Qualcomm wins CSO50 Award Recognition with phishing training for riskiest employees program

Congratulations to Kris Virtue, Rachel Shaw, and the world class cybersecurity team at Qualcomm for earning recognition from the prestigious 2024 CSO50 Awards for their transformative phishing training program.

Post hero image

Table of contents

Award-winning phishing training

Qualcomm’s "Worst-to-First Employee Phishing Performance" initiative transformed their 1,000 highest-risk employees into model cyber citizens via enrollment into the Hoxhunt adaptive phishing training program. The transformative results of their program led to an org-wide rollout of the Hoxhunt Human Risk Management Platform to 48,000 employees, measurably reducing Qualcomm's human risk by orders of magnitude. This is one of the most inspirational tales of human risk reduction ever told. You can patch human behavior!

Why focus phishing training on the riskiest employees?

The 2024 Verizon DBIR reports that 68% of breaches contain the human element. And the Comcast Business Cybersecurity Threat Report found that 80-95% of all attacks begin with a phish. But most security incidents are caused by a subset of “repeat offenders” who are especially prone to clicking on phishing links.

According to a 2021 Cyentia Institute report:

  • 4% of users are responsible for 80% of phishing incidents, some clicking as often as twice a month.
  • 3% of users are responsible for 92% of malware events
  • 1% of users will average an incident every other week.

Qualcomm is a large enterprise under constant cyberattack. Data security is a differentiating business factor in their B2C and B2B business lines. Interruptions to operations can be deeply problematic for customers, and breaches can heavily impact the short-term bottom line and longer-term costs associated with brand damage, share price, regulatory and legal fees, and customer retention and acquisition.

As the human layer is the largest and most vulnerable attack surface, Qualcomm sought to identify, measure, and manage their riskiest employees without compromising business operations or negatively impacting culture.

Turning their riskiest employees into top performers, Qualcomm secured an org-wide security culture transformation that has helped measurably reduce risk and drive business growth as a trusted partner in a hyper-connected landscape.

[.c-quote-box][.c-quote-wrapper][.c-quote-icon][.c-quote-icon][.c-quote-right-col][.c-quote-text-wrapper][.c-quote-text]Qualcomm is mission-driven toward enabling a world where everyone and everything can be intelligently connected. We think our Worst-to-First initiative serves as an IT parable for securing that connectivity for unrivaled propserity. By correcting our riskiest employees’s security behavior, we strengthen each link in the software supply chain against social engineering attacks, the top vector for data breaches. We’d encourage everyone to adopt the Hoxhunt adaptive phishing model. The results are self-evident. From employees to large enterprises, we can all do our share to keep our ecosystem safe and secure.[.c-quote-text][.c-quote-text-wrapper][.c-quote-name-wrapper][.c-quote-name]Rachel Shaw, Sr Manager Cybersecurity, Qualcomm[.c-quote-name][.c-quote-name-wrapper][.c-quote-right-col][.c-quote-wrapper][.c-quote-box]

How did Qualcomm reform their worst repeat offenders?

The Hoxhunt Human Risk Management Platform contains technological and operational capabilities superior to Qualcomm’s previous Security Awareness Training (SAT) tools, which had satisfied compliance needs but underperformed on training engagement, behavior change, human risk visibility, and measurable reduction of risk.

Even so, change management is not without its challenges and Qualcomm overcame several.

  1. Stakeholder buy-in

Problem: Any extra costs and perceived time spent on security training needed to be justified with evidence that the program was delivering measurable, meaningful results.

Solution: Program transparency and the reporting of meaningful metrics on human risk—engagement, simulated clicks, and threat reports—revealed unprecedented security behavior change, which persuaded leadership that this program was worthy of investment.

  1. Technical integrations

Problem: Replacing their existing SAT tool and its associated manual operations required multiple technical integrations. Traditional SAT tools can be manually integrated into a digital environment, but they are also highly manual to operate, from creating a phishing simulation and sending it to 50,000 employees, on to analyzing the results.

Solution: Qualcomm and Hoxhunt worked together to customize a solution to Qualcomm’s technical needs. We also co-created phishing benchmark tests that would compare the Hoxhunt population’s performance against the general workforce.

The adaptive phishing training platform automates the distribution and analysis of dozens of personalized simulations per year, but their domains must be approve-listed and the Hoxhunt threat reporting button must be integrated into the email client, amongst other technical details.

 3. Resources and operations

Problem: Rolling out and managing a new SAT program is typically a big lift on security awareness teams. Sending out quarterly phishing simulations was already daunting; sending out dozens per year appeared extremely challenging.

Solution: Hoxhunt has a managed service component overseen by a dedicated Customer Success team who helped get the program rolled out and put on track effectively and efficiently. Once the program was implemented, the system’s AI-powered automation actually reduced the workload of the security awareness team, from automatically customizing and sending phishing simulations to analyzing their results.

