Accell Group makes and sells bicycles and bicycle parts and accessories. They are the European market leader in e-bikes and second largest in bicycle parts and accessories. Well-known bicycle brands in their portfolio include Haibike, Winora, Ghost, Batavus, Koga, Lapierre, Raleigh, Sparta, Babboe and Carqon. XLC is their brand for bicycle parts and accessories.
Industry: Bicycle manufacturing
Headquarters: Netherlands, with locations across Europe
# Employees: 3500
Accell Group desired a dynamic phishing training solution that could automatically keep up with a threat landscape that had rapidly evolved beyond traditional awareness programs’ capacity to contain.
Hoxhunt has helped boost security culture and has delivered excellent security awareness results to Accell Group for over three years, with steadily improving phishing training engagement rates and declining phishing simulation failure rates.
“The product matches my life philosophy which is that people learn from stimulating, positive behavior.”
“I’m really fond of the positive attitude and experience that Hoxhunt gives you when you click on a phishing simulation.It’s not like the screen goes flashing red and alarms go off with some scary text that says: YOUR FAULT, ERROR, YOUR CONTRACT IS TERMINATED! Instead it gives you a quick awareness moment and moves on.”
“I get a lot of positive feedback from management and from employees who really like the program.”
--Fabian De Wit, Senior Security Officer and Hoxhunt Project Leader, Accell Group
Sudden steep elevation in the threat landscape
In the two years leading up to 2017, Fabian De Wit, Senior Security Officer of Accell Group, grew increasingly worried about how quickly phishing attacks were evolving. He’d long understood email-originated breaches were the biggest security risk for companies, and he wanted to level-up awareness at Accell group to match the growing threat. The first solution his security team tried was an expensive, one-off consultancy program. It included a physical penetration test, a social engineering phone, or “vishing” attack and a phishing simulation campaign. The failure rate came back at 58%. This set off some alarm bells.
“It was a wakeup call for all of us, including management,” said Fabian. “I was pointed towards Hoxhunt, and I saw that it was exactly what I needed: it was automated, and it used artificial intelligence to get real phishing emails into the phishing training. It was the right tool at the right time.”
Positive philosophy
Accell Group wanted to change employee email behavior and elevate security culture. The ideal training solution would invite voluntary participation by providing a positive experience along with plenty of practice recognizing and reporting phishing attacks. Cybersecurity didn’t need to be as awful an experience in training as it was a frightening danger in real life.
“The product matches my life philosophy, which is that people learn best from stimulating, positive behavior,” said Fabian. “Yes people learn from their mistakes, but they don’t really learn just from being told how many things they’ve done wrong and being punished for a high fail rate.”
Rewarding good behavior is in Hoxhunt’s product DNA. Traditional security programs focus on failure-based contextural training; the user only receives training after falling for a simulated phishing link. It’s pure negative reinforcement. Hoxhunt, however, congratulates employees for reporting phishing emails, and provides a supportive micro-training experience after a failure.
“I’m really fond of the positive attitude and experience that hoxhunt gives you when you click on a phishing simulation. It’s not like the screen goes flashing red with alarms going off and a scary text that says, YOUR FAULT, ERROR, YOUR CONTRACT IS TERMINATED! Instead it gives you a quick lesson in a nice and positive way and moves on.”
Fabian also found that the automated and personalized nature of Hoxhunt was a distinct advantage. Being able to send more high-quality phishing simulations with less effort and fewer resources was the differentiating factor.
“Hoxhunt is low-maintenance. Maintaining other platforms was cumbersome for a small security team because of all the customization required, from setting up the different phishing-email campaigns to keeping track of the results. Hoxhunt does the heavy lifting for you.”
Good leadership, good culture
Fabian took a strong lead in making sure the Hoxhunt security training program got on track.
“You need someone in the company who is really focused on making awareness with Hoxhunt a success. You need to have an advocate. You cannot buy Hoxhunt and import your employee list and click on the button and go. You have to really go up and sell it.”
First, he made sure the key stakeholders were on board:
Managing with the metrics that matter
Fabian is an innovative security thinker. He understands how to focus on the metrics that matter: participation rates, real reported threat rates, and phishing simulation failure rates. He communicates progress on those metrics across the organization.
He is particularly proud of his company’s high participation rate of around 70%, when the program was completely voluntary. The more people engage, the less they fail and the more they succeed in phishing simulation reporting. In other words, practice makes perfect in terms of lowering risk. Given the importance of the program, Hoxhunt training is mandatory for every employee with an email-address.
Are they perfect yet? No. But as a world-class bicycle company understands, it’s important to embrace the journey.
“There’s a road to travel but we are half way up the mountain. We can look up and see a way to go but we can also look back and see how far we’ve come.”