Fostplus noticed a big decrease in phishing clicks only after a few months

"At Fost Plus, we have always been very aware of the online dangers," says Jeroen Van de Sande, IT Manager at Fost Plus. "We already spent quite a bit of time and energy on cyber awareness for our employees, but these were never structural campaigns.

"The effect of traditional campaigns therefore always evaporated over time. As a result, we occasionally noticed how some employees allowed themselves to be caught by phishing emails."

"A real security problem or data breach never resulted from this," says Van de Sande, "but we prefer to tackle potential risks rather than wait for one to really strike. With the corona crisis, we saw the volume of phishing emails increase so we couldn't wait any longer."

Phishing proved to be a difficult problem to assess at Fost Plus. The network administrators were aware of an increasing number of attacks, but the results of the first phishing simulation set up by Phished were unexpected: 49% of all employees who opened the mail were caught by the test. A surprise for Fost Plus, but in reality a common result for targeted baseline simulations by Phished.

A wake-up call? "We were indeed shocked by the result, although it is in line with other campaigns by Phished" says Van de Sande. "The campaigns are so cleverly designed that a maximum of people would just fall for it. This brought the realisation that such training would be useful within our organisation."

In the last broad phishing test, the phishing rate had already dropped to 11%, an acceptable decrease according to Van de Sande: "The fact that we are seeing such a large decrease after six months is satisfying - the training clearly has an impact. Our employees are now more aware of possible cyber risks."

There is also a reason why 11% of the employees still click on phishing links after 6 months: Fost Plus resolutely opts for a direct approach, presenting employees with the most difficult simulations, because hackers have no pity either. For example, we use simulations about 'updates regarding the corona measures'," Van de Sande explains.

"Moreover, our employees were not warned when we sent out our first simulation. We wanted to capitalise on the surprise effect," says Van de Sande. "We received a lot of reactions to this. A few days later, we sent out an e-mail explaining our collaboration with Phished, but we try not to pay too much attention to it. We want the next simulation to be a bit of a surprise as well so that we can gauge the response as truthfully as possible."

Although Fost Plus had never been the victim of a major leak or virus, the cyber-awareness of many employees was still insufficiently developed. With the help of regular, automated simulations, susceptibility to phishing was drastically reduced. Everyone in the organisation was almost immediately convinced of the usefulness of the training platform.

Cyber awareness is now much more prevalent within Fost Plus, resulting in better reflexes when a user comes face-to-face with phishing and other threats, and better use of the internal spam button - which in all respects means a more streamlined operation for the IT Service Desk.