Most organisation have either regulatory / industry requirement to do penetration testing on annual basis or when significant change happen to their environment. Whilst this is consider a good practise, the coverage of the test usual include the technology infrastructure both externally and internally. The question remaining how many organisation test their own people?
In today world of beefy technological security solutions, penetrating the external perimeter (for traditional model) is very hard comparing to the previous years. This also apply the same to the cloud services. As the results, the attackers, have focused their attacks on people, who as you may know present the weakest link in the security chain such attacks including spear phishing etc.
Business understand this but regardless they have not invest in protecting people with security controls such as security awareness training , and targeted security training per job role e.g. CEO specific training, Bank Teller specific trainings. Failure to do so open doors for attackers.
So next time you do penetration test, ensure you include the people testing, and this can be social engineering test by specialised organisations. while these tests can be done once a year, the organisations are encourage to have internal tests done at least quarterly to keep human at very defensive mindset to understand that security attacks can happen anytime and they are the one targeted the most.