Case study

Reform and transform: How Qualcomm used targeted security awareness training to reform their riskiest employees and transform their security culture

About

Qualcomm is enabling a world where everyone and everything can be intelligently connected. Globally, customers interact with products and technologies made possible by Qualcomm every day, from 5G-enabled smartphones to smarter vehicles and cities and factories. Qualcomm 5G and AI innovations are the power behind the connected intelligent innovations that deliver significant value across multiple industries and to billions of people every day.

  • Headquarters: San Diego, CA, USA
  • Employees: 50,000
  • Industry: Telecom
Challenge

Recognizing that 4% of users are responsible for 80% of phishing incidents, Qualcomm wanted to reform their riskiest employees with targeted, gamified security awareness training.

Solution

Qualcomm’s CSO50 Award-winning "Worst-to-First Employee Phishing Performance" initiative transformed their 1,000 highest-risk employees into model cyber citizens via enrollment into Hoxhunt. Their success led to an org-wide rollout to 48,000 employees, measurably reducing human risk by orders of magnitude.

Key takeaways:
  • Qualcomm identified their 1,000 riskiest employees and enrolled them into Hoxhunt
  • Within months, the "Risky 1K" showed results superior to the rest of the 50K organization
  • The success of this experiment won support for a general rollout of Hoxhunt
  • The experiment and general rollout's cultural transformation--including a 6X improvement in measurable resilience--won a CSO50 Award

Why target the most vulnerable users with adaptive phishing training?

Research has shown that four out of five cyber events are caused by just 4% of employees. Qualcomm knew that if they could find and reach that subset of repeat offenders with targeted security awareness training--and build cyber habits that correct their risky behaviors--then they could transform their risk posture.

Qualcomm enrolled their riskiest 1,000 employees into Hoxhunt training for an experimental trial. The Risky 1K's results would be compared against the rest of the company's in periodic benchmark phishing tests.

Cyentia research found that most security incidents are caused by a subset of “repeat offenders” who are especially prone to clicking on phishing links. Rather than giving up on the repeat clickers and putting them into phishing prison, Qualcomm empowered them with a gamified, reward-based Hoxhunt program.

Data security is a differentiating business factor in their B2C and B2B business lines. Breaches can inconvenience and imperil customers while impacting long-term business costs associated with e.g. remediation, brand damage, share price, regulatory and legal fees, and customer retention and acquisition.

Human cyber-risk is growing by the day in the age of blackhat AI as more and more phishing attacks of increasing sophistication are bypassing filters more frequently. Qualcomm wanted to bolster their human firewall at its weakest points with targeted security awareness and phishing training. They sought to measure and manage their riskiest employees without compromising business operations or negatively impacting culture.

How did Qualcomm start transforming their culture?

1,000 employees were selected from the ~50,000 population to participate in Hoxhunt training. Selected employees were considered at the highest risk of falling victim to social engineering: they had failed 3 or more of the previous 6 phishing exercises and worked in roles that were frequently targeted with phishing attacks, such as accounts payable, sales/marketing, or executive support.

Before enrollment, the Risky 1K's phishing simulation failure rate was between 30-50%, and their reporting rate in the benchmark phishing tests was negligible.
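The selection rule above (3 or more failures in the last 6 exercises, in a targeted role) and the benchmark comparison of the cohort against the rest of the company can be expressed as a small metrics script. This is an added example, not Qualcomm's or Hoxhunt's code; the records, user names, role names and the split of "sales/marketing" into two role labels are constructed assumptions.

```python
from collections import defaultdict

# Roles the case study names as frequently targeted (assumption: "sales/marketing" split in two).
TARGETED_ROLES = {"accounts payable", "sales", "marketing", "executive support"}

# Constructed sample data: one record per (user, role, simulation number, outcome).
# Outcomes: "failed" = clicked the simulated lure, "reported" = reported it, "ignored".
SAMPLE_RESULTS = (
    [("alice", "accounts payable", n, o) for n, o in enumerate(
        ["failed", "failed", "ignored", "failed", "failed", "ignored"], 1)]
    + [("bob", "engineering", n, o) for n, o in enumerate(
        ["failed", "failed", "failed", "ignored", "failed", "ignored"], 1)]
    + [("carol", "sales", n, o) for n, o in enumerate(
        ["reported", "ignored", "reported", "reported", "ignored", "reported"], 1)]
    + [("dave", "executive support", n, o) for n, o in enumerate(
        ["failed", "failed", "reported", "failed", "ignored", "ignored"], 1)]
)

def per_user(results, last_n=6):
    """Map each user to (role, outcomes of their most recent last_n simulations)."""
    by_user, roles = defaultdict(list), {}
    for user, role, sim_no, outcome in sorted(results, key=lambda r: r[2]):
        by_user[user].append(outcome)
        roles[user] = role
    return {u: (roles[u], outs[-last_n:]) for u, outs in by_user.items()}

def select_risky_cohort(results, min_failures=3, last_n=6, roles=TARGETED_ROLES):
    """Users who failed >= min_failures of their last_n simulations AND sit in a targeted role."""
    return {u for u, (role, outs) in per_user(results, last_n).items()
            if outs.count("failed") >= min_failures and role in roles}

def benchmark_rates(results, cohort):
    """Failure and reporting rates (fractions) for the cohort versus everyone else."""
    tallies = {"cohort": [0, 0, 0], "rest": [0, 0, 0]}  # failed, reported, total
    for user, _, _, outcome in results:
        t = tallies["cohort" if user in cohort else "rest"]
        t[0] += outcome == "failed"
        t[1] += outcome == "reported"
        t[2] += 1
    return {k: (f / n, r / n) for k, (f, r, n) in tallies.items() if n}

def relative_failure(rates):
    """Cohort failure rate divided by the rest's: 2.0 means twice as likely to click."""
    return rates["cohort"][0] / rates["rest"][0]

if __name__ == "__main__":
    cohort = select_risky_cohort(SAMPLE_RESULTS)
    rates = benchmark_rates(SAMPLE_RESULTS, cohort)
    print(sorted(cohort), rates, round(relative_failure(rates), 2))
```

Re-running `benchmark_rates` on each later benchmark test gives the trend the case study reports: the cohort's relative failure falling from above 1.0 toward below it as reporting rises.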

CSO50 Award-Winning Results

Within months, the Risky 1K were reformed. They graduated from phishing prisons to the head of the class, and outperformed the rest of the company so significantly that the security team secured approval for an org-wide Hoxhunt rollout that has since improved phishing simulation failure rates globally by 6X.

These results earned a prestigious CSO50 Award from Foundry.

The drop in failure rate was even more astonishing than these numbers indicate. Enrollment into the Hoxhunt training immediately improved the Risky 1K's reporting and failure rates with a structured onboarding process. Their baseline, pre-Hoxhunt failure rate was actually closer to 30-50%, meaning they experienced nearly a 10X improvement in simulated malicious click rate!

Combining AI with behavioral science and game mechanics, Hoxhunt helped Qualcomm finally reach employees who’d been deemed unreachable via traditional SAT tools’ dry, punishment-based curriculum.

Changing from an established model to a disruptive one is not without risk. Qualcomm had to work extensively with Hoxhunt to tailor the program to their technical and operational specifications. Once deployed, there was concern from leadership over:

  • Increasing their risk by going from a punishment-based program to a reward-based program, and
  • Employee backlash at the rise in security micro-trainings

Qualcomm received glowing feedback from employees, leadership, and their security functions. This program produced robust behavior change with high engagement from a typically disengaged user population, to the point that they became their model cyber citizens. With general rollout in Aug. 2023, org-wide engagement rates are off the charts and, as a result, simulated threat reporting rates have soared while click rates have plunged.

Security culture has been the big winner. Even with many more phishing simulations sent to employees, they have recorded more positive feedback and less negative feedback than with their pre-Hoxhunt cadence of 4 simulations per year. Qualcomm is also expending fewer resources on security awareness and phishing training.

Likewise, the improvement in simulated threat reporting rate was actually more dramatic than the experimental data indicates. Threat reporting by the Risky 1K was negligible before the onboarding and enrollment into the Hoxhunt proof of concept trial.

"The CSO50 award recognized the power of a targeted security awareness program for unlocking a new level of excellence in our security culture, starting with our most vulnerable employees. In their 9-month-long enrollment with Hoxhunt, our riskiest user cohort went from having double the phishing failure rate of their colleagues to roughly half, a comparative 4X swing. These results helped us initiate a global rollout of Hoxhunt to all of our employees, who have since dropped their failure rates by a factor of 6." -- Kris Virtue, Global Head of Cybersecurity, Qualcomm

Cultural transformation

You are only as strong as your weakest link. By up-skilling the individuals most vulnerable to social engineering with personalized, dynamic phishing training, Qualcomm found success where other SAT tools had failed in turning their greatest human risk into a sizable security resource. Not only were these individuals less likely than their peers to click on a malicious link, but they were more likely to report threats, thereby defending the whole organization.

And these results occurred within 6 months of the global rollout.

A cyber behavior and cultural transformation followed the general rollout of Hoxhunt, as the cyber-challenged population showed everyone what was possible with an adaptive phishing training program.

"Qualcomm is mission-driven toward enabling a world where everyone and everything can be intelligently connected. We think our Worst-to-First initiative serves as an IT parable for securing that connectivity for unrivaled prosperity.
By correcting our riskiest employees’ security behavior, Hoxhunt helped us strengthen each link in the software supply chain against social engineering attacks, the top vector for data breaches. We’d encourage everyone to adopt the Hoxhunt adaptive phishing model. The results are self-evident. From employees to large enterprises, we can all do our share to keep our ecosystem safe and secure." -- Kris Virtue, CISO