Headquarter: Bergen, Norway
Offices: 33 in Western Norway
Sparebanken Vest is Norway’s third largest savings bank with more than 700 dedicated and talented employees. Since 1823, Sparebanken Vest has gained the confidence of customers in the western region of Norway. The bank has 33 branch offices in the counties of Vestland and Rogaland. Through Sparebanken Vest’s affiliated product companies, they can provide a complete range of financial services to all their retail and corporate customers. Sparebanken Vest is an independent financial group headquartered in Bergen with a central role in much of the value creation that takes place in Western Norway today.
Banks are among the top targets for hackers, who use phishing attacks to obtain sensitive information. Financial institutes use the most advanced technology to comply with the highest safety protocols, but the human risk element remains an emerging challenge for the industry. After all, 90% of security breaches start with a human error.
Before Hoxhunt, Sparebanken Vest had cybersecurity awareness training to meet compliance requirements, including materials like videos, monthly phishing emails, and tests. A staff that does not get frequent and adequate cybersecurity training can become a massive risk.
The security team had two challenges:
Sparebanken Vest’s security team decided to focus more on the human risk of cybersecurity and do more than awareness: the team’s ultimate goal was to ensure that all employees learn to identify and act on threats.
Sparebanken Vest’s information security team started to look for a solution that employees would want to engage with, and would also prepare them for real-life cyber threats. They wanted to focus more on practice than solely on awareness.
Besides improving engagement rates and reducing risk, finding a fully automated solution was necessary for the team. They understood that using a manual phishing tool would require a lot of manpower, as tailoring the phishing templates is too time-consuming.
Other requirements included that the solution would have a variety of attack types, themes, vectors in different languages, preferably with a lot of personalization and simulations adjusted to the level of each user.
The security team first heard about Hoxhunt through social media, and other companies within the industry also suggested Hoxhunt training to the team.
As the Hoxhunt cybersecurity engagement platform met the bank’s above-mentioned expectations, they started a pilot in August 2018. After the successful pilot, Sparebanken Vest decided to use Hoxhunt for the next three years to have a real impact on people’s learning and behavior and create a strong cybersecurity culture.
According to the bank, the implementation was quick and effortless. Within an hour, Hoxhunt was live in the bank’s Office 365 environment. Since day one, the Hoxhunt Customer Success team has also been helping Sparebanken Vest’s security team to communicate the importance of using Hoxhunt to the employees.
At the moment, the participation rate is improving, and the goal is to reach more than 80%. Employees have been doing great work recognizing and reporting the simulated threats that come from Hoxhunt. Sparebanken Vest thinks that it’s even beneficial when people fail the training because they fail in a safe environment and learn from their mistakes.
Hoxhunt provides a variety of themes and attack types in Sparebanken Vest's vectors and also supports many languages including the company's main working language, Norwegian. Based on the individual’s results, employees always get training that matches their current level.
Since using Hoxhunt, the security team noticed that people started to report actual phishing emails that slipped through their security filters. The team is also quarterly analyzing the results that they receive from the Hoxhunt Customer Success team.
Hoxhunt has been a real conversation starter within Sparebanken Vest. People are reaching out to the security team more frequently, and they talk about phishing and their Hoxhunt experience with each other and the security team.
Earlier, cybersecurity wasn’t a topic over the lunch break. Now, the training sparks thoughts and conversations. The security team felt like that as a result of using Hoxhunt, people want to support their department a lot more because they feel like they play a role in defending the company from threats.
For the future, the team wants to focus on further improving participation and reporting rates. They are also working on a program to reward participants and employees that achieve outstanding results during the training. They also plan to introduce Hoxhunt Minigames to improve people’s skills even further.
Hoxhunt Minigames are fun challenges to educate employees on a variety of topics related to security.