WAGO’s security awareness campaign reached 30 countries and even the kids at home
Inside WAGO and SoSafe’s cybersecurity awareness campaign that is global in scale yet personal in reach.
Behavior Score:
From 65 to 91 (out of 100)
WAGO is a family-owned company founded in 1951 in Minden, Germany, after two brothers-in-law bought a patent they discovered while playing cards. Since then, it has grown into a global name in electrical interconnections, automation, and interface electronics—with 9,000 employees in 80 countries.
David Kreft, WAGO’s CISO, leads information security, data protection, and business continuity. David and his team integrated security awareness into daily routines across 30 countries and 21 languages—even extending it to employees’ families.
At HuFiCon 2022, David shared how WAGO built a campaign that reached deeply across teams and time zones, while staying human at its core. This is a story of how awareness works best when it’s both top-down and bottom-up—and when it starts with people.
Inside WAGO’s inboxes
Email is still the most common way threats reach employees—and David knows that fighting back takes more than filters and firewalls. It means understanding how people actually behave when those threats land in their inbox.
David explained that 11 out of the 15 top cyber threats involve email—referencing the INESA threat landscape. “Email is directly delivered to the table of your employees,” he said, “and they need only one click to get some malware, to lose their credentials…”
To show the scale of the challenge, he walked us through WAGO’s monthly email threat report. His team filters out 80% of incoming emails using IP reputation, content analysis, attachments, and URLs. Known threats rarely make it through. But the real concern? Over 11,000 emails carried unknown risks via malicious links or attachments.
David made it clear: “It’s unrealistic to expect users to know what’s behind a link.”
Phishing remains the most common attack method, responsible for 60% of incidents. Half of those involve a URL. David posed the question: “And why is URL a problem?” He explained: “…often the criminals add malicious content to the URL after delivery. You get the email, click the link—nothing. One day later—bang.”
He shared a striking example: an employee clicked the same malicious email 11 times. “What’s going on in your brain if you try 11 times to get the same content?” he asked. Attackers use this behaviour to simulate a full customer journey—and refine their tactics.
That’s why his team reaches out directly to users when something like this happens. “This is a moment when you need to talk to your people, understand what happened, and learn from them.”
Data from WAGO’s 20 most-targeted email inboxes showed that the most attacked inbox received 20,000 emails in a single month—many of them threats. Shared or group inboxes posed even higher risks.
To manage that risk, WAGO isolates these inboxes. Sandboxing allows suspicious links to open in a secure, isolated environment—so if something triggers, it stays contained. But, as David noted, some attackers delay activation, updating the link after delivery. In those cases, even a sandbox might not catch it in time. That’s why David and his team knew awareness had to be part of the solution—starting with the people behind the clicks.
10,000m, 5,000m, and 1,000m racecourse
David Kreft compared WAGO’s Information Security framework to race tracks—10K, 5K, and 1K meters. “This structure is very important for us to handle worldwide—otherwise, you have no chance,” he said.
At the strategic level, the framework defines WAGO’s overall objectives and responsibilities for information security.
At the tactical level, it outlines company-wide guidelines tailored to specific teams. Within this level sits WAGO’s approach to Information Security Awareness. “There we describe how we fulfill awareness inside WAGO—what kind of KPIs we need, what the process for awareness looks like, and so on,” he said.
At the operational level, these guidelines are put into practice every day.
In 2019, WAGO laid the groundwork for a long-term awareness campaign. The team mapped different types of learning—such as e-learning—against levels of commitment to security. They also aligned communication formats—such as newsletters or incident-based responses—with stages of employee development, knowing that the right type of message depends on where someone is in their awareness journey.
Their roadmap brought together both security communication and security learning. Through a balanced mix of messages, channels, and formats, WAGO encouraged employees to make security part of their daily lives.
As part of the communication strategy—specifically Phase 1 of the awareness campaign—they created a target-group-specific communications plan. It started with management and cascaded down through the organisation, clearly outlining the where, why, and how of the awareness strategy.
David reflected on the experience: “We make our own movie, we have our own brain.” But they quickly realised, “The problem from this campaign was—it’s very time-consuming and expensive.”
With the foundation in place, WAGO looked for a partner who could turn this roadmap into real-world impact. The partner of choice: SoSafe.
From planning to practice with SoSafe
Once WAGO had secured alignment from stakeholders, they launched their first phishing test campaign with SoSafe—a two-week simulation designed to assess initial awareness.
“We normally use 10 phishing templates in the local language and 10 in English,” said David.
With SoSafe’s support, WAGO moved beyond basic simulations. The solution delivered continuously updated phishing templates and e-learning lessons, covering emerging topics like ChatGPT risks and newly identified threats. The behaviour-based simulations adapt to each employee’s cybersecurity maturity, making phishing training more relevant and effective.
David tracked click rates by cost centre, business unit, and region, along with overdue e-learnings. The team’s efforts paid off: phishing click rates dropped, and WAGO’s Behavior Score rose from 65 to 91, reflecting stronger risk awareness.
A year later, WAGO scaled the programme to 30 countries, 21 languages, and 6,000 users. They rolled it out in two phases, starting with production plants and nine subsidiaries, followed by the rest. David emphasized the importance of carefully coordinating phishing template selection, as it can be a sensitive issue across different regions.
WAGO’s reason for choosing SoSafe came down to more than features. As David put it, “We chose SoSafe for their evolving cybersecurity solutions, which perfectly addressed our workforce’s diverse needs, making SoSafe more of a partner than a vendor.”
David’s team introduced the idea of extending cybersecurity training beyond employees to include their families and friends. “We have the private world and the business world, and we have to connect both. Otherwise, it doesn’t work,” he said. To bridge that gap, WAGO organized sessions for parents and children. “We explain white hacking, black hacking, the gray area—maybe they (the kids) even see a career path on the white side,” said David.WAGO’s experience highlights how targeted awareness, combined with SoSafe’s behaviour-driven Phishing Simulations and Personalized E-learning, measurably reduces cyber risk. By integrating SoSafe’s solution, WAGO transformed employee behaviour worldwide—proving that security starts with people.
Scale your security
culture with ease
Reports 
Guides 
Blog 
Glossary 
Perks 
Customer stories 
Webinars 
CISO Help Hotline 
Replays 
Podcast 
All events 
Human Firewall Conference 
Danger Lab 
Phishing game 
Test your cyber resilience 
Why SoSafe 
Careers 
Product news 
News & press 
Contact 
Security & trust 