How often do you do phishing campaigns?

6.8k views · 8 Upvotes · 20 Comments
Head of Cyber Security in Manufacturing, a year ago
Are we sure that phishing tests are not doing more harm than they solve? Business is busy and those tests don't reflect the reality of nowadays' stellar phishes. I think it's better to invest in phishing-resistant authentication so creds are not leaked, and a SWG that filters bad URLs/malware out.
2 1 Reply
Strategic Banking IT advisor in Banking, a year ago

I do agree with you Raphael.

On a weekly basis, we do phishing campaigns. A very large group of employees will receive an appealing email from:
- HR Department
- An SVP 
- A well recognized vendor (Microsoft for example)
- A delivery company

Then, it either contains a link or a file to be opened. The employee has to click on a 'fish icon' in Outlook to submit the email to the security team.

If the email was 'fake', you will receive congratulations. If the email was really suspicious, it will get inspected and the result is sent back to the employee (email has been destroyed or no, it is legitimate).

If the email was 'fake', and the employee read it but hasn't clicked on the fish icon, it counts as a bad usage of emails. Monthly, managers get reports with stats.

End of story, too many fake emails are received from the organization. Employees either got lazy about this and no longer follow the guidelines, or they declare too many emails as potential risks because sometimes it's very hard to tell.

1
Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, a year ago
It's ongoing all the time, but people get categorized. Meaning everyone gets at least one a month, but not on the same day and time as last month. Those who didn't do well get tested again, and after the third oops then it's lunch-and-learn time. That is one framework that allows you to progressively help people to see more advanced attacks. Too many companies test the same scenario each time, e.g. FedEx, UPS.
4
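The scoring and escalation rules described in the two comments above (a report via the fish icon earns congratulations, reading without reporting counts against the employee, managers get monthly stats, a miss leads to a retest, and the third miss leads to a lunch-and-learn) worked through as an added Python example. This is not code from the commenters or their organizations; the event records, the outcome labels, the treatment of a click as a miss, and the three-miss threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumption, not from the thread): one record per
# simulated phishing email, as (campaign_id, employee, outcome). The campaign
# id is prefixed with the month so monthly manager stats can be grouped.
# outcome: "reported" = used the report button, "clicked" = opened the link or
# attachment, "ignored" = read it but never reported it.
SAMPLE_EVENTS = [
    ("2024-01-c1", "alice", "reported"),
    ("2024-01-c1", "bob", "clicked"),
    ("2024-01-c1", "carol", "ignored"),
    ("2024-02-c2", "alice", "reported"),
    ("2024-02-c2", "bob", "clicked"),
    ("2024-02-c2", "carol", "reported"),
    ("2024-03-c3", "alice", "ignored"),
    ("2024-03-c3", "bob", "ignored"),
    ("2024-03-c3", "carol", "reported"),
]

MISSES = {"clicked", "ignored"}   # assumed: both count as "bad usage"
LUNCH_AND_LEARN_AFTER = 3         # assumed: the third miss triggers the session


def grade_event(outcome):
    """Grade one simulation outcome: a report is a pass, anything else a miss."""
    if outcome == "reported":
        return "congratulate"
    if outcome in MISSES:
        return "miss"
    raise ValueError(f"unknown outcome: {outcome}")


def employee_status(events):
    """Cumulative misses per employee and the programme's next step for them.

    0 misses -> nothing to do; 1-2 misses -> retest; 3 or more -> lunch and learn.
    """
    misses = defaultdict(int)
    seen = set()
    for _, employee, outcome in events:
        seen.add(employee)
        if grade_event(outcome) == "miss":
            misses[employee] += 1
    status = {}
    for employee in sorted(seen):
        n = misses[employee]
        if n == 0:
            step = "none"
        elif n < LUNCH_AND_LEARN_AFTER:
            step = "retest"
        else:
            step = "lunch_and_learn"
        status[employee] = {"misses": n, "next_step": step}
    return status


def retest_queue(events):
    """Employees who missed the most recent campaign and still only need a retest."""
    latest = max(campaign for campaign, _, _ in events)
    status = employee_status(events)
    return sorted(
        employee
        for campaign, employee, outcome in events
        if campaign == latest
        and grade_event(outcome) == "miss"
        and status[employee]["next_step"] == "retest"
    )


def monthly_report(events):
    """Per-month counts and report rate: the stats a manager report would carry."""
    months = defaultdict(lambda: {"delivered": 0, "reported": 0, "clicked": 0, "ignored": 0})
    for campaign, _, outcome in events:
        month = campaign[:7]          # "YYYY-MM" prefix of the constructed id
        months[month]["delivered"] += 1
        months[month][outcome] += 1
    report = {}
    for month in sorted(months):
        counts = months[month]
        rate = round(counts["reported"] / counts["delivered"], 2)
        report[month] = dict(counts, report_rate=rate)
    return report


if __name__ == "__main__":
    for employee, info in employee_status(SAMPLE_EVENTS).items():
        print(f"{employee}: {info}")
    print("retest next:", retest_queue(SAMPLE_EVENTS))
    for month, stats in monthly_report(SAMPLE_EVENTS).items():
        print(month, stats)
```

With the constructed data, bob reaches the third miss in March and is routed to a lunch-and-learn rather than another retest, alice is queued for a retest after her single miss, and the monthly report rate shows the reporting habit the second commenter describes as eroding over time.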
Senior VP & CISO, a year ago
Monthly - entire workforce
1 Reply
Senior VP & CISO, a year ago

We also do targeted training.

CISO in Insurance (except health), a year ago
Monthly for all employees, and then supplemental for those who have engaged with phishing test emails. Further, specific high-risk roles in the organization are tested with ad hoc relevant testing based on the role.
Chief Evangelist in IT Services, a year ago
There is a difference between phishing simulation and awareness campaigns around new phishing campaigns and techniques. I'm assuming the question is about phishing simulations. I would recommend starting with an understanding of any customer, regulatory or cyber insurance mandates on the frequency of these tests. Unfortunately, requirements around phishing simulation have become so pervasive that the frequency might be dictated to you, rather than you being able to assess the value to your organization and to your business case for better protection.
