case study

IGT Hits Cybersecurity Awareness Training Jackpot With Hoxhunt

About

Headquarters: London | Providence, RI | Las Vegas, NV | Rome

Employees: 11,000 +, on six continents

Business: Slot machines and online gaming, gambling, and betting

Challenge
Traditional training tools weren't winning in terms of risk reduction, remediation, or meaningful metrics, and lost big on employee engagement and culture.
Solution
Focusing on engagement over training simulation pass/fail rates, IGT uncovered their true risk while ultimately lowering overall risk by challenging employees with gamified, customized learning paths.
Key takeaways:

Hoxhunt cybersecurity awareness training results

“We are between a 4-to-6 percent failure rate now. When we started, we were in the 30 percent failure rate range. That speaks to the efficacy of the Hoxhunt program.” --Kevin DeLange, CISO, IGT

  • Engagement rate jumped dramatically, to over 56% and climbing
  • Onboarding rate (employees who’ve initiated training) several times higher than previous solution
  • Simulation fail-rate down 85% and progressively declining
  • Reduced risk of phishing attack breach
  • Seamless integration to email system
  • Data reports relevant to internal KPIs generated in format that can be directly communicated to company and board
  • Ongoing partnership with Customer Success: “You give us reports that we can use for our KPIs in our monthly meetings. Hoxhunt is about integrations to our business system and also bespoke services. The level of care from customer success is excellent.” -- Tito Librado, Director of Global Information Security, GRC
  • Superior quality of phishing simulations: “It’s almost like having a real attack. That’s the real differentiation.”  -- Tito Librado, Director of Global Information Security, GRC

“With our old tool, compared to Hoxhunt, it’s not even close… I get all kinds of companies knocking on the door and they do not compete with you at Hoxhunt.” -- Tito Librado, Director of Global Information Security, GRC

Background

International Game Technology (NYSE: IGT) needed to raise its cybersecurity awareness and resilience while lowering risk at the people layer. Phishing email attacks were their top concern. Spread across 100 countries on six continents, IGT's 11,000+ employees regularly sustain a heavy volume of email attacks (15 attacks per month, per employee).

These employees maintain the multi-billion-dollar business operations of online casinos, lotteries, scratch games, digital sports betting and more; IGT's crown jewels are highly attractive to cybercriminals. Kevin DeLange, CISO, sought a tool that would help raise and measure employee cybersecurity awareness, and help him communicate to executive management what IGT’s “true risk” of email attack breach actually is. Traditional punitive training models left much to be desired, from their pass/fail-driven “measured risk” to their damaging effect on cybersecurity culture.

Prior solutions had bad odds of success

Despised by employees and management alike, the prior punishment-based solutions also left IGT and Kevin DeLange unimpressed with the programs’ structure and content. Their overall impact on awareness and risk was unclear at best. Widespread disengagement left the risk of a phishing breach largely unknown. Overall, risk wasn’t going down.

The content was:

  • Dry and boring
  • Released too infrequently and at regular intervals
  • Easily anticipated
  • Not relevant to the user or to developments in the threat landscape
  • Cookie-cutter formatted for all people and all levels of difficulty
  • Punishment-based: Failing a test meant being punished with more training (or worse)

The results were:

  • Low training engagement
  • Low employee threat reporting, real and simulated
  • High level of unknown risk
  • Poor cybersecurity attitude and culture across the organization
  • Low awareness level
  • Empty metrics: Pass/fail of simulations gave low-impact metrics for infosec team internally, and for reporting to the board

Pass/fail metrics in this context weren’t useful. They often served as a vendor-influenced vanity metric. Few people were actually interacting with the phishing simulations and many others were just gaming the system, easily anticipating a test simulation by its predictable cadence and structure. These tests were designed to show improvement, not engage the workforce and build awareness.

Rolling the dice with Hoxhunt: a positive, personalized, engaging experience

Hoxhunt was tapped to refresh cybersecurity awareness training and culture. The large and globally distributed workforce demanded an automated solution that could provide maximum impact with minimal touch: it had to be as plug-n-play as possible. The goals were:

  1. Lowering click rate of malicious emails, simulated and real
  2. Raising the threat reporting rate
  3. Raising training engagement rate
  4. Raising overall cybersecurity awareness and culture
  5. Keeping engagement high with challenging and dynamic training content delivered in a format people liked
  6. Attaining meaningful KPIs and metrics that could guide the information security team and that could be reported to the board

Kevin wanted a program that would continuously, and unpredictably, challenge employees with relevant simulated attacks in a way they actually liked and would thus use. Measuring actual engagement and improvement was the key, not passing a poorly constructed test. IGT selected Hoxhunt because its content and gamified program design offered what the prior solutions did not:

  • Customized learning paths
  • Reward-based awareness journey
  • Constantly-updated, dynamic content designed to adapt with the evolving threat landscape
  • Scientifically-validated behavior change entrainment: The action of hitting the Hoxhunt threat report button helped motivate good email behavior while removing actual threats from the system.

Winning metrics that boost awareness and culture

At IGT, the CISO reports yearly to the board; twice if there’s an audit committee report. Beyond that, the CISO has large exposure to executive management. Kevin said he is expected to report business-relevant information security trends, not raw statistics. As a broader indication of risk, IGT measures employee cybersecurity awareness by their Hoxhunt engagement metrics, such as how many complete training simulations and how many are clicking the Hoxhunt report button on suspicious emails. IGT also measures the number of people who react badly to a phishing email. To encourage active engagement, DeLange structures reporting country-by-country, which he has seen fosters positive competition, which in turn motivates cybersecurity awareness.
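The metrics described above, and the earlier point that pass/fail alone is a vanity metric when few people interact with simulations, can be made concrete with a small KPI calculation. The following is an added illustration, not Hoxhunt's or IGT's code or data: it runs over a constructed simulation log (invented employees and countries), computes the per-country fail, report and engagement rates, and shows how a legacy pass/fail figure hides a disengaged population.

```python
from collections import defaultdict

# Constructed sample log (not IGT data): one row per simulated phishing email,
# as (employee, country, outcome). Outcomes: "reported" = used the report button,
# "clicked" = fell for the simulation, "ignored" = no interaction at all.
SIMULATION_LOG = [
    ("e01", "UK", "reported"), ("e02", "UK", "reported"),
    ("e03", "UK", "clicked"),  ("e04", "UK", "ignored"),
    ("e05", "IT", "ignored"),  ("e06", "IT", "ignored"),
    ("e07", "IT", "ignored"),  ("e08", "IT", "clicked"),
    ("e09", "US", "reported"), ("e10", "US", "reported"),
    ("e11", "US", "reported"), ("e12", "US", "ignored"),
    ("e13", "US", "ignored"),
]


def kpis(log):
    """Per-country rates from a simulation log of (employee, country, outcome) rows."""
    counts = defaultdict(lambda: {"sent": 0, "reported": 0, "clicked": 0, "ignored": 0})
    for _employee, country, outcome in log:
        counts[country]["sent"] += 1
        counts[country][outcome] += 1
    result = {}
    for country, c in counts.items():
        sent = c["sent"]
        result[country] = {
            "fail_rate": c["clicked"] / sent,                          # fell for the lure
            "report_rate": c["reported"] / sent,                       # hit the report button
            "engagement_rate": (c["reported"] + c["clicked"]) / sent,  # any interaction at all
            "unknown_share": c["ignored"] / sent,                      # silent: risk not measured
            # Legacy pass/fail: everyone who did not click counts as a "pass", so a
            # country that ignores every simulation looks as safe as an engaged one.
            "legacy_pass_rate": (sent - c["clicked"]) / sent,
        }
    return result


def leaderboard(rates):
    """Country ranking for the 'which country is number 1' report:
    highest report rate first, ties broken by lowest fail rate."""
    return sorted(rates, key=lambda k: (-rates[k]["report_rate"], rates[k]["fail_rate"]))


if __name__ == "__main__":
    r = kpis(SIMULATION_LOG)
    for country in leaderboard(r):
        print(country, {k: round(v, 2) for k, v in r[country].items()})
```

In the sample, UK and IT show the identical legacy pass rate of 75%, yet IT's engagement is 25% with three quarters of its risk unmeasured, which is exactly the "unknown risk" the engagement metrics expose.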

Jackpot! Results:

  • Failure rate dropped from 30% to between 4-6%
  • Engagement rate skyrocketed to over 56% and climbing
  • Widely embraced by management and employees
  • Awareness level significantly elevated – cybersecurity became a water cooler topic
  • Unknown risk is minimized
  • Overall resilience is greater
  • Hoxhunt-generated KPIs are communicated to CIO, employees, and board to show progress on things like: What team/country is number 1? | What is click rate? | Fail rate? | Simulation rate? | Engagement rate?
  • Seamless integration to the email system

Key takeaways with Kevin DeLange, CISO of IGT


Threat landscape

“When you have lottery jackpots that can exceed the GDP of some countries, it would be naïve to think that attackers wouldn’t view that as something worth time and effort going after.” -- Kevin DeLange, CISO

Why is phishing awareness training necessary?

“Phishing is the largest attack vector. That’s not different for IGT as for any other company… The language context and other parts of an email message, and the associated risks with it, is getting more precise and it’s more difficult to distinguish. So you really need tools at the perimeter as a necessary first line of defense. But equally important to me is you need an effective phishing awareness program. You can’t ignore the human factor in this. You need to put employees in the proper mindset to reply to these things.” -- Kevin DeLange, CISO

Positive vs. punitive cybersecurity awareness training: Carrots for sticks

“I always, for better or worse, fall back on the carrot and stick analogy. You want to make cybersecurity training as positive an interaction with the employee as you possibly can, but if an employee fails a test, the fact that Hoxhunt offers that immediate feedback and microtrainings, I think that is a relatively painless stick. I’ve seen and heard about companies that do far more drastic things if you fail tests, and I think ultimately that’s not going to instill a lot of cooperation and positivity in the employee base.” -- Kevin DeLange, CISO

Gamified training content

“With the gamification aspect of Hoxhunt, especially with executive management, I have gotten really high marks and good feedback from them on the gamification, which I never would have predicted before.” -- Kevin DeLange, CISO

Personalized training content

“Not everybody learns the same way. Some people are visual learners. Some people are textual learners. You can’t have a comprehensive training solution without factoring in different approaches to learning.” -- Kevin DeLange, CISO

Everybody wins

“I’ve got nothing but positive things to say about Hoxhunt. I don’t get that feeling that it’s rote and standard and people are just going through the motions like with earlier solutions. I really think that we’ve hit a chord with people and the fact that they can track the gaming aspect of it, and they can see their numbers in relation to other people, that’s also been a good motivator. I guess in today’s world gamification is the way to go; it’s worked out well for us. I’m very happy with it.” -- Kevin DeLange, CISO