How are you approaching phishing tests to make sure they really educate folks and aren't just about "tricking" employees?

1.2k views · 1 Upvote · 7 Comments
CIO7 months ago
We've implemented a Phishing Testing Follow-up Program. The more phishing tests you fail (in one 12-month rolling period), the more follow-up occurs. After 1 fail, the 'failer' receives an education email, is assigned a training, and is on the 'leadership failer list'. After 2 fails, the manager is emailed and the person is on the 'list' again. 3 fails gets you invited to in-person/virtual training with a SME, and access is reviewed and removed if appropriate (i.e. administrative rights). After 4, we evaluate whether the person's role requires receiving external emails and, if not, remove the ability. Lastly, after 5 fails, sanctions up to and including termination.

Generally, we're finding that after 3 fails the behavior changes in a positive way.
Principal Consultant in IT Services7 months ago
We have secondary training and re-phishes for people who fail the phishing campaign. We also report the percentage of failures and percentage of people reporting the phish during all hands meetings.
Senior Information Security Manager in Software7 months ago
They have to be done in a formal manner. There is a great new book with ideas on how to do that by Roger Grimes; see: Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing.

https://amzn.to/43hTyKd
Director of IT7 months ago
Red Team testing is a perfect way to test systems and employees: phishing, a mystery guest on the floor trying to get into the local network and find hardware and connectivity risks, and real testing based on credentials from phishing.
1
CISO in Software6 months ago
The most important element is to have targeted and specific training provided to an employee when they "fail" a phishing test.
1