[.c-quote-box][.c-quote-wrapper][.c-quote-icon][.c-quote-icon][.c-quote-right-col][.c-quote-text-wrapper][.c-quote-text]This CSO50 award recognition is a testament to how our world-class security team and our visionary leadership have unlocked a new level of excellence in our security culture, starting with our most vulnerable employees. In their 9-month-long enrollment with Hoxhunt, our riskiest user cohort went from having double the phishing failure rate of their colleagues to roughly half. These results helped us initiate a global rollout of Hoxhunt to all of our employees, who have since dropped their failure rates by a factor of 4.[.c-quote-text][.c-quote-text-wrapper][.c-quote-name-wrapper][.c-quote-name]Kris Virtue, Global Head of Cybersecurity, Qualcommm[.c-quote-name][.c-quote-name-wrapper][.c-quote-right-col][.c-quote-wrapper][.c-quote-box]

Worst-to-First Results

According to Cyentia research, 4% of employees cause over 80% of security incidents. Qualcomm erased that imbalance by pinpointing their lowest-performing 1000 employees and lowering their phishing susceptibility by 3.5x during the 9-month trial, and eventually by 5x.

  • 1,000 employees were selected from the ~ 50,000 population to participate with Hoxhunt training.
  • Selected employees were considered at the highest risk for falling victim to social engineering as they had failed 3 or more of the previous 6 phishing exercises and worked in roles that were frequently targeted with phishing attacks, such as accounts payable, sales/marketing, or executive support.  
  • Prior to enrolling the selected employees into the Hoxhunt training, Qualcomm conducted a global phishing exercise as a benchmark. The click rate of the identified Hoxhunt subset was substantially higher (20.5%) than the rest of the employee population (12.8%).
  • Additionally, report rates from Hoxhunt selected employees were significantly lower (33.4%) than the rest of the company’s population (45.1%).  These results verified that the Hoxhunt selected employees were at higher risk for falling victim to phishing attacks than the general employee population.
  • 2 months after starting training,  another global phishing test was conducted. The Hoxhunt subset showed significant behavior change.
  • Click rates of the Hoxhunt enrolled users (8.6%) were lower than those of the general population (11.5%). Meanwhile, threat reports from Hoxhunt users were greater (41.4%) than the rest of the population (29.2%).
  • Each subsequent test showed similar results, with the Hoxhunt enrolled employees performing better as a group than the general population. Within 9 months, the Hoxhunt-enrolled employees went from lowest-to-top performers.
Hoxhunt improvement: Risky 1000 failure rate dropped by 2.5x after 4 months, and it fell to 6.1% after 9 months for a 3.5x drop. The Hoxhunt-trained group's failure rate fell to half that of the general SAT-trained population.

The Hoxhunt-trained Risky 1000 nearly doubled their own threat reporting over four months, and had nearly double the reporting rate of the general SAT-trained population. Threat reporting is a critical behavior for measuring and managing human risk.

General rollout

In Aug./Sept. 2023, Qualcomm rolled the program out to the entire roughly 50,000 global workforce. Over the next 6 months to March 2024, the global improvement has been stellar:

  • 77% onboarded and actively participating (35,823 employees)
  • 59.7% Reporting rate, up from 29.2% (amazing, for a company this size)
  • 3.3% Fail, down from 12.8%: 4X improvement

Risk-associated cost of phishing reduction: $1.4M - $7.4M+

The IBM Cost of a Data Breach report says phishing breaches are the costliest of 11 initial attack vectors, at $4.76 million on average, but those costs are reduced by $1.4 million with high levels of employee security training. According to 2021 Ponemon estimates, total phishing costs ($14.8M) can be cut in half with good training, for a $7.4M+ savings.

Reducing risk and building culture

Combining AI with behavioral science and game mechanics, Qualcomm were finally able to reach employees who’d been deemed unreachable via traditional SAT tools’ dry, punishment-based curriculum.

Changing from an established model to a disruptive one is not without challenges. Qualcomm had to work extensively with Hoxhunt to tailor the program to their technical and operational specifications.

Qualcomm received glowing feedback from employees, leadership, and their security functions. This program produced robust behavior change with high engagement from a typically disengaged user population, to the point that they became their model cyber citizens. With general rollout in Aug. 2023, org-wide engagement rates are off the charts and, as a result, simulated threat reporting rates have soared while click rates have plunged.

Security culture has been the big winner. Even with many more phishing simulations sent to employees, they have recorded more positive feedback and less negative feedback than with their pre-Hoxhunt 4 simulations/year cadence. Qualcomm are also expending fewer resources on security awareness and phishing training.


About the CSO50 and CSO Hall of Fame Award Winners

The CSO50 award recognizes 50 organizations for security projects and initiatives demonstrating outstanding business value and thought leadership. The CSO Hall of Fame honors leaders who have significantly contributed to advancing information risk management and security. Inductees exemplify the qualities of leadership and excellence and, by their example, contribute to improving security across all organizations. Award winners are honored at the CSO50 Conference + Awards in October, 2024.

Hoxhunt CSO50 winning tradition

Previously, working with Hoxhunt, AES earned CSO50 recognition by using Hoxhunt for their gamified security awareness training program, achieving 6X threat reporting and engagement. And in 2021, DocuSign won for their security awareness and phishing program overhaul with Hoxhunt as well.

Get more cybersecurity insights like this