Security Culture

Explore strategies for building and sustaining a strong security culture within organizations. These articles cover leadership engagement, employee behavior change, security awareness program design, and practical methods for making cybersecurity a shared responsibility across every department.

Security Awareness Metrics

Security Awareness Metrics That Actually Prove ROI

Your Board Doesn't Care About Completion Rates

I sat in a meeting last year where a CISO proudly reported a 97% training completion rate. The board nodded politely. Two months later, a single phishing email led to a credential theft incident that cost the organization $2.3 million

Carl B. Johnson May 22, 2026 5 min read

Cybersecurity Training

How to Train Employees on Cybersecurity in 2026

The Breach That Started With a Single Click

In 2023, MGM Resorts lost an estimated $100 million after a threat actor called Scattered Spider social-engineered an IT help desk employee with a phone call that lasted about ten minutes. The attacker didn't exploit a zero-day vulnerability. They didn't

Carl B. Johnson Apr 11, 2026 5 min read

Security Awareness Training

How to Measure Security Awareness Training Effectively

In 2023, MGM Resorts lost an estimated $100 million after a threat actor social-engineered the company's IT help desk with a single phone call. The attackers didn't exploit a zero-day vulnerability. They exploited a person. That incident should make every security leader ask a blunt question:

Carl B. Johnson Mar 29, 2025 7 min read

Security Awareness Training Program

Security Awareness Training Program: Build One That Works

In January 2024, Microsoft disclosed that a Russian threat actor group — Midnight Blizzard — had breached executive email accounts using a simple password spray attack against a legacy test account that lacked multi-factor authentication. One of the most technically sophisticated companies on the planet, compromised by one of the oldest tricks

Carl B. Johnson Mar 24, 2024 8 min read

Security Awareness Metrics

Security Awareness Metrics That Actually Prove ROI

In 2020, a mid-sized healthcare provider invested $250,000 in a security awareness program. Twelve months later, the CISO couldn't answer one question from the board: "Is it working?" No baseline measurements. No tracking. No defensible data. That CISO is now updating a résumé. I'

Carl B. Johnson Nov 28, 2021 7 min read

Security Awareness Training

How to Measure Security Awareness Training ROI

In February 2021, an operator at a water treatment plant in Oldsmar, Florida watched an intruder take over a remote access session and attempt to change chemical levels in a city's water supply. The attacker gained entry through a shared TeamViewer password, no phishing email required. The incident raised a question that boardrooms

Carl B. Johnson Nov 28, 2021 7 min read

Security Awareness Training

How to Measure Security Awareness Training Effectively

Your Training Program Is Worthless Without Proof

In 2023, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a single phone call to the help desk. The company almost certainly had a security awareness program in place. So did Caesars Entertainment, which paid a

Carl B. Johnson Oct 02, 2020 7 min read