Headquarter: Espoo, Finland
Number of Employees: 13 000
Founded: 2013
Website: www.valmet.com
Valmet's security team promoting awareness against cyber threats did not teach users how to behave when they encounter suspicious emails.
Rolling out Hoxhunt to all employees and partners to train them to recognize and act on threats.
Valmet is a leading global developer and supplier of technologies, automation systems, and services for the pulp, paper, and energy industries. Valmet’s history goes back to over two hundred years as an industrial operator, but the company went through a demerger of the pulp, paper, and power businesses from Metso Group in 2013.
Besides the high quality of Valmet’s products and services, information security is a highly important selling point for the company. For Valmet, information security is a competitive advantage, as most manufacturing plants are particularly interested in ensuring that their businesses and processes run without the intervention of an attack. While keeping its customers’ information safe is a top priority, naturally, Valmet is also determined to protect its own assets from cyber threats.
The information security team has acknowledged that today most attacks do not aim to penetrate the company’s defenses through weak links in its technology. Instead, attackers target employees using various social engineering techniques. This is why Valmet wanted to empower its people with the right knowledge and skills to tackle risks that they might encounter both at the workplace and home whenever they’re online.
Before working with Hoxhunt, Valmet’s information security team was promoting cybersecurity awareness internally. The information security team created email campaigns, including recommendations and communication about possible threats, such as phishing attacks. Nevertheless, the approach lacked continuity. It did not happen frequently enough to have a real impact. Also, the security team could not measure whether people learn how to behave when they encounter something suspicious.
The team wanted to have training in place that would make a difference by equipping people with the necessary skills to recognize real-life threats such as phishing emails and social engineering techniques. The team realized that frequent training is the key to prevent people from clicking on dangerous links, attachments, or replying to suspicious emails.
Once they encountered the phishing training programs available on the market, they became interested in working with Hoxhunt. Other Finland-based companies have been using Hoxhunt’s security engagement platform for a while now, and they have seen outstanding results. The positive feedback from others made Valmet’s security team feel confident about discovering how Hoxhunt could impact their cybersecurity training.
For Valmet, the two most important elements of cybersecurity training were continuity and reporting.
The Valmet team understood that making a sustained change is not possible with only infrequent training and awareness communication emails. They wanted to use a solution that offers frequent training. Hoxhunt’s approach of numerous microtraining moments that do not disturb the employees’ workflow met the company’s requirement.
Besides its frequency, the Hoxhunt training is also individualized and tailored to the employee’s own level. The training simulates real-life attacks using common phishing, location-targeted phishing, or targeted co-worker phishing vectors. The simulations take no longer than half a minute to report through the Hoxhunt plugin.
The other requirement was reporting for two different reasons, one of which is the simplicity of reporting all suspicious emails and threats through the Hoxhunt plugin. Earlier, the need for people to call the service desk to report anything odd was inconvenient. Now, the team gets notified about incidents immediately; thus, they take action whenever it’s necessary.
Now, the information security team at Valmet also has invaluable data at their disposal regarding how people perform in training.
In addition to continuity and reporting, the security team appreciated the Hoxhunt security training’s gamified approach. The company’s HR department provided it with positive feedback early in the process.
Since its introduction, more than 9,000 Valmet employees have been enrolled in the Hoxhunt training. The company aims to onboard another 4,000 users shortly. Right from the start, Valmet decided to include all employees, subcontractors, and partners. They wanted to ensure that all stakeholders have the opportunity to learn the essentials about cybersecurity and how to act when one encounters threats. From the beginning, the Hoxhunt Customer Success team has been supporting Valmet’s security team to ensure that they get the best possible results from the training.
Out of the 9,000 participants, 60.9% are active users. Nevertheless, in the future, the security team aims to increase participation even further with the help of the Hoxhunt Customer Success team. The fail rate has been 3.7%, and though it has been decreasing steadily, the company is working with Hoxhunt to reduce it to 2%.
Using Hoxhunt reduced the failure rate among employees to 3.7% by the end of December 2019.
The team has been reporting the results quarterly to the information security management, risk management, legal, HR, and IT management teams as well as to internal auditors.
The training has received positive feedback from the employees. Many have enjoyed the positive approach of the Hoxhunt game, and they want to participate and achieve great results. The results show that the employees have been learning to recognize threats. Earlier, when the information security team was creating awareness campaigns, they did not have the tools to measure whether employees were learning or not.
Currently, Valmet and Hoxhunt have set mutual goals for the future, such as onboarding the rest of the employees, improving the percentage of actively engaged users, improving communication (which is a crucial element in activating users), improving the failure and success rates, and working on a rewarding program.