Culligan overhauls security awareness training and protects high-risk users with Dune Security

About Culligan

Culligan is a global water treatment and delivery services leader with over 15,000 employees and an annual revenue of $2.4 billion. Founded in 1936, the U.S.-based company operates in 90+ countries and serves over 150 million customers.

• Compared to traditional phishing tests, Dune's User Adaptive testing increased click rate and other failed attack simulations by 3X due to more accurate risk diagnosis.
• Dune’s seamless integrations with Proofpoint TRAP, and larger scale integration with Entra ID and SentinelOne, allowed for a consolidated user risk view for Culligan from activity across their SEG, IAM, and EDR solutions.

Challenge

Legacy security training was time-consuming, costly, and ineffective

As part of an ambitious expansion strategy, Culligan completes over 150 mergers and acquisitions each year — creating a near-constant influx of new users, roles, and potential risks. To continue operating and growing at this scale, timely and effective Security Awareness Training (SAT) is essential.

However, their legacy SAT vendor created more setbacks than solutions. “Everyone received the same training – whether they needed it or not,” says Amir Niaz, Culligan’s VP & CISO. With no regard for specific roles, behaviors, or risk levels, “employees who followed the rules were still getting retrained on the same topics. They felt punished for doing the right thing.”

Newly onboarded employees also waited up to 6 months before receiving training, leaving the company virtually unprotected against expensive – and preventable – security issues. “We had new employees transferring funds to fraudulent accounts – sometimes before they even received training,” says Amir. “We couldn’t afford to wait 6 months to assess risk.”

But it wasn’t just new hires who felt the effects. With thousands of employees across 90+ countries, Culligan needed to effectively track training completion rates, certifications, and deadlines to ensure compliance with regulatory requirements like GDPR and PCI DSS.

To further complicate matters, Culligan’s legacy SAT vendor’s limited dashboards added hours of manual work to reporting. Sorting CSVs manually and distributing reports to managers required a full-time employee's time and effort. This antiquated process not only introduced room for error, but it also consistently revealed that the company hadn’t reduced risk after a campaign.

Amir attempted to work with their existing security awareness training provider to find a solution, but after months of back-and-forth, “the answer was always the same: Take it or leave it.” That’s when he began looking for a modern solution with:

• User Adaptive training to drive real behavior change
• Faster onboarding to protect newly acquired employees
• Better reporting and automation to lighten the team’s workload

That search led them to Dune Security.

/quote-1

Solution

User adaptive risk management that dramatically reduces risk, saves time, and lowers security costs

Culligan partnered with Dune to overhaul their approach to security training. In just 12 weeks, the company rolled out a new role-based, behavior-driven solution, complete with tailored training paths — a night-and-day transformation from their former one-size-fits-all system.

By integrating Dune with Microsoft Entra ID, Culligan automated user provisioning and account setup across Culligan’s systems. New employees are immediately enrolled in tailored modules based on specific risk scenarios, streamlining onboarding and reducing the risk of breaches. 

The identity data pulled in from Entra enabled a baseline understanding of the employee’s Business Impact, which enabled much better baseline risk assessment and specificity of testing and training from day one. Current employees receive role-based training, equipping them to handle threats they are most likely to encounter:

• PCI teams receive compliance modules, ensuring sensitive payment data is handled securely and in alignment with PCI DSS and other relevant regulatory frameworks.
• AI developers receive training on emerging risks like prompt injection and chatbot manipulation, safeguarding critical business operations
• High-risk users with access to financial systems receive frequent phishing simulations — if a user falls for an attempt, access is automatically revoked until they complete retraining, minimizing potential financial losses

{{cta}}

Dune’s flexible reporting tools also reduce manual work for Amir and his team, giving each business unit the autonomy to monitor and manage its own risk proactively – like tracking users and results by region or country to ensure they meet critical legal and compliance regulations.

With customizable dashboards, Culligan’s global security team now has real-time visibility into compliance tracking, with key metrics like user risk scores, upcoming deadlines, and overdue training. Automated alerts notify managers about training updates and compliance gaps, even escalating critical updates to the CIO.

After making the switch to Dune, security awareness is now a part of Culligan’s daily routine. The gamified risk scoring has an unexpected benefit: a high level of user engagement. Amir says employees compare risk scores, competing to see who can stay in the safe zone – turning a frustrating legacy training into bragging rights with their peers.

With Dune’s real-time risk mitigation, Culligan now takes a proactive approach to managing user risk and responding to threats – actively improving user behavior and protecting the business.

/quote-2

Results

Culligan decreased security training administration time by 80% while transforming employee behavior

With Dune, Culligan didn’t just modernize security awareness training – they fundamentally changed how they manage risk, time, and employee engagement across the organization. The result? A true, long-term partnership focused on measurable risk reduction and tangible ROI.

After their migration, Culligan saw an 80% decrease in time spent managing training logistics – while also reducing PCI DSS compliance training completion time to 15 minutes per individual per year, a reduction of time by 75%. Culligan also discovered key vulnerabilities to social engineering through Dune's advanced red team attack simulations, with initial data suggesting a 6% click rate of phishing emails and only a 1% reported phish rate.

In tandem, successful integrations with Proofpoint TRAP, and larger scale integration with Entra ID and SentinelOne are underway, allowing for a consolidated user risk view for Culligan’s team from activity across their SEG, IAM, and EDR solutions. Finally, average risk scores across the organization are beginning to settle at 50, and are expected to drop 25% over the next 3 months through Dune’s targeted training and improved security awareness communications.

Looking ahead, Culligan plans to add Dune’s risk assessments into pre-hire processes for critical roles and expand training to cover AI-related and chatbot-based threats.

/quote-3