Resources focused on building a security-conscious workforce through training, awareness campaigns, and policy enforcement. Topics include phishing simulations, security onboarding programs, acceptable use policies, and techniques for fostering lasting behavioral change among employees.
posts
The Receptionist Who Stopped a $3 Million Wire Fraud In 2023, a business email compromise attack targeted a mid-size manufacturing company in Ohio. The threat actor had spoofed the CEO's email perfectly. The wire transfer request looked legitimate. But a receptionist — someone with zero technical background — noticed the
In March 2021, a mid-size law firm in Atlanta lost $2.3 million to a single wire fraud attack. The attacker spoofed the managing partner's email, requested an urgent transfer, and a paralegal complied without hesitation. When the firm investigated, they discovered their annual security awareness program consisted
One Click Cost Colonial Pipeline $4.4 Million In May 2021, a single compromised credential shut down the largest fuel pipeline in the United States. Colonial Pipeline paid a $4.4 million ransom to a threat actor group called DarkSide. The entry point wasn't some exotic zero-day exploit.
The Receptionist Who Handed Over the Keys to the Kingdom In 2020, a Twitter employee received a phone call from someone claiming to be from the company's IT department. That single social engineering call — combined with a handful of others — led to the compromise of 130 high-profile accounts,
89% of Employees Think They'd Spot a Phish. The Data Says Otherwise. I ran a phishing simulation for a mid-size law firm last year. Before the test, we surveyed staff — 89% said they were confident they could identify a phishing email. Then we sent three simulated phishes over
Most Security Quizzes Are a Waste of Everyone's Time I recently reviewed the cybersecurity training program at a mid-size financial services firm that had been breached through a credential theft phishing email. They had a training program. They had quizzes. Every employee passed with flying colors — 95% average
The Accountant Who Cost Her Company $2.3 Million She wasn't careless. She wasn't stupid. She was a 15-year veteran of her firm's finance department, and she followed what she thought was a legitimate email from the CEO asking for an urgent wire transfer.
The Threat Already Inside Your Building In 2022, a former employee at Cash App's parent company, Block, downloaded reports containing the personal information of 8.2 million customers — months after leaving the company. Block disclosed the breach in an SEC filing, and lawsuits followed. The attacker didn'
One Employee Stole Data for Profit. The Other Just Clicked the Wrong Link. In 2022, a former employee of a major healthcare organization was sentenced to federal prison for stealing patient records and selling them. That same year, the Verizon Data Breach Investigations Report found that 82% of breaches involved
A 45-Minute Training Video Nobody Watched In 2023, a mid-size healthcare company I consulted for spent $60,000 on a compliance-focused security awareness program. It featured a 45-minute narrated slideshow, a 10-question quiz, and a certificate of completion. Their post-training phishing simulation results? A 31% click rate — virtually unchanged from
