This week:
3 – How the bad guys made the good guys become the bad guys.
2 – How the cost of compliance is a bargain.
1 – How we’re all just sardines online.
3 – How the bad guys made the good guys become the bad guys
“This is a masterclass in how criminals exploit human trust in our increasingly digital world. It’s a story of deception so bold, it forces us to confront some unsettling truths about the state of our security.”
Source: KnowBe4 Blog
What’s the story?
A KnowBe4 investigation has revealed that a notorious cybercrime group established a fake cybersecurity firm (complete with a polished brand, interviews, and comprehensive employee onboarding) to recruit unsuspecting cyber security professionals.
Those hired were then instructed to perform security penetration tests ‘on behalf of their clients’.
In reality, they weren’t clients of the firm. They were targets of the cybercrime gang.
Apparently, the gang caused over $1 billion in losses and stole over 100 million payment records across 47 U.S. states and multiple countries.
So what?
The phrase ‘wolf in sheep’s clothing’ comes to mind.
If you need someone to perform a security penetration test of one of your IT systems, make sure that tester really does have your best interests at heart.
2 – How the cost of compliance is a bargain
“The DPC reprimanded CDETB [City of Dublin Education and Training Board], imposed administrative fines totalling €125,000 and ordered CDETB to bring its processing into compliance with the security requirements of the GDPR.”
Source: Data Protection Commission Press Release
What’s the story?
The DPC recently announced its decision in relation to a data breach at CDETB [City of Dublin Education and Training Board] in late 2018. The breach arose from weak security on the organisation’s web server, resulting in the data of 13,000 individuals being exposed.
The organisation has been fined €125,000 and instructed to improve its security measures.
So what?
There are the usual lessons here:
- To reduce the likelihood of a breach, ensure reasonable security measures are in place.
- In the event of a breach, make sure you report the incident to the regulator and to impacted individuals in a timely manner.
All important points that we’ve heard before.
But look at the timelines: The incident happened in late 2018. The DPC inquiry ended in June 2025. That’s almost SEVEN YEARS to reach its final conclusion.
That’s SEVEN years where people across this organisation were interacting with the regulator.
And SEVEN years when they were also probably engaging with legal advisors (who don’t tend to work for free).
What’s my point?
Yes, the time and cost of complying with GDPR and other regulations can be a pain in the ass.
But it’s nothing like the time and cost of not complying.
1 – How we’re all just sardines online
“The factory processes 40,000 sardines a day. Not one of those fish was specially targeted. The fishermen didn’t care. They just cast their nets and hauled in whatever swam through. That’s how most cyber criminals work.”
Source: Stan Stahl (on SubStack)
What’s the story?
This is a great story and analogy from Stan (co-founder of Secure The Village) about what fishermen and cyber attackers have in common.
While entertaining us with his latest European travels, he also illustrates that most cyberattacks aren’t targeted at all: attackers cast wide nets across the internet, trying to catch us through our poorly secured systems or our poorly trained employees. In other words, organisations often fall victim simply because they’re online and poorly protected.
So what?
Don’t think cyber attackers are only interested in high-value targets.
They’re fishermen.
And we’re sardines.
And we could be caught in their net at any time.