Quarterly interactive testing is the only thing I have seen work. A common method is using Proofpoint + Fake realistic looking sites and emails. Get stats on how many click the links and how many put in corporate credentials. Proofpoint can do this or a company could make their own tracking stats.
Without embarrassing or punishing them, ensure the ones that put in credentials get trained. The credentials should automatically sign them up for interactive mandatory online courses so they are not being embarrassed in a classroom. Reward the teams that don't get phished. Reward the managers, sr. managers, directors and sr. directors whose teams and orgs do not get phished. The higher the level of management organization that is free of phishing victims, the higher the rewards. Incentivize the leadership to discourage warning others in company chat that a phishing test campaign is in progress. I'm sure the director of incident management at my last place is reading this. It's up to them if they want to share high level stats. I would not be allowed to disclose details but I do know this methodology absolutely works, at least in a place that has integrity and employee trust.
This of course only works for employees of a company because they have signed legal agreements that would permit the company to phish their own employees and have their own corporate attorneys that reviewed this process. Any other scenario should have a small army of lawyers review the plan.
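The roll-up described above (auto-enroll whoever entered credentials, then find the highest level of management whose whole org stayed clean) is easy to get subtly wrong when teams nest several levels deep. Here is an added example in Go that is not the commenter's code and not Proofpoint's; it assumes a constructed org chart and a constructed campaign export, and it treats "phished" as having entered credentials (a click alone is counted but not penalized), which is an assumption, not something the comment states.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee maps a login to its direct manager; an empty Manager is the top of the tree.
type Employee struct{ Login, Manager string }

// Result is one row of a campaign export: did the user click, and did they submit credentials?
type Result struct {
	Login                 string
	Clicked, EnteredCreds bool
}

// OrgStats is the roll-up for one manager's entire organization (all transitive reports).
type OrgStats struct{ Headcount, Clicks, CredentialEntries int }

type Report struct {
	Enroll    []string             // submitted credentials: auto-enroll in the online course
	OrgTotals map[string]*OrgStats // manager login -> stats for their entire org
	CleanOrgs []string             // managers whose org had zero credential entries, highest level first
}

// Constructed sample org chart and campaign results (not from any real campaign).
var SampleStaff = []Employee{
	{"ceo", ""}, {"dir_eng", "ceo"}, {"dir_sales", "ceo"},
	{"mgr_platform", "dir_eng"}, {"mgr_web", "dir_eng"}, {"mgr_ae", "dir_sales"},
	{"alice", "mgr_platform"}, {"bob", "mgr_platform"}, {"carol", "mgr_web"},
	{"dave", "mgr_ae"}, {"erin", "mgr_ae"},
}

var SampleResults = []Result{
	{"alice", true, false}, // clicked, stopped at the fake login page
	{"bob", false, false},
	{"carol", true, true}, // clicked and typed corporate credentials
	{"dave", false, false},
	{"erin", true, false},
}

// Analyze rolls results up the management chain. "Phished" means credentials were
// entered; a click alone is counted but does not cost an org its reward.
func Analyze(staff []Employee, results []Result) Report {
	manager := make(map[string]string, len(staff))
	for _, e := range staff {
		manager[e.Login] = e.Manager
	}
	// chain lists every manager above login, nearest first; seen guards against cycles in bad data.
	chain := func(login string) []string {
		var out []string
		seen := map[string]bool{login: true}
		for m := manager[login]; m != "" && !seen[m]; m = manager[m] {
			seen[m] = true
			out = append(out, m)
		}
		return out
	}
	rep := Report{OrgTotals: map[string]*OrgStats{}}
	for _, e := range staff {
		for _, m := range chain(e.Login) {
			if rep.OrgTotals[m] == nil {
				rep.OrgTotals[m] = &OrgStats{}
			}
			rep.OrgTotals[m].Headcount++
		}
	}
	for _, r := range results {
		if r.EnteredCreds {
			rep.Enroll = append(rep.Enroll, r.Login)
		}
		for _, m := range chain(r.Login) { // every manager above r.Login is already in OrgTotals
			if r.Clicked {
				rep.OrgTotals[m].Clicks++
			}
			if r.EnteredCreds {
				rep.OrgTotals[m].CredentialEntries++
			}
		}
	}
	for m, s := range rep.OrgTotals {
		if s.CredentialEntries == 0 {
			rep.CleanOrgs = append(rep.CleanOrgs, m)
		}
	}
	// Highest level of management first (shortest chain to the top), then by name for stable output.
	sort.Slice(rep.CleanOrgs, func(i, j int) bool {
		if da, db := len(chain(rep.CleanOrgs[i])), len(chain(rep.CleanOrgs[j])); da != db {
			return da < db
		}
		return rep.CleanOrgs[i] < rep.CleanOrgs[j]
	})
	return rep
}

func main() {
	rep := Analyze(SampleStaff, SampleResults)
	fmt.Println("auto-enroll in training:", rep.Enroll)
	fmt.Println("phish-free orgs, highest level first:", rep.CleanOrgs)
}
```

With the sample data, carol is the only auto-enrollment, and the director of sales is the highest-level manager whose entire org stayed clean; both engineering managers' orgs roll up into dir_eng, which loses its reward because of a single credential entry two levels down. The per-org Headcount is there so the stats can be reported as rates rather than raw counts.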
I'm not sure if it's configuration-dependent, but the emails should be realistic and reflect the tools/services your org uses. Sending them Zoom-branded emails, for example, while the org has never used Zoom is pretty pointless. The ones I've experienced unfortunately can be spotted from a mile away due to how low-effort they were (something an actual targeted attack will never do - a targeted attack email would look perfect with the exception of the factors they can't fake such as the "From" address).
> Without embarrassing or punishing them
At the end of the day, the objective is that they don't engage with suspicious e-mails - whether they do that out of concern for security or out of fear of embarrassment/losing their paycheck is irrelevant.
You want people to be afraid to fall for an attack. The fear should be about negative consequences to the organization and the general unpleasantness that comes out of it, but fear of embarrassment works too.
I’m partial to KnowBe4 for phishing training/stats/campaign suggestions, and secure authenticator onboarding (MFA) made mandatory for frequent failing users. That’ll mitigate credential loss, with EDR mitigating malware from clickers. Education and behavioral improvements primary with technical controls closing gaps.
For customer IAM, passkeys. Both hosted and open source idps support them.
You'll definitely encounter people talking about phishing your own users and enrolling people in automatic training. I used to love this approach, but after years of trying it I am actually against it. More often, it serves to embarrass and annoy your users, and it teaches them to be overly paranoid. If you are a bank or something and your people are holding the keys to funds, then maybe that is good. But for everybody else, the cost/benefit analysis comes with a lot of cost (in the form of trust and morale) for that benefit.
The best way IMHO is to make a damn fun security awareness training. The best training I've done was basically running an "attack" against somebody and going through the whole process like an attacker would, but with the group as passengers and with explanations as I go. Seeing under the hood can be a lot of fun, and can be very enlightening.
Centralized management of those is near-non-existent though.
I'd recommend Yubikeys (or actual smartcards even, if hardware constraints allow) used in PIV mode with a client certificate authing to an internal SAML/OIDC provider which seamlessly bridges to third-party apps.
This is immune to phishing because there's literally nothing to phish, beyond maybe the PIN but it's pretty pointless as it would still require the Yubikey/smartcard to be of any use. When done well, it's also a great UX because nobody ever sees an actual login screen. Unlocked smartcard present = you are logged in everywhere.
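The part of this design that does the bridging is the internal IdP deciding, from the card's certificate alone, who just authenticated. As an added example (not the commenter's code and not any IdP product's), here is that server-side check in Go using only the standard library. It assumes the TLS layer has already completed mutual authentication (so possession of the card's private key is proven), that the principal is carried in the certificate's rfc822Name SAN, and that the internal CA, the second "rogue" CA and every certificate are constructed in-process for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue makes a fresh P-256 key and a certificate for tmpl signed by parent (nil parent = self-signed).
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// check panics on error; acceptable here because this only builds demo fixtures.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// caTemplate describes an issuing CA with certificate-signing key usage.
func caTemplate(serial int64, name string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate describes a PIV-style auth certificate: principal in the rfc822Name SAN, one permitted EKU.
func leafTemplate(serial int64, email string, now time.Time, eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		EmailAddresses: []string{email},
		NotBefore:      now.Add(-time.Hour),
		NotAfter:       now.Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{eku},
	}
}

type Demo struct {
	Roots                    *x509.CertPool
	Valid, RogueCA, WrongEKU *x509.Certificate
}

// BuildDemo constructs the internal CA, an unrelated CA, and three leaf certificates.
func BuildDemo() *Demo {
	now := time.Now()
	ca, caKey := mustIssue(caTemplate(1, "Example Corp PIV CA (constructed)", now), nil, nil)
	rogue, rogueKey := mustIssue(caTemplate(2, "Someone Else's CA (constructed)", now), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	d := &Demo{Roots: roots}
	d.Valid, _ = mustIssue(leafTemplate(10, "alice@example.com", now, x509.ExtKeyUsageClientAuth), ca, caKey)
	d.RogueCA, _ = mustIssue(leafTemplate(11, "mallory@example.com", now, x509.ExtKeyUsageClientAuth), rogue, rogueKey)
	d.WrongEKU, _ = mustIssue(leafTemplate(12, "bob@example.com", now, x509.ExtKeyUsageServerAuth), ca, caKey)
	return d
}

// PrincipalFromCert is the IdP-side check once TLS has proven possession of the card's key:
// chain to the internal CA, require the client-auth EKU, and map to exactly one principal.
func PrincipalFromCert(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	if n := len(cert.EmailAddresses); n != 1 {
		return "", fmt.Errorf("certificate binds %d principals, want exactly 1", n)
	}
	return cert.EmailAddresses[0], nil
}

func main() {
	d := BuildDemo()
	for name, c := range map[string]*x509.Certificate{"valid": d.Valid, "rogue CA": d.RogueCA, "wrong EKU": d.WrongEKU} {
		p, err := PrincipalFromCert(c, d.Roots)
		fmt.Printf("%-10s principal=%q err=%v\n", name, p, err)
	}
}
```

The two rejections are the ones that matter for "nothing to phish": a certificate from any CA other than the internal one is refused regardless of what it claims, and a certificate issued by the right CA but not marked for client authentication (say, a server or signing cert that leaked) cannot be repurposed to log someone in. The principal the function returns is what the SAML/OIDC assertion would carry downstream; nothing a user could type into a fake login page plays any part in it.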
There have been some interesting social engineering cases where AI generated coworkers (executives) are used in Zoom calls to approve the transfer of funds.
We'd have to extend this with the concept of a multi-sig wallet to unlock processes or transactions.
I meant for developers or business owners who are developing a web application. If there is any way for them to enable extra security for their application.