Security Awareness Training

Discover resources and strategies for building effective security awareness training programs. Posts cover curriculum design, engagement techniques, compliance requirements, and methods for measuring training impact to reduce human-related security incidents across organizations.

Cybersecurity Culture

Cybersecurity Culture in the Workplace: A Practical Guide

The Breach That Started With a Single Slack Message In September 2022, a threat actor sent a social engineering message to an Uber employee, pretending to be IT support. The employee handed over credentials. Within hours, the attacker had access to internal systems, the company's HackerOne vulnerability reports,

Carl B. Johnson Sep 01, 2019 7 min read

Cybersecurity Culture

Building a Cybersecurity Culture That Actually Works

The Breach That Started With a Single Slack Message In September 2022, a threat actor sent a push notification to an Uber contractor's phone — over and over, for more than an hour. The contractor eventually approved the multi-factor authentication request just to make it stop. That single moment

Carl B. Johnson Sep 01, 2019 6 min read

Security Awareness Training

How to Measure Security Awareness Training ROI

Your Training Program Might Be Failing — and You'd Never Know In 2024, IBM's Cost of a Data Breach Report pegged the global average breach cost at $4.88 million. Organizations with security awareness training and incident response planning cut that number dramatically. But here's

Carl B. Johnson Sep 01, 2019 8 min read

Cybersecurity Gamification Training

Cybersecurity Gamification Training That Actually Works

A 45-Minute Training Video Nobody Watched In 2023, a mid-size healthcare company I consulted for spent $60,000 on a compliance-focused security awareness program. It featured a 45-minute narrated slideshow, a 10-question quiz, and a certificate of completion. Their post-training phishing simulation results? A 31% click rate — virtually unchanged from

Carl B. Johnson Sep 01, 2019 7 min read

Cyber Hygiene Checklist

Cyber Hygiene Checklist: 12 Steps That Actually Work

In 2023, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a single phone call to a help desk. The attackers didn't exploit a zero-day vulnerability. They didn't write exotic malware. They called IT support, impersonated an employee, and got

Carl B. Johnson Aug 20, 2019 7 min read

Board-Level Cybersecurity Awareness

Board-Level Cybersecurity Awareness: A 2026 Guide

The SEC Changed Everything — Most Boards Still Haven't Caught Up In July 2023, the SEC adopted rules requiring public companies to disclose material cybersecurity incidents within four business days and to describe their board's oversight of cyber risk annually. Since then, I've reviewed dozens

Carl B. Johnson Aug 20, 2019 7 min read

CEO Fraud

CEO Fraud Email Scam: How Attackers Steal Millions

A Single Email Cost This Company $47 Million In 2015, Ubiquiti Networks disclosed that threat actors used a CEO fraud email scam to trick finance employees into wiring $46.7 million to overseas accounts controlled by attackers. The emails looked like routine requests from senior executives. No malware was involved.

Carl B. Johnson Aug 20, 2019 8 min read

Executive Phishing Attacks

Executive Phishing Attacks: Why the C-Suite Is Target #1

The CEO Who Wired $47 Million to a Threat Actor In 2016, Austrian aerospace manufacturer FACC lost €42 million (roughly $47 million) after attackers impersonated the company's CEO via email and convinced an employee in the finance department to transfer funds for a fake acquisition project. The CEO

Carl B. Johnson Aug 14, 2019 7 min read