Discover resources and strategies for building effective security awareness training programs. Posts cover curriculum design, engagement techniques, compliance requirements, and methods for measuring training impact to reduce human-related security incidents across organizations.
posts
Last month, a finance director at a mid-sized logistics company received a Gmail message that looked exactly like a Google Workspace security alert. The branding was pixel-perfect. The language was flawless. The sender address passed a casual glance test. She clicked, entered her credentials, and within 90 minutes a threat
Last month, a finance manager at a mid-sized logistics company received what looked like a routine DocuSign envelope — a payment authorization supposedly routed through PayPal. She clicked, entered her PayPal credentials on a pixel-perfect fake login page, and within 90 minutes, the attacker had initiated $38,000 in wire transfers.
In May 2021, a single phishing attack against Colonial Pipeline's legacy VPN account triggered the largest fuel supply disruption in U.S. history. One compromised credential. No multi-factor authentication. Five days of chaos across the Eastern Seaboard. That's what a phishing attack looks like when it
The FBI's Internet Crime Complaint Center reported $4.2 billion in losses from cybercrime in 2020 — and phishing scams were the number one reported attack type, with 241,342 complaints. That's not a typo. Nearly a quarter of a million people filed formal complaints about phishing
In December 2020, the world learned that SolarWinds — a company whose software sat inside thousands of government and corporate networks — had been compromised by a sophisticated nation-state threat actor. The initial intrusion vector? Targeted, carefully crafted communications designed to exploit trust. If you're asking what is spear phishing,
In March 2021, the FBI's Internet Crime Complaint Center reported that business email compromise — often launched using a fake mailer or spoofing tool — cost American organizations over $1.8 billion in 2020 alone. That made it the most financially damaging cybercrime category in the entire IC3 report, dwarfing
In May 2021, a single compromised password shut down Colonial Pipeline — the largest fuel pipeline in the United States. Gasoline shortages spread across the Southeast. The company paid a $4.4 million ransom in Bitcoin. The root cause wasn't some exotic zero-day exploit. It was a legacy VPN
Colonial Pipeline. JBS Foods. SolarWinds. The first half of 2021 has delivered a masterclass in what happens when cyber security fails at scale. Colonial paid $4.4 million in ransom. JBS paid $11 million. And the SolarWinds fallout — which compromised nine federal agencies and over 100 private companies — is still
Colonial Pipeline shut down 5,500 miles of fuel infrastructure last month because of a single compromised password. One password. No multi-factor authentication. That's the state of security for system administrators in 2021 — and it's a wake-up call that keeps echoing across every industry. I'
Colonial Pipeline. SolarWinds. Microsoft Exchange. We're barely halfway through 2021 and the breach headlines are relentless. But here's what frustrates me most: the majority of these incidents didn't exploit exotic zero-day vulnerabilities. They exploited basic IT security gaps that organizations have known about for
