Access guidance on designing and implementing employee security training programs that reduce human risk. Topics include security onboarding, ongoing awareness campaigns, compliance requirements, and measuring training effectiveness across your organization.
posts
In March 2021, a single employee at a water treatment plant in Oldsmar, Florida clicked through a remote access session that could have poisoned a city's water supply. The attacker gained entry through a shared TeamViewer password — no phishing email required. The incident raised a question that boardrooms
A $150 Investment vs. a $4.24 Million Breach In March 2021, CNA Financial — one of the largest insurance companies in the U.S. — paid a reported $40 million ransom after a ransomware attack that started with a single employee interaction. That's not a typo. Forty million dollars
In March 2021, a single employee at a water treatment facility in Oldsmar, Florida clicked through a remote access session that could have poisoned an entire city's water supply. The attacker didn't use a sophisticated zero-day exploit. They used a shared TeamViewer password and the fact
In July 2020, a teenager convinced Twitter employees to hand over internal credentials through a phone-based social engineering attack. The result: hijacked accounts belonging to Barack Obama, Elon Musk, Joe Biden, and Apple — broadcasting a Bitcoin scam to hundreds of millions of followers. The attacker didn't exploit a
In March 2021, a single employee at a water treatment plant in Oldsmar, Florida, watched someone remotely take control of their screen and attempt to increase sodium hydroxide levels to dangerous concentrations. The attacker got in through a shared TeamViewer password. No advanced exploit. No zero-day. Just poor cybersecurity awareness
The Click That Cost One Company $46 Million In 2020, Ubiquiti Networks disclosed a breach that started with a single employee's compromised credentials. Attackers impersonated company executives, manipulated employees through social engineering, and walked away with $46.7 million in fraudulent wire transfers. The technology was fine. The
In 2020, a 10-person accounting firm in Oregon lost $1.2 million after an employee clicked a single phishing link. The attacker impersonated the firm's bank, harvested credentials, and drained operating accounts over a weekend. No malware. No Hollywood hacking. Just one untrained employee and a well-crafted email.
In March 2020, the FBI's Internet Crime Complaint Center received nearly as many cybercrime complaints in a single month as it typically handled in an entire quarter. By the time the 2020 IC3 Annual Report dropped, the numbers were staggering — 791,790 complaints and over $4.2 billion
The Policy Nobody Reads Until It's Too Late In 2023, a single employee at MGM Resorts called the help desk, and a threat actor used social engineering to gain access that led to a $100 million hit on operations. One phone call. No malware exploit. No zero-day vulnerability.
The Audit Finding That Costs More Than the Breach In 2023, a regional healthcare provider in Oklahoma paid a $1.3 million HIPAA settlement to the Office for Civil Rights. The root cause wasn't a sophisticated nation-state attack. It was a phishing email that an untrained employee clicked
