Read our latest announcements, company news, security and privacy lessons, leadership thoughts and more. Subscribe below to stay up to date.
December 5, 2022
The Cybersecurity and Infrastructure Security Agency (CISA) recently published guidance to help small businesses make themselves more cyber secure. Why? The reason given is that there has been an increasing number of attacks launched against small businesses.
December 4, 2022
What do you think of when you hear the word malware? 👉 Most people think of computer viruses, email attachments, or web pop-ups. (The most common type of malware is a Microsoft Office macro attached to an email.) Cyber attackers are creative and are now using TikTok to target their victims.
Is Slack a trusted platform for communication? The short answer is yes. The longer answer is that you should always be skeptical of messages, and especially requests, that you get on any communication platform - Slack, Teams, email, LinkedIn, social media, etc.
December 1, 2022
I assume all of my passwords are either already in a breach and are available for sale on the dark web or that they will be in a breach at some point. Data breaches are so incredibly common and the scale of breaches so huge that there are billions of passwords available on the dark web.
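The practical corollary of "assume your passwords are already in a breach" is to check them against a breach corpus without ever sending the password itself. The example below is added here and is not code from the original post; it implements the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords API: only the first 5 hex characters of the SHA-1 hash leave the machine, and the caller matches the remaining 35 characters locally against the returned list. The network fetch is included but not exercised; the sample response is constructed for this example (the one real value in it is the SHA-1 suffix of the string "password"; the counts are made up).

```python
import hashlib
import urllib.request
from typing import Callable

# Real endpoint of the Pwned Passwords range API. Only a 5-character hash
# prefix is sent; the server returns every suffix it knows for that prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map.
    Blank lines are skipped; malformed lines raise rather than hide data."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def fetch_range(prefix: str) -> str:
    """Real fetch (network). Add-Padding asks the server to pad the response
    so its size does not leak which prefix was queried."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetcher: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus; 0 if not found.
    The full hash never leaves this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


# Constructed stand-in for the server response to prefix 5BAA6, so the
# example runs offline. Line 1 carries the real SHA-1 suffix of "password";
# the counts and the other two suffixes are invented for illustration.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "00012BBB3B4F8F2C1E93D5C6A0B9E7D4F10:2",
    "FFFFC0DE7B2A9E1F4D3C5B6A79887766551:17",
])


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for fetch_range using the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in sample")
```

To check a real password, call `breach_count(pw)` with the default fetcher; a non-zero result means the exact string is in a public breach corpus and should be retired regardless of how strong it looks.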
November 30, 2022
What's the best way to evaluate a security awareness vendor? In a crowded market, people often harp on price as the competition drives it down. But, what is often missing is an assessment of roadmap. As tech and work changes rapidly, your security awareness vendor should change in step.
November 28, 2022
The first-order problem to solve with security awareness is to improve the human behaviors that improve the overall security posture of a company. Human risk is a lagging indicator of human behavior. In order to be proactive, we have to flip the concept of human risk and focus on human behavior.
Phishing campaigns are a part of most security awareness programs. Whether companies use security awareness training and a phishing simulator from the same vendor or not, there are a few best practices we recommend for integrating phishing into your security awareness program.
November 22, 2022
Slack is the lifeblood of many modern companies. As a core part of modern work, training and LMSs should be connected to users in Slack yet most training platforms fall short of fully integrating into Slack and into the flow of work.
November 21, 2022
Every negative connection - message, training, nudge, alert, etc. - between employees and infosec is not just a missed opportunity but pushes employees further from security. And, given the state and scale of direct user threats today, every employee should be more closely aligned with security.
November 16, 2022
Data is, or at least should be, the lifeblood of an effective information security program. One source of data that is typically missing from an infosec program is user- or employee-driven data. Your employees are on the front lines. They see things you may not be able to see.
November 14, 2022
Device security has evolved over the last 10-20 years. With new devices (employee-owned smartphones) and new technologies (SaaS and the cloud), the role of devices in modern work and the field and approaches to device security have shifted almost entirely.
November 10, 2022
The dark web is a treasure trove of information, data, and malicious software. Most people do not know about the dark web and, if they do, they don’t really know what is available on it. For both professional and personal reasons, I worry about the dark web a lot. Here's why.
November 9, 2022
Phishing campaigns and phishing simulators have become a part of security awareness training. Using phishing campaigns to continuously iterate and improve your security awareness program will reduce your human risk in a compounding trajectory.
Holiday shopping kicks off this month. One of the major events is Black Friday, in which shops offer special sales and discounts. Every year, as retailers try to get you to buy something on Black Friday, cyber attackers try to scam you using fake messages, links, and websites.
November 7, 2022
Security awareness companies need core LMS features to enable customers to get value from their training content. But what is an LMS? An LMS has a set of core required features. A Slack LMS integrates Slack into the workflows of all of these features.
November 2, 2022
The real risk of human actions has increased as more technology has moved to the cloud and more workflows have moved to SaaS (Slack, Google Workspace, Microsoft 365, Salesforce, Workday, etc.). Human risk today is driven by user decisions in SaaS apps. And security awareness hasn't kept pace.
November 1, 2022
The most recent Forrester Wave: Security Awareness & Training (SA&T) report was released a few months ago. The report lands at the following conclusion: the security awareness training market is in need of disruption. We could not agree more.
October 31, 2022
The magazine Fast Company was recently hacked. After gaining access, the attackers sent offensive push notifications to users via the Apple News app. Apple disabled the Fast Company news account. It was easy for the attackers because Fast Company used default, easy-to-guess passwords.
If you are shopping for a security awareness vendor, you have Netflix-style variety at your fingertips. The problem is, users aren’t looking for new forms of content to teach them the same lessons. Security awareness needs a new approach, not new content covering the same topics.
My First Million is a popular business and technology podcast. In a recent episode, Shaan Puri (@ShaanVP) and Steph Smith (@stephsmithio) of a16z discussed social engineering and the phishing simulation market that grew to try to address it. We break down what we learned from hearing them talk.
October 28, 2022
🎃 Happy Halloween! In the spirit of the season, we wanted to debunk, and de-scare, some of the myths about social engineering. Social engineering is: the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
October 27, 2022
👩💻 Optus, a huge telecom in Australia, recently had a data breach. Last week, Optus was adamant that "human error" was not a factor in the breach: "Optus has strenuously denied 'human error' being a contributing factor in a data breach…". Wait, what?!?!
Security is a core competency that every person should possess. This does not mean every person should be a security or cybersecurity expert. The primary way to accomplish this is with a security mindset. And building a security mindset is a lot like building strength in a muscle.
October 26, 2022
An LMS is a learning management system. It is general purpose and can be used for any training topic. Security awareness is a form of training focused on security related topics. This post dissects how to run both concurrently because they are fundamentally different tools with different features.
While phishing simulations have value as a part of a broader security awareness program, continuous forms of security training are more effective at building a security mindset and better security hygiene. Phishing simulations should be seen as a means to measure effectiveness of security training.