Covers cybersecurity training programs, techniques, and best practices designed to equip employees and individuals with the skills to recognize and respond to cyber threats. Topics include security awareness curricula, simulation exercises, and measuring training effectiveness.
posts
The Breach That Started With a Single Click In 2023, MGM Resorts lost an estimated $100 million after a threat actor called Scattered Spider social-engineered an IT help desk employee with a phone call that lasted about ten minutes. The attacker didn't exploit a zero-day vulnerability. They didn&
In September 2022, a teenager allegedly convinced an Uber employee to hand over access credentials through a simple text message. No zero-day exploit. No sophisticated malware. Just a convincing story and a target who didn't verify the request. That single social engineering attack gave the threat actor access
The Phone Call That Cost MGM Resorts $100 Million In September 2023, a threat actor called MGM Resorts' IT help desk, impersonated an employee they found on LinkedIn, and convinced the technician to reset credentials. That single phone call triggered a ransomware attack that disrupted operations across Las Vegas
The Click That Cost One Company $47 Million In 2023, MGM Resorts was brought to its knees — not by a sophisticated zero-day exploit, but by a social engineering phone call that led to credential theft and a devastating ransomware attack. The estimated cost exceeded $100 million. The attack vector? A
Last year, a hospital administrator told me she ignored an alert about a credential stuffing attack because she didn't know what that phrase meant. Three days later, her organization was dealing with a ransomware incident that shut down patient scheduling for two weeks. The jargon gap in cybersecurity
93% of Breaches Start With a Person, Not a Firewall In 2023, Verizon's Data Breach Investigations Report confirmed what security professionals have been screaming about for years: the human element was involved in 74% of all breaches. By 2024, that figure remained stubbornly high. A cybersecurity awareness quiz
During the 2020 SolarWinds breach investigation, I watched a boardroom full of executives stare blankly when an incident responder mentioned "lateral movement" and "supply chain compromise." They had no idea what was happening to their own network — not because they were negligent, but because nobody had
In May 2021, Colonial Pipeline paid a $4.4 million ransom after a single compromised password shut down fuel delivery across the U.S. East Coast. The post-incident reporting was filled with jargon — ransomware, threat actor, credential theft, attack vector — that left most non-technical readers glazing over. Here's
In March 2021, Avast researchers disclosed that at least 28 browser extensions — used by roughly three million people — were quietly harvesting browsing data and redirecting users to phishing and ad-laden sites. Some of those extensions looked like simple ad-blocking tools. Others posed as social media helpers. Under the hood, they
In March 2021, security researchers discovered that Accellion's file transfer appliance had been exploited through — you guessed it — an SQL injection vulnerability. The Clop ransomware gang leveraged the flaw to steal data from dozens of organizations, including Shell, Bombardier, and multiple U.S. universities. This wasn't
