Corporate practices are the primary form of cybersecurity training. I have seen too many corporations (including critical infrastructure corps) that force employees to log in to foreign domains with corporate credentials. This includes email services, two-factor authentication, team chat, LMS, dashboards, surveys, web meetings, code forges, ticket tracking, VPN, etc.
Corporations outsource almost every single tool used by their employees and train them to cough up their corporate credentials no matter what URL the browser identifies. In essence, they phish their employees 100 times a day. Then they force employees to sit through training twice a year to identify phishing attacks. Every legitimate training will create cognitive dissonance with employees' everyday work experiences.