Discover resources and strategies for building effective security awareness training programs. Posts cover curriculum design, engagement techniques, compliance requirements, and methods for measuring training impact to reduce human-related security incidents across organizations.
posts
The Hiring Manager Doesn't Care Where You Studied I've reviewed hundreds of resumes for security analyst and incident response roles over the years. Here's what surprises most people: an online computer security degree carries the same weight as one earned on a physical campus
When Target lost 40 million credit card records in 2013, the attackers didn't breach Target directly. They compromised an HVAC vendor. Over a decade later, the playbook hasn't changed — it's just gotten more devastating. Third party vendor cybersecurity risk is now the single fastest-growing
The FTC Just Fined Another Company Millions — Is Yours Next? I was just reading in 2023 the FTC finalized sweeping updates to its Safeguards Rule, and since then, enforcement has only accelerated. Companies like Chegg, CafePress, and Drizly didn't just face fines — their executives were personally named in
The FTC Doesn't Care About Your Good Intentions In 2023, the FTC finalized an order against Drizly — an online alcohol delivery company — after a data breach exposed the personal information of roughly 2.5 million consumers. The kicker? The FTC didn't just go after the company.
In September 2022, a teenager allegedly convinced an Uber employee to hand over access credentials through a simple text message. No zero-day exploit. No sophisticated malware. Just a convincing story and a target who didn't verify the request. That single social engineering attack gave the threat actor access
A Single Email Cost This Company $100 Million In 2017, a Lithuanian man tricked Google and Facebook employees into wiring over $100 million to bank accounts he controlled. His weapon wasn't malware. It wasn't a zero-day exploit. It was email. He sent invoices that looked like
The Phone Call That Cost MGM Resorts $100 Million In September 2023, a threat actor called MGM Resorts' IT help desk, impersonated an employee they found on LinkedIn, and convinced the technician to reset credentials. That single phone call triggered a ransomware attack that disrupted operations across Las Vegas
In March 2024, a finance director at a mid-size manufacturer in Ohio wired $2.3 million to a threat actor who impersonated the company's CEO — all because of a single phishing email. The message looked perfect: right logo, right tone, right email signature. It even referenced an actual
The Click That Cost One Company $47 Million In 2023, MGM Resorts was brought to its knees — not by a sophisticated zero-day exploit, but by a social engineering phone call that led to credential theft and a devastating ransomware attack. The estimated cost exceeded $100 million. The attack vector? A
The Receptionist Who Stopped a $3 Million Wire Fraud In 2023, a business email compromise attack targeted a mid-size manufacturing company in Ohio. The threat actor had spoofed the CEO's email perfectly. The wire transfer request looked legitimate. But a receptionist — someone with zero technical background — noticed the
