Knowledge is power: How Penn National Gaming combats phishing with Infosec IQ
- Client: Largest domestic casino and hotel operator in the U.S.
- Deployment size: 4,000 learner seats
- Capabilities used: PhishSim, AwareEd
- Results: Reduced employee phishing susceptibility rate from 20% to 2%
Penn National Gaming is the largest domestic casino and hotel operator in the U.S. With over 16,000 employees in multiple states and gaming jurisdictions, security threats like phishing and business email compromise are a top concern for the Penn National Gaming security team.
When Security Analyst Marc Puhala first joined the team in 2017, he was tasked with finding a security awareness and phishing simulation tool to teach employees how to detect and avoid email-based threats. Marc selected Infosec IQ™ as the organization’s awareness tool and has since reduced employee phishing susceptibility rates from 20% to 2%.
Marc attributes this success to his multi-layered approach to employee security awareness training. We met with Marc to learn how he’s used Infosec IQ alongside other communication initiatives to keep the organization’s infrastructure and data secure.
Assessing & managing security risk with simulations & education
Mitigating email-based security threats was the primary driver behind Penn National Gaming’s decision to implement an employee security awareness training program. “I was asked to look for a phishing simulator my first day on the job,” said Marc. “At Penn Gaming, it’s important that we are as prepared as possible for all the potential risks in our environment. We’re constantly assessing our security and needed a way to address email threats like phishing.”
After evaluating nearly 20 training platforms, Marc selected Infosec IQ as his tool of choice based on its ease of use and customization options. “Infosec IQ had exactly what we needed, while also providing us resources we can grow into,” said Marc. “The price was right, it was very user friendly and I could report on the data I needed to improve our program over time.”
Leveraging role-based training to drop phishing rates to just 2%
Marc has followed a role-based approach to security awareness training since first implementing Infosec IQ at Penn National Gaming. “When we first started, we sent phishing simulations about every other month,” said Marc. “This was to find out where our weakest points were and adjust the program as needed.”
Marc analyzes employee performance data after every simulation — looking for trends by department, office location and types of simulations used. “I’m using that data to build out our education campaigns. Employee training needs to be relevant to their role, or it won’t work,” said Marc. “We also tailor training to specific individuals in cases of ‘repeat offenders’ who may need remedial training.”
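The kind of post-simulation analysis described above can be reduced to a few aggregations over the campaign results: susceptibility (click) rate by department, location or template, the reporting rate over time, and the set of employees who fell for more than one campaign and are candidates for remedial training. The script below is an added illustration, not Penn National Gaming's or Infosec IQ's own code; the campaign names, employee IDs, departments and sites are constructed sample data, and the record layout is an assumption rather than Infosec IQ's export format.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Result(NamedTuple):
    """One employee's outcome in one simulated phishing campaign (assumed layout)."""
    campaign: str
    template: str
    employee: str
    department: str
    location: str
    clicked: bool    # followed the simulated phishing link
    reported: bool   # forwarded the email to the security team


# Constructed sample results for three hypothetical monthly campaigns.
RESULTS: List[Result] = [
    Result("2019-01", "tax-refund",     "e001", "Finance",    "Site A", True,  False),
    Result("2019-01", "tax-refund",     "e002", "Finance",    "Site A", False, True),
    Result("2019-01", "tax-refund",     "e003", "Operations", "Site B", True,  False),
    Result("2019-01", "tax-refund",     "e004", "Operations", "Site B", False, False),
    Result("2019-01", "tax-refund",     "e005", "HR",         "Site A", False, True),
    Result("2019-02", "password-reset", "e001", "Finance",    "Site A", True,  False),
    Result("2019-02", "password-reset", "e002", "Finance",    "Site A", False, True),
    Result("2019-02", "password-reset", "e003", "Operations", "Site B", False, True),
    Result("2019-02", "password-reset", "e004", "Operations", "Site B", False, False),
    Result("2019-02", "password-reset", "e005", "HR",         "Site A", False, True),
    Result("2019-03", "invoice",        "e001", "Finance",    "Site A", True,  False),
    Result("2019-03", "invoice",        "e002", "Finance",    "Site A", False, True),
    Result("2019-03", "invoice",        "e003", "Operations", "Site B", False, True),
    Result("2019-03", "invoice",        "e004", "Operations", "Site B", False, False),
    Result("2019-03", "invoice",        "e005", "HR",         "Site A", False, True),
]


def _rate_by(results: List[Result], group_by: str, field: str) -> Dict[str, float]:
    """Percentage of results where `field` is True, grouped by a Result attribute."""
    sent: Dict[str, int] = defaultdict(int)
    hits: Dict[str, int] = defaultdict(int)
    for r in results:
        key = getattr(r, group_by)
        sent[key] += 1
        if getattr(r, field):
            hits[key] += 1
    return {k: round(100.0 * hits[k] / sent[k], 1) for k in sent}


def susceptibility_rate(results: List[Result], group_by: str) -> Dict[str, float]:
    """Click rate per department, location or template (the trends the program tracks)."""
    return _rate_by(results, group_by, "clicked")


def reported_rate(results: List[Result], group_by: str = "campaign") -> Dict[str, float]:
    """Share of recipients who reported the simulated email, per campaign by default."""
    return _rate_by(results, group_by, "reported")


def campaign_trend(results: List[Result]) -> List[Tuple[str, float]]:
    """Overall click rate per campaign, in chronological (campaign-name) order."""
    by_campaign = susceptibility_rate(results, "campaign")
    return sorted(by_campaign.items())


def repeat_offenders(results: List[Result], min_clicks: int = 2) -> List[str]:
    """Employees who clicked in at least `min_clicks` distinct campaigns."""
    clicked_in: Dict[str, set] = defaultdict(set)
    for r in results:
        if r.clicked:
            clicked_in[r.employee].add(r.campaign)
    return sorted(e for e, c in clicked_in.items() if len(c) >= min_clicks)


if __name__ == "__main__":
    print("by department:", susceptibility_rate(RESULTS, "department"))
    print("by template:  ", susceptibility_rate(RESULTS, "template"))
    print("trend:        ", campaign_trend(RESULTS))
    print("reported:     ", reported_rate(RESULTS))
    print("remedial:     ", repeat_offenders(RESULTS))
```

Grouping on the template field is what separates a department that is generally susceptible from one that only fell for a particular lure, and the reporting rate per campaign is the cheapest signal that awareness (not just caution) is rising, which is the effect described in the quotes that follow.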
Marc now runs phishing simulations every month and has since dropped employee phishing rates from 20% to just 2%. “The simulations are definitely working — they’ve gotten people talking,” said Marc. “Since starting these campaigns, we’ve noticed a huge increase in the amount of suspicious emails reported to the security department. People are definitely a lot more aware. The simulations taught them you can’t just open anything that’s sent to you.”
Layering training & communication to keep security top-of-mind
In addition to phishing simulations, Marc’s program includes in-person new hire training, security newsletters and monthly meetings with all managers — regardless of their location or department. “In the manager meetings, we share and discuss data from the simulations and other important security news,” said Marc. “It’s really helped focus everyone at Penn Gaming on security.”
Marc shares threat intel and security best practices with all employees in a monthly newsletter. “As we become aware of new threats out there or specific phishing campaigns targeting our organization, we will alert all employees through our newsletter,” said Marc. “This approach has definitely worked. The numbers within the last six months alone show that.”
Part of Marc’s success lies in his careful, scientific approach to training. “We always make sure we have a controlled test group in place before we send any training or simulations on a larger scale,” said Marc. “This way I can get immediate feedback and adjust the campaign as needed. We get very specific with how we build these campaigns and how the emails look, so it needs to deploy as expected.”
Making training real for lasting results
Marc continually adapts the phishing templates in his program to mimic actual threats facing the organization. Often modeled after the same threats shared in the monthly newsletters, these realistic simulations help him gauge lesson retention and overall awareness. “Last month, we sent out a tax-related phishing simulation to supplement our tax-season-themed newsletter,” said Marc. “It’s a way of testing to make sure critical security announcements are actually read, shared and understood.”
The same goes for Marc’s overall program. “The role of security here is constantly changing, constantly growing as we get new ideas and, of course, bring on new properties,” said Marc. “As our staff grows, we’ll continue to enroll new employees into the program to make sure security stays a priority for all our employees.”