Discover resources and strategies for building effective security awareness training programs. Posts cover curriculum design, engagement techniques, compliance requirements, and methods for measuring training impact to reduce human-related security incidents across organizations.
posts
In January 2024, a threat actor used credential stuffing to compromise a test environment at Microsoft — and then pivoted to access senior leadership email accounts for weeks before detection. Microsoft. One of the most well-resourced security organizations on the planet. If it can happen there, it can happen to your
The Breach That Started With a Single Stolen Identity In 2023, a midsize accounting firm in the Midwest lost access to its entire client database — not because of a sophisticated zero-day exploit, but because a threat actor used a partner's stolen credentials purchased on the dark web. The
Microsoft's security team reported that accounts protected by multi-factor authentication block over 99.9% of automated attacks. Yet according to the FBI's Internet Crime Complaint Center (IC3), credential theft and account compromise remain among the top reported cybercrime categories year after year. The gap between what
The Attack That Shut Down 100 Romanian Hospitals In February 2024, a ransomware attack hit over 100 hospitals across Romania, forcing them offline and back to pen-and-paper operations. Patient data was encrypted. Emergency services were disrupted. The attack vector? Malware that slipped through a single vulnerable system and spread laterally
A Single Click Cost One Hospital Chain $100 Million In 2024, Change Healthcare was hit by the ALPHV/BlackCat ransomware group. The attack disrupted insurance claims processing for thousands of healthcare providers across the United States. UnitedHealth Group eventually disclosed costs exceeding $870 million related to the incident. The entry
89% of Employees Think They'd Spot a Phish. The Data Says Otherwise. I ran a phishing simulation for a mid-size law firm last year. Before the test, we surveyed staff — 89% said they were confident they could identify a phishing email. Then we sent three simulated phishes over
Most Security Quizzes Are a Waste of Everyone's Time I recently reviewed the cybersecurity training program at a mid-size financial services firm that had been breached through a credential theft phishing email. They had a training program. They had quizzes. Every employee passed with flying colors — 95% average
In March 2025, CISA and the FBI issued a joint advisory warning that the Medusa ransomware gang had compromised over 300 organizations across critical infrastructure sectors — healthcare, education, legal, insurance, and manufacturing. The attack vector in the vast majority of cases? Phishing. Not some exotic zero-day exploit. Not a nation-state
That Gmail Account Access Warning Might Be Real — Or It Might Be the Attack Itself In early 2024, a sophisticated phishing campaign targeted Gmail users with emails that looked exactly like legitimate Google security alerts. The messages warned of suspicious sign-in activity and directed users to a pixel-perfect fake login
In 2023, the FBI's Internet Crime Complaint Center reported that business email compromise — a sophisticated category of fake email — caused adjusted losses exceeding $2.9 billion in a single year. That wasn't from exotic zero-day exploits. It was from emails that looked real but weren'
