Case Study

Jurlique

At a Glance

Reduced Phish-prone™ Percentage from 12% in Australia and 7% in Hong Kong to less than 4.1% across all geographies

80–100 Phish Alert Button reports per simulated phishing test

Faster investigation and removal of real (not simulated) phishing emails

Trainings delivered in native languages, resulting in greater participation and comprehension

Jurlique Builds a People-First Security Culture with KnowBe4

Founded in South Australia in 1985, Jurlique is a natural skincare pioneer known for its biodynamic farm in the Adelaide Hills and a global presence that spans Australia, Hong Kong, China and distributor networks across Europe and other regions.

With a global footprint and a lean IT organization, Jurlique wanted a security awareness training (SAT) program that would both educate employees and meaningfully lower phishing risk without bogging people down.

“We’re a team of three covering IT infrastructure and cybersecurity across the world,” says Khai Sufandi, Infrastructure and Cybersecurity Manager at Jurlique. “Automation and ease of use really matter to us.”

Industry

Beauty & Skincare (Global Retail/Manufacturing)

Location

Australia

Challenge

Deploy a security awareness training program to meet assessment and insurance expectations while reducing human risk with a small IT team

Sufandi sought a security awareness training product not because the company had an incident, but because he wanted to prevent one. Annual internal and external security assessments, and increasingly rigorous cyber insurance questionnaires, made it clear that Jurlique needed formal SAT and simulated phishing.

“We didn’t have awareness training or testing campaigns before,” Sufandi says. “Assessments kept asking the same questions, which continued to point to the lack of training employees, so we needed to fill that gap.”

Choosing the Right Partner

Jurlique compared multiple vendors before selecting KnowBe4 Security Awareness Training, with usability, automation and management, and localization marked as priorities.

“Language support was key because we have staff in China, and we needed content translated or dubbed in Mandarin,” Sufandi says.

Jurlique ran a proof of concept and found that KnowBe4 had the right combination of simple but effective training, powerful automation and strong language support.

“KnowBe4 clearly met the ‘must have’ list of tools and features that we were looking for,” Sufandi says.

Securing C-suite approval and support was quick, and Sufandi then presented the human risk rationale to the board. “Users are the last line of defense. There’s no such thing as 100% foolproof technical control, so we needed KnowBe4 to help us build up user training to complement what we already have,” Sufandi says.


Program Design: Train Yearly, Test Regularly

Jurlique began with a regional rollout and a baseline phishing test to get a sense of the organization’s Phish-prone™ Percentage (PPP), the number of test recipients who click on a simulated phish.

The results of the first simulated phishing test showed room for improvement. Jurlique employees in Australia had a 12% PPP, while the Hong Kong location had a 7% PPP.

The team initially tried quarterly SAT to improve its metrics, but saw predictable end-of-cycle cramming and training fatigue. Sufandi and his team pivoted, and today employees complete roughly 10–11 training modules annually, on their own schedule, while simulated phishing tests are deployed twice a month to keep skills sharp throughout the year.

“Even if people fail a test, KnowBe4’s immediate feedback with red-flag indicators and guidance on what they might have looked for turns it into a mini-lesson,” Sufandi says. “It almost gamifies it.”


Measurable Risk Reduction

After three years on the platform, Jurlique’s PPP is an excellent 4.1% across the organization.

“Our global PPP is under the 4.4% KnowBe4 retail benchmark for programs of a similar age,” Sufandi says. “Because of KnowBe4, we rank better than most of our peers, giving us the opportunity to look for new ways to improve.”


Part of that continual improvement is Jurlique’s use of the Phish Alert Button (PAB) to accelerate response and analysis. The PAB gives employees a simple way to forward suspicious emails to Sufandi’s team by simply clicking a button in their email client.

Every time Jurlique pushes out a simulated phishing test, Sufandi and his team see 80–100 reports from employees. The company has even seen employees report legitimate, not simulated, phishing emails through the PAB.

“The Phish Alert Button has been a great efficiency gain for our team because it deletes the message from inboxes and packages the original email so we can investigate faster. It makes the process easier, quicker, more efficient,” Sufandi says.

Security-Minded Culture, Not Just Compliance

For Jurlique, SAT is part of a defense-in-depth cyber program and a pragmatic way to build a security-minded culture across a diverse, multilingual workforce.

“KnowBe4’s training is clear and not overly technical, which helps non-technical users,” Sufandi says. “People tell us they use what they learn at work and at home.”
