Their highly valuable data made VertiGIS a target for social engineering attacks, and old-school awareness programs were ineffectual at providing lasting behavior change and lowering risk.
The Hoxhunt security behavior change program united IT and HR to connect more effectively with employees for measurable results.
Cybersecurity is a technical problem that demands human solutions. But HR, business, and information security have traditionally operated from their own bunkers rather than working together. By making security training a joint effort between HR and IT, VertiGIS built bridges between the security team and adjacent business units, putting people first in an innovative approach to cybersecurity behavior change.
The ball got rolling when, after an internal audit revealed a particular geographical area was falling behind in cybersecurity performance, Christoph Ihnenfeld (VP of Global IT and Security) and Frank Bröse (VP of Global HR and Talent, with an emphasis on GDPR) decided to overhaul their cybersecurity awareness strategy.
“Hoxhunt touches both IT and HR: IT for the intelligence from the simulations. HR because it touches every employee. The selection of Hoxhunt was a decision we came to together.” — Christoph Ihnenfeld, VP of Global IT and Security
HR understands people and knows how to execute training programs and corporate communication campaigns. IT knows technology, and security knows how to fit the whole system together for resilience. Why not work together to solve a challenge facing everyone?
They looked beyond one-off compliance solutions to adopt a cybersecurity awareness platform driven by engagement for measurable behavior change. After considering multiple options, they selected Hoxhunt because it was the most modern, the most intuitive, and the most likely to harden the human layer against cybersecurity attack.
Traditional training approaches were tried and discarded because they were ultimately ineffectual at creating lasting behavior change. The tests and videos that drove the old-school approach never moved the needle, Frank explained.
“We realized that Hoxhunt’s competitors were rather old-school in their approach. The danger with the other guys is that you do a training and three hours later you are back at your normal work and you forget what you learned… Plus they only really worked in English and, on top of that, they were expensive.” — Frank Bröse, VP of Global HR and Talent, with an emphasis on GDPR
Non-localized, limited in functionality, easily forgettable, and a high price tag? That certainly did not align with the culture of VertiGIS.
Hoxhunt’s automated approach to lowering cybersecurity risk, in contrast, was modern, easy to use, and kept employees engaged in training throughout the year with high-quality content that adapted to their individual skill levels.
An added benefit to the behavior change training model of Hoxhunt is that employees take the knowledge home with them. They do not switch off newly acquired security habits when they get on their private email account. In that way, cybersecurity training contains similar elements to HR-driven wellness programs that boost worker health and productivity.
This kind of mindset helps build a security culture amongst the workforce. “A yearly training is simply not enough,” Christoph said, adding that he thoroughly enjoys how hard — and therefore how effective — Hoxhunt’s phishing simulations can be.
“I really like the intelligence behind your trainings. I am ranking in the middle of the Hoxhunt leaderboards, which as a CISO is a shame! But the simulations are so good that even I click on the wrong things sometimes. This is really outstanding.” — Christoph Ihnenfeld
“The most recent one to go around was one that simulated auditors. It was really tricky, very well executed, and I had three separate people contacting me about whether we actually have new auditors. The variety of these simulations is what makes Hoxhunt different. I’ve found that colleagues sit at their desk and talk with their neighbours about how good the Hoxhunt method is.” — Frank Bröse
Perhaps two decades ago, HR began securing executive buy-in for wellness and development programs because they demonstrated long-term boosts to employee productivity. This followed the tradition of occupational health and safety departments protecting workers on-site and off-site to promote productivity and avoid shutdowns and liability. This history lesson contains important parallels to the relatively new field of cybersecurity awareness and behavior change training, and the opportunity to make it a joint HR / IT function as VertiGIS has done.
Phishing awareness and digital hygiene are more than organizational problems. They affect individuals at work and at home. Educating employees on phishing protects them while ultimately strengthening organizational defenses. Therefore, the evolution of organizational health, safety and wellness as an HR priority is a glimpse into the future of cybersecurity as a pillar of holistic wellness in the digital age.
We spend a third of our lives asleep or on the toilet. The rest of it is online, connected to a device, and at work. Threat actors pose a consistently clear and present danger to people every time they enter the digital universe. And yet most remain unequipped to properly respond to a phishing attack at home or at the office.
There’s a strong chance that you’ve interacted with VertiGIS and not known about it. They’re one of the premier field data collection software companies in the world, and they’re a big part of how the items you know and love get to you. Their software can analyze, manage, and even visualize the processes it takes for items — be it critical industries like gas and electricity or the raw materials needed to make your favorite pair of basketball shoes — to get from point A to point B. Since their inception in 2017, the company has grown to over 630 employees spread out over 6 countries. With 1,600 customers worldwide, their software is what runs an integral part of the global supply chain. But because of all the important, sensitive, logistical data they accumulate, they’re also targets for hackers and malicious actors.