One of the things we do at Dragonfly that I recommend to all teams that manage crypto custody/multisigs: Randomized fault injection!

Basically, once every {N} days, somebody involved in our custody setup becomes the designated hacker. Their job is to get a "malicious" transaction past our custody processes (sending the money to a safe address we control). They are allowed to do anything to accomplish this. Lie, cheat, fabricate documents, impersonate other people.

If they successfully get the assets past our custody process into the safe address, they get $500. If they are successfully defended against, the defenders split the money.

Fear of being embarrassed by their peers has probably leveled up our team's situational awareness more than anything else we've done. Sharing this tip for others!