Bird & Bird is an international law firm headquartered in London with origins dating back to 1846. They currently have 31 law offices in 20 countries, and around 3300 Partners and staff.
Law firms' major clients, particularly in the financial sector, increasingly scrutinize a firm's cyber-risk posture as a condition of doing business with it. These law firms are entrusted with the crown jewels of their clients' data, which makes them heavily targeted by threat actors.
Achieving a 14-fold increase in real threat detection within a few months of implementing Hoxhunt, the security team had objective proof that the human risk management platform had transformed organizational cyber behavior and improved their risk posture—all while drawing glowing praise from the highest levels and farthest reaches of the global workforce.
Human risk comes down to people, so the security team at Bird & Bird decided to re-start their behavior change program with a people-first approach. They were less focused on KPIs than on the glowing reception of Hoxhunt by everyone at their world-class law firm, headquartered in London. In their experience, such praise was unprecedented for an infosec program.
“For us, the biggest surprise and best statistic about Hoxhunt is that people love it. Usually when you roll out an infosec solution, especially a security training program, you kind of brace yourself for this barrage of criticism from people saying, ‘Oh, I hate this!’ So the fact that we rolled out Hoxhunt one and a half years ago and it's still being used so much is a great outcome. For us, the fact that people still say, “I love Hoxhunt phishing simulations!” is the best statistic of all.” — Martyn Styles, Head of Information Security
“I get emails from people going on maternity leave because they like Hoxhunt so much that they don’t want to lose their stars and they’re worried about their rankings on the leaderboards.” – Dan Fleming, Information Security Specialist
Early on, during bi-weekly security briefings with the firm’s CTO, Hoxhunt’s results were analyzed in detail to track employee feedback and their measurable behavioral improvements. But those discussions are much shorter now, with the program’s established success.
“You know, in the early days we were talking about Hoxhunt a lot, but now it’s just ‘business as usual’, because it works so well.” — Martyn Styles
Bird & Bird’s lack of reliance on Hoxhunt’s human risk metrics is ironic, given how exemplary they are. When they compare their rates of reporting, engagement, and failure with their peers on other Infosec teams in the legal industry, the Infosec team said that Bird & Bird’s results often sit at the head of the class.
Notably, Bird & Bird’s Infosec team weren’t concerned with the failure rate in isolation. They understood that failure rate is a flawed and incomplete measurement of human risk without the context of engagement and simulation content quality.
Still, many companies and SAT tools measure their success solely by failure rate. This focus on failure is doomed to failure. The SAT tool triggers punishment-based, contextual training only on failed simulations, which torpedoes engagement and reduces learning opportunities without nurturing behavior change.
Bird & Bird sought long-term, active engagement. They chose Hoxhunt partially because it was designed for engagement as a means to behavior change. Hoxhunt rewards good clicks and coaches away the bad with micro-trainings delivered along individualized learning paths. AI-native automation does all the heavy lifting by sending out, and analyzing the results of, 36 simulations per year, as opposed to manually operating a training content library and sending one per quarter.
“The metric we look at most is the Hoxhunt phishing simulation ‘miss rate’ because we want people to always be actively reporting anything that looks suspicious.” — Martyn Styles, Head of Information Security
Bird & Bird’s people-first, behavioral approach fuels their successful human risk management program. Measurable behavior change and risk reduction happened quickly, but only after inspiring and transforming their 3,300+ attorneys and employees into active threat reporters.
Here’s the thing about behavior change: once it kicks into gear, there’s a deluge of threat reports for the security team to analyze. That’s fine with Bird & Bird. The ideal outcome of a phishing attack is a threat report because it:
“We were getting around 60 potentially malicious emails reported to us a month, but since using Hoxhunt, we receive around 900 email reports per month. That surge shows us that people are paying attention to message content: If in doubt, click on the Hoxhunt button and then we'll check it out.” – Dan Fleming, Information Security Specialist
Not every threat report detects a malicious email. Spam and legitimate emails can seem ‘phishy’, too. But to de-clutter the threat feed and prevent workflow disruptions, Bird & Bird utilizes the Hoxhunt Feedback Rules feature, which white-lists legitimate mass emails from, say, IT asking people to register their mobile device or marketing emails sent from a legitimate source.
“Feedback rules are important because we encourage people to report suspicious emails and we don’t want to penalize them for being suspicious.” – Dan Fleming, Information Security Specialist
The legal industry faces unusual security challenges. For one, a medium-to-large firm like Bird & Bird can have around 150 Partners, while the largest firms can have over 500, each of whom represents a massively attractive target for threat actors. Compromising a law firm Partner’s account could give access to a trove of crown jewels from clients, whether in the financial industry or beyond. As such, the legal industry sees a disproportionate number of sophisticated, highly targeted phishing attacks alongside the mass phishing email campaigns.
“Partners are all owners of the firm, which means we’re effectively working with 150 CEOs. They're obviously very busy, and if an e-mail comes in that looks as if it's from a client, or from someone who’s interested in having some legal work done for them, they’re likely to click on it because they often don't have time to analyse the content.” – Martyn Styles, Head of Information Security
Cybersecurity has become a matter of business necessity in the legal industry. Scrutiny of law firm risk posture has continuously increased since 2015, when the FBI warned large financial institutions to be wary of getting back-doored by hackers via the law firms with whom they share much of their most sensitive data.
“We see a lot of highly targeted spear-phishing attacks. So what we have to do is try and slow them down and think about it. And that's exactly what we do with Hoxhunt because it's a continuous training program. People are being educated frequently, two or three times a month, in short micro-trainings, rather than a tedious one-hour infosec training package each year that everyone hates.” – Martyn Styles, Head of Information Security