Tag

Employee Security Training

Access guidance on designing and implementing employee security training programs that reduce human risk. Topics include security onboarding, ongoing awareness campaigns, compliance requirements, and measuring training effectiveness across your organization.


Cybersecurity Awareness Month

Cybersecurity Awareness Month: What Actually Works

October Ends. The Phishing Emails Don't. Every October, organizations plaster break rooms with cybersecurity posters, blast out a few reminder emails, and call it a win. Then November rolls around, and the same employees click the same malicious links. I've watched this cycle repeat for over

Carl B. Johnson Feb 28, 2024 7 min read
Cybersecurity Awareness Training

Cybersecurity Awareness Training: Why "Free" Costs More

In January 2024, Microsoft disclosed that the Russian threat actor group Midnight Blizzard had breached corporate email accounts — not through some exotic zero-day exploit, but through a password spray attack on a legacy test account that lacked multi-factor authentication. One of the most well-resourced technology companies on the planet got

Carl B. Johnson Feb 28, 2024 7 min read
Cybersecurity Culture

Cybersecurity Culture in the Workplace: A Practical Guide

A Single Employee Click Cost MGM Resorts $100 Million. In September 2023, MGM Resorts International disclosed a devastating cyberattack that disrupted hotel operations, slot machines, and reservation systems across Las Vegas. The attack vector? A social engineering phone call. A threat actor impersonated an employee, called the IT help desk,

Carl B. Johnson Sep 16, 2023 8 min read
Cybersecurity Culture

Building a Cybersecurity Culture That Actually Works

In January 2023, T-Mobile disclosed that a threat actor had stolen data on roughly 37 million customer accounts by exploiting a single API vulnerability. But here's what most people missed in the headlines — the breach went undetected for over a month. That's not just a technology

Carl B. Johnson Sep 16, 2023 7 min read
Security Awareness Metrics

Security Awareness Metrics That Prove ROI in 2023

When MGM Resorts got hit with a devastating social engineering attack in September 2023, it wasn't a firewall failure. It wasn't a zero-day exploit. A threat actor called the help desk, impersonated an employee, and walked right through the front door. The estimated cost? Over $100

Carl B. Johnson Sep 16, 2023 7 min read
Security Awareness Training

How to Measure Security Awareness Training Effectively

In 2022, Medibank — one of Australia's largest health insurers — suffered a breach that exposed 9.7 million customer records. The root cause? Compromised credentials. A single employee's stolen login led to one of the most damaging data breaches in Australian history. Medibank had security awareness training

Carl B. Johnson Sep 16, 2023 7 min read
Cybersecurity Training ROI

Cybersecurity Training ROI: The Numbers That Matter

A $2.6 Million Invoice Nobody Budgeted For. In March 2023, the city of Oakland, California declared a state of emergency after a ransomware attack crippled city services for weeks. Systems went offline. Sensitive employee data leaked onto the dark web. The estimated recovery cost? Millions. And the initial entry

Carl B. Johnson Jun 09, 2023 7 min read
Cyber Hygiene

Cyber Hygiene Definition: What It Really Means in 2023

In March 2023, the FBI's Internet Crime Complaint Center reported that Americans lost over $10.3 billion to cybercrime in 2022 — a 49% jump from 2021. The vast majority of those losses traced back to failures in basic security practices. Not zero-day exploits. Not nation-state attacks. Basic, preventable

Carl B. Johnson Jun 08, 2023 7 min read