How often do you do phishing campaigns?

Security & GRC
6.8k viewscircle icon7 Upvotescircle icon20 Comments
Sort by:
CISO in Telecommunication2 years ago

We do it 10 times a year, not on fixed schedule, which means we can do it twice a month or none in a month. We want to make it unpredictable.

VP of IT in Services (non-Government)2 years ago

Quarterly but they are staggered and run more frequently for anyone who may need additional training

CISO in Healthcare and Biotech2 years ago

Quarterly phishing campaigns targeted at different business divisions are crucial to an organization's cybersecurity strategy. They educate employees about cyber threats and enhance their ability to identify and manage phishing risks via realistic simulations. Given the role of human error in successful phishing attacks, these proactive campaigns go beyond infrastructure safeguards to mitigate vulnerabilities. They offer tailored training to employees based on their roles and potential threats. I like to increase my company's "Cyber-Paranoia" Level. :-)

CIO2 years ago

Monthly - All users

Lightbulb on1
Senior Director Engineering in Travel and Hospitality2 years ago

Depends on the risk score we get from external agencies

1 Reply
no title2 years ago

Interesting tangent Arun, thanks. but could  you please elaborate? Most of the external scoring would focus on infra layer and thus maybe externally exposed lookalike domains, smtp/relay configurations. Other than those typr of angles, are you using any service to risk score people?

Content you might like

How are you currently managing SIEM costs? Have you found effective ways to actually reduce storage costs for your SIEM?

What is your preference when choosing a DDoS mitigation service?

Always-on service32%

On-demand service – traffic is scrubbed only when an attack is detected and mitigated66%

One time use – service is activated upon request1%

View Results

Do you agree that all VPNs should come with a kill switch?

Strongly Agree16%

Agree61%

Neither agree nor disagree17%

Disagree4%

Strongly Disagree

View Results

Our organization is subject to data retention requirements over very long periods (50 years or more). Do your organizations face similar constraints? If so, what long-term retention strategy have you implemented for these regulated data, and what technologies or solutions do you use to ensure their durability and compliance?

CISO here at a large enterprise—between NIS2, DORA, the Cyber Resilience Act, and growing internal pressure around shadow AI and ransomware response, it feels like we’re constantly balancing compliance overhead with real operational risk. What’s the one thing you’re losing the most sleep over in 2025?