Access guidance on designing and implementing employee security training programs that reduce human risk. Topics include security onboarding, ongoing awareness campaigns, compliance requirements, and measuring training effectiveness across your organization.
posts
The 82% Problem Nobody Wants to Own The 2022 Verizon Data Breach Investigations Report found that 82% of breaches involved a human element — phishing, stolen credentials, misuse, or simple error. That number has barely budged in years. And yet most organizations still treat cybersecurity awareness training as a checkbox exercise:
In March 2022, Lapsus$ — a threat actor group largely composed of teenagers — breached Microsoft, Nvidia, Samsung, and Okta. They didn't use sophisticated zero-day exploits. They used social engineering. They bought credentials. They tricked employees. And they walked through the front door of some of the most well-resourced security
One Click Cost This Company Everything In March 2022, a single employee at Nvidia clicked something they shouldn't have. The Lapsus$ threat actor group walked away with over a terabyte of proprietary data, including employee credentials and source code. Nvidia isn't a small shop with weak
Last October, while organizations across the country were hanging "Think Before You Click" posters in their break rooms, the FBI's Internet Crime Complaint Center was logging over 847,000 complaints representing nearly $7 billion in losses for 2021. That's roughly a 7% increase in
In December 2021, a 35-person accounting firm in Ohio paid a $150,000 ransom after one employee clicked a link in a fake DocuSign email. The firm had no cybersecurity training program. No phishing simulations. No written security policy. The threat actor was inside their network for eleven days before
The Policy Nobody Reads Until It's Too Late In December 2020, a SolarWinds employee reportedly used the password "solarwinds123" on a critical server — a credential so weak it became a punchline at Congressional hearings. But here's the question nobody asked loudly enough: did SolarWinds
The Fine That Changed Everything for One Healthcare Provider In October 2020, the U.S. Department of Health and Human Services fined Premera Blue Cross $6.85 million after a data breach exposed 10.4 million records. The root cause wasn't some exotic zero-day exploit. It was a
The Breach That Started with a Single Employee In May 2021, a single compromised password shut down Colonial Pipeline and triggered fuel shortages across the Eastern United States. The credential was tied to a legacy VPN account that lacked multi-factor authentication. One employee. One password. $4.4 million in ransom
A $4.24 Million Wake-Up Call IBM's 2021 Cost of a Data Breach Report found the average breach now costs $4.24 million — the highest in the report's 17-year history. But here's the number that keeps me up at night: 85% of breaches involved
In 2020, a mid-sized healthcare provider invested $250,000 in a security awareness program. Twelve months later, the CISO couldn't answer one question from the board: "Is it working?" No baseline measurements. No tracking. No defensible data. That CISO is now updating a résumé. I'
