Headquarters: London | Providence, RI | Las Vegas, NV | Rome
Employees: 11,000+, on six continents
Business: Slot machines and online gaming, gambling, and betting
“We are between a 4-to-6 percent failure rate now. When we started, we were in the 30 percent failure rate range. That speaks to the efficacy of the Hoxhunt program.” -- Kevin DeLange, CISO, IGT
“With our old tool, compared to Hoxhunt, it’s not even close… I get all kinds of companies knocking on the door and they do not compete with you at Hoxhunt.” -- Tito Librado, Director of Global Information Security, GRC
International Game Technology (NYSE: IGT) needed to raise its cybersecurity awareness and resilience while lowering risk at the people layer. Phishing email attacks were its top concern. Spread across 100 countries on six continents, IGT regularly sustains a heavy volume of email attacks against its 11,000+ employees (15 attacks per month, per employee).
These employees maintain the multi-billion-dollar business operations of online casinos, lotteries, scratch games, digital sports betting and more; IGT's crown jewels are highly attractive to cybercriminals. Kevin DeLange, CISO, sought a tool that would help raise and measure employee cybersecurity awareness, and help him communicate to executive management what IGT’s “true risk” of email attack breach actually is. Traditional punitive training models left much to be desired, from their pass/fail-driven “measured risk” to their damaging effect on cybersecurity culture.
Despised by employees and management, the prior punishment-based solutions left IGT and Kevin DeLange further unimpressed by the programs’ structure and content. Their overall impact on awareness and risk was unclear at best. Widespread disengagement left the risk of a phishing breach largely unknown. Overall, risk wasn’t going down.
The content was:
The results were:
Pass/fail metrics in this context weren’t useful. They often served as a vendor-influenced vanity metric. Few people were actually interacting with the phishing simulations and many others were just gaming the system, easily anticipating a test simulation by its predictable cadence and structure. These tests were designed to show improvement, not engage the workforce and build awareness.
Hoxhunt was tapped to refresh cybersecurity awareness training and culture. The large and globally distributed workforce demanded an automated solution that could provide maximum impact with minimal touch: it had to be as plug-n-play as possible. The goals were:
Kevin wanted a program that would continuously, and unpredictably, challenge employees with relevant simulated attacks in a way they actually liked and would thus use. Measuring actual engagement and improvement was the key, not passing a poorly constructed test. IGT selected Hoxhunt because its content and gamified program design offered what the prior solutions did not:
At IGT, the CISO reports yearly to the board; twice if there’s an audit committee report. Beyond that, the CISO has large exposure to executive management. Kevin said he is expected to report business-relevant information security trends, not statistics. As a broader indication of risk, IGT measures employee cybersecurity awareness by their Hoxhunt engagement metrics, such as how many complete training simulations and how many click the Hoxhunt report button on suspicious emails. IGT also measures the number of people who react negatively to a phishing email. To encourage active engagement, DeLange structures reporting country-by-country; he has seen that this fosters positive competition, which in turn motivates cybersecurity awareness.
“When you have lottery jackpots that can exceed the GDP of some countries, it would be naïve to think that attackers wouldn’t view that as something worth time and effort going after.” -- Kevin DeLange, CISO
“Phishing is the largest attack vector. That’s not different for IGT as for any other company… The language context and other parts of an email message, and the associated risks with it, is getting more precise and it’s more difficult to distinguish. So you really need tools at the perimeter as a necessary first line of defense. But equally important to me is you need an effective phishing awareness program. You can’t ignore the human factor in this. You need to put employees in the proper mindset to reply to these things.” -- Kevin DeLange, CISO
“I always, for better or worse, fall back on the carrot and stick analogy. You want to make cybersecurity training as positive an interaction with the employee as you possibly can, but if an employee fails a test, the fact that Hoxhunt offers that immediate feedback and microtrainings, I think that is a relatively painless stick. I’ve seen and heard about companies that do far more drastic things if you fail tests, and I think ultimately that’s not going to instill a lot of cooperation and positivity in the employee base.” -- Kevin DeLange, CISO
“With the gamification aspect of Hoxhunt, especially with executive management, I have gotten really high marks and good feedback from them on the gamification, which I never would have predicted before.” -- Kevin DeLange, CISO
“Not everybody learns the same way. Some people are visual learners. Some people are textual learners. You can’t have a comprehensive training solution without factoring in different approaches to learning.” -- Kevin DeLange, CISO
“I’ve got nothing but positive things to say about Hoxhunt. I don’t get that feeling that it’s rote and standard and people are just going through the motions like with earlier solutions. I really think that we’ve hit a chord with people and the fact that they can track the gaming aspect of it, and they can see their numbers in relation to other people, that’s also been a good motivator. I guess in today’s world gamification is the way to go; it’s worked out well for us. I’m very happy with it.” -- Kevin DeLange, CISO