Qualcomm Inc (Qualcomm) is a leader in developing and delivering innovative digital wireless communications products and services based on CDMA and other advanced technologies. Today, Qualcomm has 170 offices in more than 30 countries.
Employees: 50,000+
Industry: Telecom
Headquarters: San Diego, California
Recognizing that 4% of users are responsible for 80% of phishing incidents, Qualcomm wanted to reform their riskiest employees with targeted, gamified security awareness training.
Qualcomm’s CSO50 Award-winning "Worst-to-First Employee Phishing Performance" initiative transformed their 1,000 highest-risk employees into model cyber citizens via enrollment into Hoxhunt. Their success led to an org-wide rollout to 48,000 employees, measurably reducing human risk by orders of magnitude.
Research has shown that four in five cyber events are caused by just 4% of employees. Qualcomm knew that if they could find and reach that subset of repeat offenders with targeted security awareness training, and build cyber habits that correct their risky behaviors, then they could transform their risk posture.
Qualcomm enrolled their riskiest 1,000 employees into Hoxhunt training for an experimental trial. This "Risky 1K" cohort's results would be compared against the rest of the company's in periodic benchmark phishing tests.
Data security is a differentiating business factor in their B2C and B2B business lines. Breaches can inconvenience and endanger customers and drive long-term costs: remediation, brand damage, share price, regulatory and legal fees, and customer retention and acquisition.
Human cyber-risk is growing as attackers use AI to produce more sophisticated phishing that bypasses email filters more often. Qualcomm wanted to bolster their human firewall at its weakest points with targeted security awareness and phishing training. They sought to measure and manage their riskiest employees without compromising business operations or negatively impacting culture.
1,000 employees were selected from the ~50,000 population to participate in Hoxhunt training. Selected employees were considered at the highest risk for falling victim to social engineering: they had failed 3 or more of the previous 6 phishing exercises and worked in roles that were frequently targeted with phishing attacks, such as accounts payable, sales/marketing, or executive support.
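The selection rule above (failed at least 3 of the last 6 exercises, and in a frequently targeted role) and the cohort-versus-rest benchmark comparison described earlier are simple enough to script against any phishing-simulation export. The following is an added example, not code from Qualcomm or Hoxhunt: the role names, campaign identifiers, and the per-user results are constructed sample data, and the "received the campaign" denominator is an assumption about how a program would count rates.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical role names; the page names the job functions but not a role taxonomy.
TARGETED_ROLES = frozenset({"accounts_payable", "sales", "marketing", "executive_support"})


@dataclass(frozen=True)
class Result:
    """One user's outcome in one simulated phishing campaign."""
    user: str
    role: str
    campaign: str
    outcome: str  # "clicked" (a failure), "reported", or "ignored"


def select_risky_cohort(results, history, min_failures=3, targeted_roles=TARGETED_ROLES):
    """Users who clicked in >= min_failures of the `history` campaigns AND hold a
    targeted role. Both conditions are required, so a heavy clicker outside the
    targeted roles is not enrolled."""
    history = set(history)
    failures = defaultdict(int)
    roles = {}
    for r in results:
        roles[r.user] = r.role
        if r.campaign in history and r.outcome == "clicked":
            failures[r.user] += 1
    return {u for u, n in failures.items() if n >= min_failures and roles[u] in targeted_roles}


def outcome_rate(results, users, campaign, outcome):
    """Fraction of `users` who received `campaign` and produced `outcome`.
    Users with no record for the campaign are left out of the denominator
    (assumed convention; simulations are not always sent to everyone)."""
    received = [r for r in results if r.campaign == campaign and r.user in users]
    if not received:
        return 0.0
    return sum(r.outcome == outcome for r in received) / len(received)


def benchmark(results, cohort, campaign):
    """Click and report rates for the cohort versus everyone else on one benchmark."""
    rest = {r.user for r in results} - cohort
    return {
        "cohort_click": outcome_rate(results, cohort, campaign, "clicked"),
        "rest_click": outcome_rate(results, rest, campaign, "clicked"),
        "cohort_report": outcome_rate(results, cohort, campaign, "reported"),
        "rest_report": outcome_rate(results, rest, campaign, "reported"),
    }


def _rows(user, role, outcomes):
    return [Result(user, role, c, o) for c, o in outcomes.items()]


# Constructed sample: c1..c6 are the six historical exercises used for selection,
# b1 is a benchmark before training and b2 a benchmark after it.
HISTORY = ["c1", "c2", "c3", "c4", "c5", "c6"]
SAMPLE = (
    # targeted role, 3 of 6 failed -> enrolled
    _rows("alice", "accounts_payable", {"c1": "clicked", "c2": "clicked", "c3": "clicked",
                                        "c4": "ignored", "c5": "ignored", "c6": "reported",
                                        "b1": "clicked", "b2": "reported"})
    # 4 of 6 failed but not a targeted role -> not enrolled
    + _rows("bob", "engineering", {"c1": "clicked", "c2": "clicked", "c3": "clicked",
                                   "c4": "clicked", "c5": "ignored", "c6": "ignored",
                                   "b1": "clicked", "b2": "clicked"})
    # targeted role but only 1 failure -> not enrolled
    + _rows("carol", "sales", {"c1": "ignored", "c2": "clicked", "c3": "ignored",
                               "c4": "reported", "c5": "ignored", "c6": "ignored",
                               "b1": "ignored", "b2": "clicked"})
    # targeted role, 4 of 6 failed -> enrolled
    + _rows("dave", "executive_support", {"c1": "clicked", "c2": "ignored", "c3": "clicked",
                                          "c4": "ignored", "c5": "clicked", "c6": "clicked",
                                          "b1": "clicked", "b2": "ignored"})
    # targeted role, no failures -> not enrolled
    + _rows("erin", "marketing", {"c1": "reported", "c2": "ignored", "c3": "reported",
                                  "c4": "ignored", "c5": "ignored", "c6": "reported",
                                  "b1": "reported", "b2": "ignored"})
)

if __name__ == "__main__":
    cohort = select_risky_cohort(SAMPLE, HISTORY)
    print("cohort:", sorted(cohort))
    for camp in ("b1", "b2"):
        print(camp, benchmark(SAMPLE, cohort, camp))
```

On the constructed data the cohort is {alice, dave}; on b1 they click at 100% against 33% for everyone else, and on b2 they click at 0% against 67%, with alice now reporting. That before/after ratio is the kind of "comparative swing" the page reports, and the same two functions run unchanged on a real export once rows are mapped into `Result`.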
Within months, the Risky 1K were reformed. They went from the bottom of the class to the top, and outperformed the rest of the company so significantly that the security team secured approval for an org-wide Hoxhunt roll-out that has since cut phishing simulation failure rates globally by a factor of 6.
These results earned a prestigious CSO50 Award from Foundry.
Combining AI with behavioral science and game mechanics, Hoxhunt helped Qualcomm finally reach employees who had been deemed unreachable via the dry, punishment-based curriculum of traditional security awareness training (SAT) tools.
Changing from an established model to a disruptive one is not without risk. Qualcomm had to work extensively with Hoxhunt to tailor the program to their technical and operational specifications. Once deployed, there was concern from leadership over:
1) Increasing their risk by going from a punishment-based program to a reward-based program, and
2) Employee backlash at the rise in security micro-trainings
Qualcomm received glowing feedback from employees, leadership, and their security functions. This program produced robust behavior change with high engagement from a typically disengaged user population, to the point that they became the company's model cyber citizens. With general rollout in Aug. 2023, org-wide engagement rates are off the charts and, as a result, simulated threat reporting rates have soared while click rates have plunged.
Security culture has been the big winner. Even with many more phishing simulations sent to employees, they have recorded more positive feedback and less negative feedback than under the pre-Hoxhunt cadence of four simulations per year. Qualcomm is also spending fewer resources on security awareness and phishing training.
"The CSO50 award recognized the power of a targeted security awareness program for unlocking a new level of excellence in our security culture, starting with our most vulnerable employees. In their 9-month-long enrollment with Hoxhunt, our riskiest user cohort went from having double the phishing failure rate of their colleagues to roughly half, a comparative 4X swing. These results helped us initiate a global rollout of Hoxhunt to all of our employees, who have since dropped their failure rates by a factor of 6." -- Kris Virtue, Global Head of Cybersecurity, Qualcomm
"It was a no brainer... You see the worst going to the best (in 2 months with Hoxhunt). It was easy to bring this out to our whole company. And those results have been pretty astounding to be honest with you." -- Rachel Shaw, Sr. Manager of Cybersecurity at Qualcomm, speaking at the CSO50 Awards in Arizona.
You are only as strong as your weakest link. By up-skilling the individuals most vulnerable to social engineering with personalized, dynamic phishing training, Qualcomm found success where other SAT tools had failed in turning their greatest human risk into a sizable security resource. Not only were these individuals less likely than their peers to click on a malicious link, but they were more likely to report threats, thereby defending the whole organization.
And these results occurred within 6 months of the global rollout.
"Qualcomm is mission-driven toward enabling a world where everyone and everything can be intelligently connected. We think our Worst-to-First initiative serves as an IT parable for securing that connectivity for unrivaled prosperity.
By correcting our riskiest employees’ security behavior, Hoxhunt helped us strengthen each link in the software supply chain against social engineering attacks, the top vector for data breaches. We’d encourage everyone to adopt the Hoxhunt adaptive phishing model. The results are self-evident. From employees to large enterprises, we can all do our share to keep our ecosystem safe and secure." -- Kris Virtue, CISO