Phishing test "do's and don'ts" - what are the most important DON'Ts in your opinion?

Director Information Security in Healthcare and Biotech, 7 months ago
Don't ever consider any strategies that could be emotionally abusive. For example, sending flower notifications on Valentine's Day, fake bonus notifications, or similar situations. It won't net a positive user response and can lower the trust in your team, if not impact company morale.

Sure, there are threat actors who play on that, but there are better, more effective ways we can test and train users without employing such tactics and stay that trusted party to the staff which helps your program stay successful.
Senior Director, Global Information Security in Consumer Goods, 7 months ago
Building trust in your phishing exercise program is critical. Ensure your company culture is represented in your program. Get feedback and alignment with key stakeholders like HR, Legal and corporate communications. Employee privacy should be a non-negotiable. Consider communications to your employee base explaining the phishing program and their privacy concerns.
Business Information Security Officer, Director in Banking, 6 months ago
Biggest opportunity these days is to take advantage of the opportunity for real-time training if someone fails the phishing test. Many phishing test providers provide the option, and there's no better way to cement the knowledge necessary to pass phishing tests than getting people in that moment just after "gotcha". No one likes that feeling, and it's likely those same people understand their organization is trying to protect their customers and their business priorities.
Senior Information Security Manager in Software, 6 months ago
Effective phishing programs should educate, not alienate.

GoDaddy did the latter. Don’t be like GoDaddy.

https://www.engadget.com/godaddy-sent-fake-phising-email-promising-holiday-bonus-220756457.html
CISO in Software, 6 months ago
Do not run it so often, employees know exactly what to look for.