Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, Self-employed
It's ongoing all the time, but people get categorized. Meaning everyone gets at least one a month, but not on the same day and time as last month. Those who didn't do well get tested again, and after the third oops it's lunch-and-learn time. That is one framework that allows you to progressively help people to see more advanced attacks. Too many companies test the same scenario each time, e.g. FedEx, UPS.
Senior VP & CISO, 1,001 - 5,000 employees
Monthly - entire workforce
Senior VP & CISO, 1,001 - 5,000 employees
We also do targeted training.
CISO in Insurance (except health), 5,001 - 10,000 employees
Monthly for all employees, and then supplemental for those who have engaged with phishing test emails. Further, specific high-risk roles in the organization are tested with ad hoc relevant testing, based on the role.
Chief Evangelist | Former Gartner Analyst | Former CISO in IT Services, 11 - 50 employees
There is a difference between phishing simulation and awareness campaigns around new phishing campaigns and techniques. I'm assuming the question is about phishing simulations. I would recommend starting with an understanding of any customer, regulatory or cyberinsurance mandates on the frequency of these tests. Unfortunately, requirements around phishing simulation have become so pervasive that the frequency might be dictated to you, rather than being able to assess the value to your organization and to your business case for better protection.
Principal Consultant in IT Services, Self-employed
Monthly.
Director of Cybersecurity Data and App Protection in Healthcare and Biotech, 10,001+ employees
Monthly tests for all. Periodically target more high-value groups with more challenging tests.
CISO in Software, 10,001+ employees
They should always be conducted annually. However, it is best to not target all orgs, LoBs, etc. at the same time. It should be conducted and spread throughout the year.
, Self-employed
Quarterly - entire workforce
Senior VP & CISO, 1,001 - 5,000 employees
Entire workforce monthly
I do agree with you Raphael.
On a weekly basis, we do phishing campaigns. A very large group of employees will receive an appealing email from:
- HR Department
- An SVP
- A well-recognized vendor (Microsoft, for example)
- A delivery company
Then, it either contains a link or a file to be opened. The employee has to click on a 'fish icon' in Outlook to submit the email to the security team.
If the email was 'fake', you will receive congratulations. If the email was really suspicious, it will get inspected and the result is sent back to the employee (the email has been destroyed, or no, it is legitimate).
If the email was 'fake' and the employee read it but hasn't clicked on the fish icon, it counts as bad usage of emails. Monthly, managers get reports with stats.
End of story: too many fake emails are received from the organization. Employees either get lazy about this and no longer follow the guidelines, or they declare too many emails as potential risks because sometimes it's very hard to tell.
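Worked example, added here and not code from any of the participants above or from any product they use: a small Python scorer that applies the process the last comment describes (report button, "read but not reported" counted as a failure, monthly manager stats) together with the escalation and rotation rules from the first answer (third failure triggers a lunch-and-learn; next month's send day never matches last month's). The event schema, employee and manager names, campaign ids and the three-failure threshold are constructed assumptions for the illustration.

```python
import random
from collections import defaultdict
from dataclasses import dataclass

# Escalation rule from the first answer above: after the third failure the
# employee is scheduled for a lunch-and-learn session. Threshold assumed = 3.
ESCALATE_AFTER = 3
# Outcomes that count as a failure: clicking, or reading the simulated email
# without reporting it (the "bad usage" case from the last comment).
FAILURES = {"clicked", "read_not_reported"}


@dataclass(frozen=True)
class SimEvent:
    """One simulated phishing email delivered to one employee (constructed schema)."""
    employee: str
    manager: str
    campaign: str     # constructed campaign id, e.g. "c1"
    opened: bool      # the employee read the email
    clicked: bool     # followed the link or opened the attachment
    reported: bool    # used the report button ("fish icon") in the mail client


def classify(ev: SimEvent) -> str:
    """Map one delivery to an outcome: clicked, reported, read_not_reported, ignored."""
    if ev.clicked:
        return "clicked"            # fell for it, even if they reported afterwards
    if ev.reported:
        return "reported"           # the desired behaviour
    if ev.opened:
        return "read_not_reported"  # read it, did nothing: counts as a failure
    return "ignored"                # never opened: neutral, not a failure


def score(events):
    """Tally outcomes per employee, compute per-manager rates for the monthly
    report, and list who has reached the escalation threshold."""
    employees = defaultdict(lambda: {"sent": 0, "reported": 0, "clicked": 0,
                                     "read_not_reported": 0, "ignored": 0,
                                     "failures": 0})
    managers = defaultdict(lambda: {"sent": 0, "reported": 0, "clicked": 0})
    for ev in events:
        outcome = classify(ev)
        rec = employees[ev.employee]
        rec["sent"] += 1
        rec[outcome] += 1
        if outcome in FAILURES:
            rec["failures"] += 1
        mgr = managers[ev.manager]
        mgr["sent"] += 1
        if outcome in ("reported", "clicked"):
            mgr[outcome] += 1
    for mgr in managers.values():
        mgr["report_rate"] = mgr["reported"] / mgr["sent"]
        mgr["click_rate"] = mgr["clicked"] / mgr["sent"]
    to_training = sorted(name for name, rec in employees.items()
                         if rec["failures"] >= ESCALATE_AFTER)
    return {"employees": dict(employees), "managers": dict(managers),
            "to_training": to_training}


def pick_send_day(last_day: int, days_in_month: int, seed: int) -> int:
    """Choose this month's send day so it never equals last month's (the
    rotation the first answer describes). The seed makes the example
    reproducible; a real scheduler would draw the day fresh each month."""
    rng = random.Random(seed)
    return rng.choice([d for d in range(1, days_in_month + 1) if d != last_day])


# Constructed sample data: three employees, two managers, three campaigns.
SAMPLE_EVENTS = [
    SimEvent("alice", "mgr-ops", "c1", opened=True, clicked=False, reported=True),
    SimEvent("alice", "mgr-ops", "c2", opened=True, clicked=False, reported=True),
    SimEvent("alice", "mgr-ops", "c3", opened=False, clicked=False, reported=False),
    SimEvent("bob", "mgr-ops", "c1", opened=True, clicked=True, reported=False),
    SimEvent("bob", "mgr-ops", "c2", opened=True, clicked=False, reported=False),
    SimEvent("bob", "mgr-ops", "c3", opened=True, clicked=True, reported=True),
    SimEvent("carol", "mgr-fin", "c1", opened=True, clicked=True, reported=False),
    SimEvent("carol", "mgr-fin", "c2", opened=True, clicked=False, reported=True),
]

if __name__ == "__main__":
    result = score(SAMPLE_EVENTS)
    for name, stats in result["managers"].items():
        print(f"{name}: report rate {stats['report_rate']:.0%}, "
              f"click rate {stats['click_rate']:.0%}")
    print("escalate to training:", result["to_training"])
    print("next send day:", pick_send_day(last_day=14, days_in_month=30, seed=1))
```

On the sample data, bob reaches three failures (two clicks and one read-but-not-reported) and is the only name on the training list, while each manager's report and click rates come out of the same pass. Keeping "ignored" out of the failure set is deliberate: an employee who never opened the message has shown neither good nor bad behaviour, so counting it either way would skew the rates the managers see.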