Discover resources and strategies for building effective security awareness training programs. Posts cover curriculum design, engagement techniques, compliance requirements, and methods for measuring training impact to reduce human-related security incidents across organizations.
posts
Your Employees' Passwords Are Already for Sale In March 2024, a single dark web marketplace listed over 10 billion stolen credentials. That's not a typo. The Verizon 2024 Data Breach Investigations Report found that stolen credentials were involved in roughly 31% of all breaches over the past
Your Stolen Password Is Probably Already There In 2024, a single dark web marketplace called BreachForums was seized by the FBI — and then resurrected by its users within two weeks. That tells you everything about the persistence of the underground economy. If you've ever wondered what is the
In May 2024, the FBI and international partners seized BreachForums — one of the largest marketplaces where stolen credentials on the dark web were bought and sold in bulk. The forum had facilitated the sale of billions of compromised records, including credentials tied to U.S. government agencies, healthcare organizations, and
In January 2024, a threat actor used credential stuffing to compromise a test environment at Microsoft — and then pivoted to access senior leadership email accounts for weeks before detection. Microsoft. One of the most well-resourced security organizations on the planet. If it can happen there, it can happen to your
The Breach That Started With a Single Stolen Identity In 2023, a midsize accounting firm in the Midwest lost access to its entire client database — not because of a sophisticated zero-day exploit, but because a threat actor used a partner's stolen credentials purchased on the dark web. The
Microsoft's security team reported that accounts protected by multi-factor authentication block over 99.9% of automated attacks. Yet according to the FBI's Internet Crime Complaint Center (IC3), credential theft and account compromise remain among the top reported cybercrime categories year after year. The gap between what
The Attack That Shut Down 100 Romanian Hospitals In February 2024, a ransomware attack hit over 100 hospitals across Romania, forcing them offline and back to pen-and-paper operations. Patient data was encrypted. Emergency services were disrupted. The attack vector? Malware that slipped through a single vulnerable system and spread laterally
A Single Click Cost One Hospital Chain $100 Million In 2024, Change Healthcare was hit by the ALPHV/BlackCat ransomware group. The attack disrupted insurance claims processing for thousands of healthcare providers across the United States. UnitedHealth Group eventually disclosed costs exceeding $870 million related to the incident. The entry
89% of Employees Think They'd Spot a Phish. The Data Says Otherwise. I ran a phishing simulation for a mid-size law firm last year. Before the test, we surveyed staff — 89% said they were confident they could identify a phishing email. Then we sent three simulated phishes over
Most Security Quizzes Are a Waste of Everyone's Time I recently reviewed the cybersecurity training program at a mid-size financial services firm that had been breached through a credential theft phishing email. They had a training program. They had quizzes. Every employee passed with flying colors — 95% average
