Educating users is fine; but not enough.
Having a good DNS server saves you a lot of grief (regarding phishing and malware) and advertisements consumption. However, while I am a big fan of having total control over your setup and using pi-hole, dealing with hardware and keeping the software updated is undoubtedly not for everyone.
Two excellent services with very little overhead pop to my mind and are easy to use. NextDNS and OpenDNS.
Built-in protection for malicious phishing and malware domains is very likely to work when your common sense fails.
Adblocker cleans up your web browsing and adware apps on your mobile devices.
Parental controls blocks porn, piracy sites, mature content in search engines results and social media sites.
All this with a beautiful dashboard where you can monitor all accesses and configure your household/company rules.
Prices range from FREE to €1.99 a month (€19.90 a year if paid annually) for individuals and families. Business and education customers have a €19.90 a month fee (€199 a year if paid annually).
Protection for malicious phishing and malware domains is from the owners of PhishTank.org (check it out, seriously, it is a terrific resource) is something everyone should have.
The FREE service block of adult content is also available; the dashboard is exclusive to the “Home VIP package” (€19,95 paid annually). There is also an “Umbrella PROsumer package” for €20 per user (annually) designed to protect devices on the go, with 1 to 5 users and three devices per user.
Enterprise licenses are available, but prices take an obscure form of magic to determine. Being a Cisco company, you probably know what to expect. However, if you are into Cisco products and many in the IT crowd love them, there is the option.
If these two were my only options, I would go with NextDNS for individuals, households, and enterprises. No hesitation or doubt in my mind.
If the skillset required is available, I would go with pi-hole installations in domestic and enterprise environments. The pi-hole setup allows you to ensure privacy over your internal DNS queries; you can use either or both of these services as forwarding servers and add your very own magic lists and DNS overriding on top.
Remember you can run pi-hole on big and robust boxes! You can read more about it here.
It is my firm belief that every enterprise should deploy DNS-level protection and control on their networks. Spending a fortune on training employees to deal with phishing is wise; not blocking access to know phishing sites (as they pop up) as close to real-time as possible is dumb.
It cost €199 a year (or whatever Cisco charges if you want them to provide the service).
So, what is the price tag if things go south really quickly with a phishing attack?
Will you have a job the day after?