Tag

Cybersecurity Training

Covers cybersecurity training programs, techniques, and best practices designed to equip employees and individuals with the skills to recognize and respond to cyber threats. Topics include security awareness curricula, simulation exercises, and measuring training effectiveness.

Shadow IT Risks

Shadow IT Risks: The Hidden Threat Draining Your Budget

One Unapproved App Cost a Hospital Network $3 Million

In 2023, a regional hospital system discovered that a department had been using an unapproved file-sharing tool to exchange patient records for over a year. The tool had no encryption, no access controls, and no audit trail. When an attacker exploited

Carl B. Johnson Sep 10, 2019 8 min read

Cybersecurity Glossary

Cybersecurity Glossary for Beginners: 40 Terms to Know

When the Colonial Pipeline attack shut down fuel distribution across the U.S. East Coast in 2021, news anchors fumbled through terms like "ransomware," "threat actor," and "zero trust" as if reading a foreign language. Millions of viewers had no idea what any of

Carl B. Johnson Jul 20, 2019 7 min read

Cybersecurity Terms Explained

Cybersecurity Terms Explained: A Practical Guide

During a breach investigation last year, I watched a CFO stare blankly at an incident responder who kept saying "the threat actor used credential stuffing to pivot laterally after compromising an MFA-gapped endpoint." The CFO's response: "Can someone please speak English?" That moment cost

Carl B. Johnson Jul 20, 2019 7 min read

Adware vs Spyware

Adware vs Spyware: What Security Teams Must Know

In 2023, a barcode scanner app on the Google Play Store — used by over 10 million people — pushed a malicious update that turned a legitimate tool into an aggressive adware delivery mechanism overnight. Users were flooded with pop-ups and redirected to shady websites. Within weeks, researchers discovered the same app

Carl B. Johnson Jul 14, 2019 7 min read

Keylogger Attack

Keylogger Attack: How Hackers Steal Every Keystroke

In 2023, the FBI dismantled a cybercrime ring that used a commercial keylogger called Snake Keylogger to steal credentials from over 10,000 victims across 50 countries. The malware recorded every keystroke — banking passwords, email logins, private messages — and quietly exfiltrated the data to attacker-controlled servers. The victims had no

Carl B. Johnson Jul 14, 2019 6 min read

Phish Setlist

Phish Setlist for Security: Building Your Attack Playlist

Your Organization Needs a Phish Setlist — Not Just One Test

In 2023, the FBI's IC3 received over 298,000 phishing complaints — making it the most reported cybercrime category for the fifth consecutive year. Yet most organizations I work with still run the same single phishing simulation once a

Carl B. Johnson Jun 23, 2019 6 min read

Fake Mail

Fake Mail: How to Spot It Before It Costs You

In 2023, the FBI's Internet Crime Complaint Center reported that business email compromise — a sophisticated form of fake mail — caused adjusted losses exceeding $2.9 billion. That single category of email fraud outpaced every other cybercrime type in financial damage. And those are just the cases that got

Carl B. Johnson Jun 12, 2019 7 min read

Phish Food

Phish Food: What Threat Actors Serve Your Employees

Your Inbox Is a Buffet — and Attackers Are Feeding

In March 2024, MGM Resorts was still tallying the damage from a social engineering attack that started with a single phone call to their help desk. The cost? Over $100 million in losses. The attacker didn't exploit a zero-day

Carl B. Johnson Apr 05, 2019 7 min read

Phishing Attacks

What Is a Phishing Attack? A Real-World Guide

In 2023, the FBI's Internet Crime Complaint Center received over 298,000 complaints about phishing — making it the most reported cybercrime for the fifth consecutive year. That number only accounts for what gets reported. The actual volume is staggering. So what is a phishing attack, and why does

Carl B. Johnson Apr 05, 2019 6 min read

What Is Cybersecurity

What Is Cybersecurity? A Practitioner's Real-World Guide

The Question Everyone Asks After the Breach

In 2023, MGM Resorts lost an estimated $100 million after a threat actor called Scattered Spider social-engineered its way past the help desk with a single phone call. The attackers didn't exploit some exotic zero-day vulnerability. They called IT, pretended to

Carl B. Johnson Feb 22, 2019 7 min read