Discover resources and strategies for building effective security awareness training programs. Posts cover curriculum design, engagement techniques, compliance requirements, and methods for measuring training impact to reduce human-related security incidents across organizations.
posts
In 2023, a single reused password gave threat actors access to 23andMe's credential stuffing attack, ultimately exposing the genetic data of 6.9 million users. The attackers didn't exploit a zero-day vulnerability. They didn't deploy sophisticated malware. They simply tried known username-password combinations from
A $1.3 Million Fine for Skipping the Basics In 2023, the FTC settled with Drizly and its CEO after a data breach exposed roughly 2.5 million customer records. The root cause? The company failed to implement basic security measures — including adequate employee security training. The FTC's
The Breach That Started With a Single Password In 2023, MGM Resorts lost an estimated $100 million after a threat actor social-engineered a help desk employee with a ten-minute phone call. The attackers didn't exploit some exotic zero-day vulnerability. They used basic social engineering — information scraped from LinkedIn
A Single Phone Took Down an Entire Pipeline In 2021, a compromised password — likely harvested from a mobile device or reused across platforms — gave threat actors access to Colonial Pipeline's VPN. The result: fuel shortages across the Eastern United States, a $4.4 million ransom payment, and a
In March 2024, a finance employee at a Hong Kong multinational wired $25 million to threat actors after clicking a single link in what appeared to be a routine email from the company's CFO. That link led to a deepfake video call — but it started with something deceptively
When Colonial Pipeline paid $4.4 million in ransom after a single compromised password shut down fuel delivery across the Eastern Seaboard, it wasn't a failure of exotic technology. It was a failure of fundamentals — the exact fundamentals the NIST Cybersecurity Framework was designed to address. I'
The IRS Call That Cost a Hospital $1.5 Million A CFO at a mid-sized hospital picked up the phone. The caller ID showed the IRS main line. The voice on the other end was professional, urgent, and specific — citing the organization's actual EIN and a pending audit.
The Threat Already Inside Your Network In 2023, Tesla disclosed that two former employees had leaked the personal data of more than 75,000 workers to a German news outlet. It wasn't a sophisticated hack. It wasn't a nation-state threat actor. It was people who already
A Castle With No Walls Left to Defend In January 2024, Microsoft disclosed that the Russian threat actor Midnight Blizzard had compromised executive email accounts — not by breaching a firewall, but by password-spraying a legacy test tenant account that lacked multi-factor authentication. The attackers moved laterally for weeks before detection.
A Single Click Cost Change Healthcare $22 Million in Ransom In February 2024, the BlackCat/ALPHV ransomware group crippled Change Healthcare — a company processing roughly one-third of all U.S. health claims. UnitedHealth Group confirmed paying a $22 million ransom. Patient data for over 100 million individuals was compromised. The
