Tag

Cybersecurity Culture

Articles on building and sustaining a cybersecurity culture where secure behavior becomes second nature across every level of an organization. Topics include leadership engagement, employee mindset shifts, and integrating security values into daily operations.


Cybersecurity Awareness Month

Cybersecurity Awareness Month: What Actually Works

October Comes and Goes — Breaches Don't

Every October, organizations dust off the same tired PowerPoint decks, send a few reminder emails about password hygiene, and pat themselves on the back for "participating" in Cybersecurity Awareness Month. Then November arrives, an employee clicks a credential-harvesting link, and

Carl B. Johnson May 07, 2026 5 min read
Cybersecurity Culture

Building a Cybersecurity Culture That Actually Works

A Poster on the Breakroom Wall Never Stopped a Breach

In 2023, MGM Resorts lost an estimated $100 million after a threat actor called the help desk, impersonated an employee found on LinkedIn, and talked their way into the network. No zero-day exploit. No nation-state malware. Just a phone call.

Carl B. Johnson Apr 30, 2026 5 min read
Employee Cybersecurity Training

Employee Cybersecurity Training: What Actually Works

In May 2024, a single employee at a major healthcare provider clicked a phishing link disguised as a routine benefits update. Within 72 hours, the organization lost access to 14 million patient records and ended up paying a multimillion-dollar ransom. The employee had technically "passed" their annual compliance

Carl B. Johnson Aug 17, 2025 8 min read
Cybersecurity Culture

Cybersecurity Culture in the Workplace: A Practical Guide

The Breach That Started With a Single Slack Message

In September 2022, a threat actor convinced an Uber contractor to approve a multi-factor authentication push notification. That single moment of human failure gave the attacker access to Uber's internal systems, including their Slack workspace, vulnerability reports, and financial

Carl B. Johnson Mar 29, 2025 8 min read
Cybersecurity Culture

Building a Cybersecurity Culture That Actually Works

In 2023, MGM Resorts lost an estimated $100 million after a threat actor called Scattered Spider social-engineered their way past the help desk with a single phone call. The attacker didn't exploit a zero-day vulnerability. They didn't write custom malware. They called an employee, pretended to

Carl B. Johnson Mar 29, 2025 7 min read
Employee Cybersecurity Training

Employee Cybersecurity Training: What Actually Works

In January 2024, a finance employee at a multinational firm in Hong Kong transferred $25 million to threat actors after a deepfake video call convinced him his CFO had authorized the payment. No malware. No zero-day exploit. Just a well-trained employee who wasn't trained well enough. That incident

Carl B. Johnson Mar 24, 2024 7 min read
Cybersecurity Culture

Cybersecurity Culture in the Workplace: A Practical Guide

A Single Employee Click Cost MGM Resorts $100 Million

In September 2023, MGM Resorts International disclosed a devastating cyberattack that disrupted hotel operations, slot machines, and reservation systems across Las Vegas. The attack vector? A social engineering phone call. A threat actor impersonated an employee, called the IT help desk,

Carl B. Johnson Sep 16, 2023 8 min read
Cybersecurity Culture

Building a Cybersecurity Culture That Actually Works

In January 2023, T-Mobile disclosed that a threat actor had stolen data on roughly 37 million customer accounts by exploiting a single API vulnerability. But here's what most people missed in the headlines — the breach went undetected for over a month. That's not just a technology

Carl B. Johnson Sep 16, 2023 7 min read
Cybersecurity Awareness Month

Cybersecurity Awareness Month: What Actually Works

Last October, while organizations across the country were hanging "Think Before You Click" posters in their break rooms, the FBI's Internet Crime Complaint Center was logging over 847,000 complaints representing nearly $7 billion in losses for 2021. That's roughly a 7% increase in

Carl B. Johnson Mar 21, 2022 7 min read
Cybersecurity Culture

Cybersecurity Culture in the Workplace: A Practical Guide

The Breach That Started with a Single Employee

In May 2021, a single compromised password shut down Colonial Pipeline and triggered fuel shortages across the Eastern United States. The credential was tied to a legacy VPN account that lacked multi-factor authentication. One employee. One password. $4.4 million in ransom

Carl B. Johnson Dec 18, 2021 7 min read