With 20,8 billion euros of added value, 1400 companies, and 4,5% of Belgian GDP, Port of Antwerp-Bruges is the second largest port in Europe and a true world port. It is an important lifeline for the Belgian economy. International connections and sustainable growth play an important role in reinforcing its role as a world port, and as a lever for a sustainable future, with the ambition to reconcile people, climate, and the economy, together.
“The end goal is a cultural shift, which means that a cybersecurity awareness program should be more ambitious than just creating awareness. It should lead to behavior change. To accomplish this, we found the perfect partner in Hoxhunt. The combination of gamification, a personal and automated learning experience, and efficient incident response capabilities makes Hoxhunt stand head and shoulders above the competition. Thanks to Hoxhunt, the awareness level of our workfoce is at a consistent and high level, while the playful elements keep attrition low.” -- Yannick Herrebaut, CISO
Europe’s second-largest port is a pillar of Belgium’s critical infrastructure. That sector is facing increasingly sophisticated cyberattacks in today’s geopolitical landscape and AI-driven climate of advanced social engineering tactics.
“The board and our internal audit team look at a broad range of risks for the company, from climate change to container capacity to cybersecurity. We track the top 15 risks, of which cybersecurity is number one.
Port of Antwerp-Bruges recognized the rise of cyber-attacks when they reinvented their IT department back in 2018 from a perceived cost center to an important business driver. Core to this vision, Yannick Herrebaut’s role as the organization’s first CISO was created, along with the Cyber Resilience Department. They were established to address the evolving threat landscape, and have come to focus on human-targeted attacks.
One of Yannick’s first initiatives as CISO was to create a user awareness program to foster a cybersecurity culture within the organization. A one time phishing benchmark that was conducted earlier showed some concerning results. It was clear that the employees were quite gullible and relied too much on technical measures to keep their company assets and data secure.
“The user awareness score reflects the effectiveness of our user awareness program in reducing human cybersecurity risks. We track metrics such as click rates on simulated phishing emails, completion rates for security training, and improvements in employee behavior over time. We also monitor the number of reported incidents and the level of employee engagement with security initiatives. During the time we used a different tool, we only sent out 4 generic campaigns per year. The results varied greatly, depending on the difficulty of the template and some other factors. However, since we’ve been using Hoxhunt, we noticed a stable and high level of user awareness.”
The process of selecting the right human cyber-risk management product was challenging. They needed to consider:
The first tool they selected was an e-learning SAT tool, but after two years of using this product, it became apparent that it came with some drawbacks:
Hoxhunt's solution shifted training from the one-size-fits-all legacy SAT model to a personalized learning journey focused on good cyber-behavior: threat reporting. Enabled by AI, the platform was easy to use for the admins, and the gamified content was enjoyable for employees. Engagement rates and positive feedback soared. Yannick credits the success to:
The success of Hoxhunt was reflected in the organization's awareness score, which Yannick carefully developed as a corporate KPI. Previously, the awareness score varied greatly between 24% and 83%, but with Hoxhunt, it quickly reached over 90% and has stayed there for more than a year. Secure email behavior became standard operating procedure.
"The continuous and engaging nature of Hoxhunt's phishing simulations, along with the measurable improvements in our awareness and performance metrics, have greatly contributed to our organization's cybersecurity culture and overall security posture."
Being able to report on progress is important to both Port of Antwerp-Bruges as well as the Cyber Resilience Department. Between the people, processes, and technology composing the security stack, Yannick and the board focus on the human aspect of cybersecurity, still one of the biggest risk factors.
“KPIs in awareness and security behavior change are important because you should know what’s happening with your program and be able to report risks and trends to the board. You need good metrics to guide good decisions. I cannot walk into a board meeting and say, ‘Thank you for the money, I promise I will spend it wisely.’ I must give something in return. I believe in this approach, and I appreciate the extensive reporting capabilities that Hoxhunt provides because they help me tell the story to management more effectively.”
The Port has a dynamic list of 15 different existential risks to the organization, ranging from cybersecurity to climate change and capacity for shipping containers. This past year, cybersecurity emerged as the top risk to the business. And social engineering is one of the top challenges they seek to mitigate within cybersecurity.
Additionally, they highlight risks to mission-critical assets, compliance efforts related to the European NIS Directive, and overall information security policy. Compliance with these regulations is crucial for avoiding legal and financial consequences.
“Overall, the board is highly interested in our initiatives and results, as cybersecurity has been identified as the top risk for the company. By sharing these KPIs and demonstrating our progress in mitigating human cybersecurity risks, we ensure that cybersecurity remains a top priority and receive the necessary support and resources to continue our efforts.”
The behavior change training has conferred measurable impact on threat detection and human cyber-risk reduction. There was a tremendous upswell in the threat feed as employees began reporting suspicious emails as a matter of habit.
Over 2/3 of active Hoxhunt participants reported a suspicious or malicious email within one year of commencing training. There is no better outcome of a phishing attack than a threat report. And there’s no better proof of behavior change than real threat detection.
A threat report removes the danger from the system and alerts the SOC team so they can eliminate or contain the threat before the damage spreads.
Rather than be overwhelmed by the response, the SOC team leverages Hoxhunt’s AI-enabled Response Platform. It does the work of multiple FTEs of SOC analysts by automatically orchestrating the threat feed data to categorize reports and prioritize incidents. The result is significantly augmented and accelerated threat detection and response capabilities.
“We have seen a change by orders of magnitude in our employees’ online behavior with Hoxhunt in terms of real threat detection. This proves that the training is having a real-world effect on people, and is measurably reducing our cyber-risk. The fact that the Hoxhunt platform automatically analyzes these threat reports means we can optimize our efficiency and the quality of our SOC team’s work.”