case study

TomTom navigated human cyber-risk management and a 10-fold increase in real threat detection


Billions of data points. Millions of sources. Hundreds of communities.

TomTom is the mapmaker bringing it all together to build the world’s smartest map. They provide location data and technology to drivers, carmakers, businesses, and developers. Their application-ready maps, routing, real-time traffic, APIs and SDKs enable the dreamers and doers to shape the future of mobility. TomTom has been helping people find their way in the world for over 30 years.

Headquarters: Amsterdam

Employees: 4,000 globally

Serving some of the largest automotive and technology companies in the world, TomTom needed to quickly achieve regulatory and audit compliance and level up their security maturity to satisfy intensified requirements for doing business.

Hoxhunt supported TomTom in achieving compliance targets and demonstrated measurable human risk reduction with a strategic focus on phishing, security behavior change training, and human risk management.
Key takeaways:

Key results

  • Measurable behavior change: across-the-board improvements in simulated phishing reporting skill, engagement, and speed.
  • Simulated threat reporting activity has more than doubled since before Hoxhunt, while simulated phishing failure rates have been cut down by three-quarters.
  • Real threat detection exploded by a factor of 10
  • Accelerated incident response
  • Automation has optimized threat feed intelligence, and reduced SOC workload by multiple FTEs

“We were a small security team tasked with building up security capabilities very quickly, and Hoxhunt has been extremely useful for us. The response platform is a force multiplier that does the initial triage for us without us having to scale out a massive team to look at every email being reported to us by our well-trained employees.”

Destination: compliance. Navigating new business and regulatory terrain.

The personal navigation systems for which TomTom is famous were first stuck to car dashboards in 2004. But their traverse into B2B business territory necessitates delivering the highest standards of security. Doing business with tech giants and global automotive companies, where data breaches can endanger lives and compromise sprawling digital networks, demands continuous improvement in security maturity, starting with compliance.

Hoxhunt helped TomTom reach compliance in 12 months. As a result, the TomTom security team has effectively helped make security an integral part of the broader growth strategy and a revenue enabler for B2B activity.

“Hoxhunt supported our continuous security maturity journey to achieve compliance in 12 months.” —Craig Knox, Director: Platform and Product Security

Driving behavior change

Compliance was the beginning of the journey, not the destination. Ultimately, Craig and the security team knew they needed to demonstrate measurable security behavior change and human risk reduction to attain a competitive advantage for enterprise B2B partnerships.

Hoxhunt helped fuel outstanding behavior change training results:

  • Active users—those who reported a simulated or real threat, or who failed a phishing simulation in the previous 3 months—have skyrocketed to 83%.
  • Success rate—those who successfully reported a phishing simulation—has risen from 24.1% to 60.6%
  • Failure rate—those who failed a phishing simulation—has fallen from 15% to 4%.
  • Miss rate—those who don’t interact with a phishing simulation—dropped from 72.7% to 35.4%

“Our customers were a big, big driver in our push to level up our security posture. We had to show them compliance and we had to show them we have excellent awareness of security topics and of phishing attacks. With our enterprise customers, we absolutely had the drive to mature our security posture to drive new opportunities. But secondly, our automotive customers are becoming much more regulated, and to work with them security is no longer our only concern. Safety is a challenge as well: Can someone hack our software to get into the brakes of a vehicle? Can someone switch off the vehicle through our software?” —Craig Knox, Director: Platform and Product Security

As a company built on innovation and fast research and development, TomTom appreciated how well Hoxhunt allowed employees to level up their security skills without slowing them down or distracting them from their work. Hoxhunt’s ongoing, personalized micro-trainings integrated seamlessly into corporate workflows and uplifted company security culture.

Automated SOC response puts threat triage on cruise control

After implementing the program, TomTom was met with an enviable problem: the Hoxhunt security behavior change program worked too well! The employee threat reports went from a dozen trickling in per month, to pouring in by the thousand: undeniable proof that their security behavior change program was working.

Handling the deluge in a timely manner would have taken at least two full-time SOC analysts for triage, estimated Craig.

So the TomTom security team enlisted the Hoxhunt Incident Response Platform to do the heavy lifting. Hox Response automatically orchestrates threat data to group and categorize reports in order to accelerate incident response. It let the security team cut out the noise and prioritize real incidents.

“Hoxhunt has been extremely useful for us as a force multiplier. The response platform is a force multiplier that does the initial triage for us without us having to scale out a massive team to look at every email being reported to us by our well-trained employees.”

TomTom employees use the Hoxhunt button to report thousands of suspicious emails each month. The Feedback Rules feature allows admins to whitelist internal communications that are commonly mistaken for phishing emails, which avoids interrupting employee workflow and prevents unnecessary threat feed bloat. The Hox Response Platform’s automated data orchestration has let Craig’s team focus only on the highest priority incidents.

This reduced threat feed noise by 99%, which equates to tremendous savings in SOC resources, costs, and time. Indeed, the element of time is crucial to incident response; the faster an incident is addressed, the more likely it is to be neutralized. Or, put another way, the longer an incident can fester in the system, the more damage it will do.

“Rather than building on guesswork, where we have a perception of a problem in which we assume we get ‘X’ amounts of spam, commodity phishing, or targeted spear-phishing attacks, we use the Response platform and learn from our people’s reporting to us that for instance 20% of our phishing emails are commodity attacks, and 1% are targeted spear-phishing, and the rest are false negatives. This lets us strategically improve our controls. For instance, we can implement SPF, we can implement DKIM, we can implement DMARC. This sort of threat intelligence is very valuable.”