Written by Wouter Avondstondt

How to move from phishing tests to a security culture

Why we partner with Hoxhunt for Security Culture creation

We believe that phishing tests are a great way to prove a point, but a bad way to create lasting security awareness or even better: a security culture. To have an impact on our user base when it comes to security maturity, a long-term program is needed. Such a program has to be based on a content platform that stimulates users to interact and to learn. Gamification is key to make this fun. Toreon has partnered with Hoxhunt to provide our clients with exactly such an experience.

We believe that in order to increase the security maturity of our organizations, we have to embrace a certain ‘commoditization’ of security. With this I mean, that we look for tools to take some of the security efforts away from us, to automate those efforts. A great example of this is the use of security tools in cloud environments such as Microsoft 365. Common tools allow us to quickly implement security controls and not reinvent the wheel for every client.

Revisit our seminar

On June 10, Toreon gave an online seminar together with Hoxhunt and Lineas on the importance of a security culture in an organization. If you missed this seminar or would like to take another look at the slides, please contact us and we will send them your way.

When it comes to phishing tests, we have noticed the following: a client asking our tech team for a phishing test, wants one of these two things.

First, they may want to test their security defence. The phishing test is part of a larger Red Team approach. It serves to find at least one hole in the defences to exploit. From there, the Red Teaming activity continues.
Second, clients want to do a phishing test to increase awareness with their users. This is where we think there is a problem.

A classic phishing test is a one-off. It shows that either your people do well or they do badly. People that clicked the phishing link are then warned and hopefully educated to do better.

In our view, this process doesn’t work. People are not motivated by negative stimuli. Especially in a professional setting, it damages the ego to be reprimanded for a quick click on a link.

That’s why we like the positive gamified approach of Hoxhunt’s platform.

Users are onboarded and challenged to ‘find the phishing mails’ and identify them to the platform. Efforts are rewarded and lead to short lessons about how to recognize phishing attempts. A user is taken on a longer ride of security culture improvement, being served phishing attempts with increasing sophistication and getting better at identifying them.

This works!

In the end, everyone becomes the security champion of their own mailbox, browser and general endpoint environment. That personal engagement and responsibility combined with increased expertise in every user… is security culture.