Have you used any phishing training software that you’ve found to be effective?

4 Comments
Director of IT in Software, 4 years ago

I had done training myself for the employees where I would show/analyze various phishing emails and would explain how to spot them and what to look for. To make it more interesting and fun and to keep employees focused on the training, I took two VMs, installed a remote access trojan, and played victim/attacker to show in real time how you can take screenshots of a remote PC, copy files, see what the victim is doing on the PC, etc. Recently we purchased SANS cybersecurity awareness training, which was also effective. It consists of various short videos that are fun to watch.

VP - Head of Information Technology in Software, 4 years ago

I'm not convinced you can reliably patch the human brain, and I think that the training is an attempt to do that. What is good about the training is that you're covering their personal life and their work life a bit, because another nightmare I have is that a bad actor phishes someone's personal email, then their work laptop is compromised, and then the attacker uses that as a vector to get in, which we can't fix with the other stuff. I've always preferred to stop folks from getting the message in the first place, and that's my best strategy. Material Security, GreatHorn, etc., help me stop them from getting the message if I can. What I like about Material Security and GreatHorn is that even if you miss something and learn about it later, you can find out who got the message and whether they clicked on it after the fact, which is super helpful as well.

2 Replies
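The after-the-fact question raised in the comment above (who received a given phishing message, and who then clicked its link) can be answered by joining mail-trace records with web-proxy logs. The script below is an added example for this thread; it is not code from the original post and not the API of Material Security or GreatHorn. The CSV log layouts, field names, and every log entry are constructed for illustration, and the hypothetical `phishing_exposure` function keys on the sending address and the link host rather than on any vendor identifier. It also handles two edge cases a responder cares about: traffic to the host that predates delivery is not counted as a click, and a click the proxy blocked is reported separately from one it allowed.

```python
import csv
from datetime import datetime
from io import StringIO
from urllib.parse import urlparse

# Constructed sample mail-trace log (CSV): time, sender, recipient, subject, first URL in body.
MAIL_TRACE = """\
time,sender,recipient,subject,url
2024-03-01T09:00:01Z,alerts@paypa1-secure.example,alice@corp.example,Action required: verify your account,http://paypa1-secure.example/login
2024-03-01T09:00:02Z,alerts@paypa1-secure.example,bob@corp.example,Action required: verify your account,http://paypa1-secure.example/login
2024-03-01T09:00:03Z,alerts@paypa1-secure.example,carol@corp.example,Action required: verify your account,http://paypa1-secure.example/login
2024-03-01T09:05:00Z,newsletter@vendor.example,alice@corp.example,March product update,https://vendor.example/news
"""

# Constructed sample web-proxy log (CSV): time, authenticated user, requested URL, proxy action.
PROXY_LOG = """\
time,user,url,action
2024-03-01T08:30:00Z,alice@corp.example,http://paypa1-secure.example/login,allow
2024-03-01T09:12:44Z,bob@corp.example,http://paypa1-secure.example/login?u=bob,allow
2024-03-01T09:15:10Z,carol@corp.example,https://vendor.example/news,allow
2024-03-01T10:02:00Z,carol@corp.example,http://paypa1-secure.example/login,block
"""


def parse_time(value):
    """Parse the constructed ISO-8601 UTC timestamp used in both logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def load_csv(text):
    return list(csv.DictReader(StringIO(text)))


def phishing_exposure(sender, mail_trace_text, proxy_log_text):
    """Return {recipient: {"delivered_at", "clicked_at", "blocked"}} for one sender.

    A recipient counts as having clicked only if the proxy saw that user request
    a URL on one of the message's link hosts at or after the delivery time.
    """
    recipients = {}
    link_hosts = set()
    for row in load_csv(mail_trace_text):
        if row["sender"].lower() != sender.lower():
            continue
        rcpt = row["recipient"].lower()
        recipients.setdefault(rcpt, {
            "delivered_at": parse_time(row["time"]),
            "clicked_at": None,
            "blocked": False,
        })
        link_hosts.add(urlparse(row["url"]).hostname)

    # Walk proxy events in time order so the first qualifying request wins.
    for row in sorted(load_csv(proxy_log_text), key=lambda r: r["time"]):
        info = recipients.get(row["user"].lower())
        if info is None or info["clicked_at"] is not None:
            continue
        if urlparse(row["url"]).hostname not in link_hosts:
            continue
        seen_at = parse_time(row["time"])
        if seen_at < info["delivered_at"]:
            continue  # traffic before delivery cannot be a click on this message
        info["clicked_at"] = seen_at
        info["blocked"] = row["action"] == "block"
    return recipients


def report(exposure):
    """Render one line per recipient for a responder's notification list."""
    lines = []
    for rcpt, info in sorted(exposure.items()):
        if info["clicked_at"] is None:
            status = "received, no click observed"
        elif info["blocked"]:
            status = "clicked at %s (blocked by proxy)" % info["clicked_at"].isoformat()
        else:
            status = "clicked at %s (ALLOWED: follow up)" % info["clicked_at"].isoformat()
        lines.append("%s: %s" % (rcpt, status))
    return lines


if __name__ == "__main__":
    for line in report(phishing_exposure("alerts@paypa1-secure.example", MAIL_TRACE, PROXY_LOG)):
        print(line)
```

Run against the constructed logs, the report lists three recipients: alice received the message but her earlier visit to the host is not counted, bob's allowed click is flagged for follow-up, and carol's click is recorded as blocked. The same join works with real mail-trace and proxy exports once the column names are adjusted.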
no title, 4 years ago

We used Wombat and also had in-person training with the whole company, where all we talked about was phishing and how you get tricked. And then they all had to take the online training as well. When we sent out the phishing emails after that, 50% of the company clicked on them. We were like, “What is going on here?”

no title, 4 years ago

C-level executives are supposed to take the awareness training every year, and of course, they never do it. Then we send them the fake phishing emails and they always fall for it. The company is accountable, and you should be personally accountable if you're the one that clicked on it after you've done all this training. And you should be accountable for what happened to the business.
