and the C-suite and indeed, the security performance metrics at Victorinox demonstrate an always-improving risk posture. This helps Tobias boost security culture and communicate the value of awareness and behavior change to his board.
“We can show the executive board that we have a very low fail rate, falling from over 20% to under 5%, so it makes sense for us to invest in security because we are generating real results and providing a measurable return on investment.”
The automated user performance analysis also helps the security team see which departments, user groups, or individuals could use more personal training and to understand why they click.
Before Hoxhunt, Victorinox advised people to delete suspicious emails. Now, employees are instructed to report them. This, said Tobias, has been a game-changer.
Hoxhunt centralizes the threat reporting button into training. It’s a design principle rooted in established behavioral science, such as the BJ Fogg Behavior Model from Stanford. Constant realistic practice that rewards good actions and coaches away bad ones creates lasting security habits.
Those habits were locked in even to real threat detection with the Instant Feedback feature. When employees report suspicious emails outside the Hoxhunt training program, the Hoxhunt AI immediately analyzes the email and determines whether it is spam, a legitimate message, or a malicious email. If it is malicious, the employee gets a digital reward. When threat reporting becomes a reflex, people wind up regularly detecting real phishing attacks that slip past the technical perimeter. Detecting a real threat directly impacts risk reduction as phishing emails are contained and removed from the system in real time.
By connecting people to the security stack, Hoxhunt has helped strengthen Victorinox’s human firewall and augment the security team’s detection and response capabilities.
“The Hoxhunt reporting button gives us visibility into what kinds of phishing emails are in the system,” said Tobias. “Before Hoxhunt, we didn’t know what kinds of spam and phishing emails our users were getting. We trained users to delete suspicious emails. But now, with Hoxhunt, it’s a game changer because we tell employees to report all suspicious emails. This gives us visibility into ongoing real phishing campaigns so we can react with activities like URL blocking and IP address blacklisting.
Furthermore, Hoxhunt is flexible enough that the security team can get ahead of potential problems. Security team member Ramon Schnüriger, for instance, noted how just the day before, an internal email was flagged as phish by the users because it resembled a phishing email. He generated a feedback rule on the Hoxhunt platform to mark those reported emails automatic as a safe email. Sure enough, over 500 people had reported it as potential SPAM or phish but marked as safe by the Hoxhunt feedback rule. Not only did this functionality ensure business continuity and prevent added burden on the security team and Servicedesk to handle the reported incidents, it revealed the positive effect on security culture Hoxhunt has had.
“I saw that people are aware of Hoxhunt and are using it,” said Ramon. “People are really into this security topic and they know it’s easy to use the Hoxhunt button and so it’s better to report an email once more than once less. What I mean by that is we tell people that it’s better to report a mail as a false positive than to click a phishing mail.”
Tobias noted that Hoxhunt is widely liked by executives and employees. At a recent “lunch and learn” session on security, Tobias was pleasantly surprised to host a good turnout of employees eager to learn more about security. Many praised their security training.
“I can say that for sure our users are trained very well with Hoxhunt and they can act as a human firewall. This helps very much to improve security for the whole company.”
And, importantly, Hoxhunt is designed to adapt to the constantly-changing threat landscape.
“Hoxhunt is really a huge improvement. There will be in the future some complicated phishing attacks, or social engineering, or CEO fraud, or other sophisticated attacks, so it is important that the user knows that attacks like this are ongoing and I know that I can protect the system or the company from a security breach I’m quite impressed that it protects us very much.”