Cyber Security Webinar Transcript

Webinar Introduction and Overview

Welcome and Speaker Introductions

Well, thank you so much for attending today’s webinar. For those of you who don’t know me, my name is Nick Swedberg. I’m a partner here at Boyum, and we are very excited and grateful to have Peter Durand with us today. Peter is an owner of Imagine IT, and I’ll let him provide a more complete introduction in a moment. His credentials are extensive, and we’ll cover those shortly.

Webinar Logistics and Participation Instructions

This webinar is being recorded and will be available on our website shortly after we receive the recording from Zoom. If you have questions during the presentation, Peter has graciously agreed to address them as we go if they relate to the topic being discussed. Please use the chat feature at the bottom of your screen and send your questions to the public chat. If you have a question, there’s a good chance someone else is wondering the same thing. I may interject with questions as they arise, save some for later if they’ll be addressed in upcoming slides, or hold a few until the end.

Transition to Speaker

With that, Peter, would you like to tell us about this interesting map we’re looking at?

Sounds good. Thank you, Nick.

Opening Remarks and Framing

Introduction to the Session

I’ll give a more complete introduction in a minute, but first, thank you all for taking the time to attend this important session. This presentation is unlike any cybersecurity presentation you’ve attended before. It’s action-packed, and some of the content may be disturbing. Today, I’m going to share the harsh realities of cybercrime—things that most news sources aren’t telling you.

Why Cybercrime Is Underreported

Why aren’t they talking about it? Because cybercrime doesn’t generate clicks and ad revenue. It isn’t ragebait. As a result, much of it gets buried. Unless you work directly in the security community, you rarely hear about what’s really happening.

Preventional Wisdom Concept

We’ve all attended presentations before, but how much do we actually remember and act on afterward? I’ve tried to solve for that. This presentation is packed with practical and actionable takeaways, and to help ensure you put them into practice, there will be homework assignments for all attendees. My goal is for you to leave with what I call ‘preventional wisdom.’ Do the homework—it will help you protect your country, your business, your clients, and your family.

Cyber Warfare Overview

What the Map Represents

Now, what are we looking at on the screen? This is a live view of cyber warfare involving more than 100,000 criminals and defenders around the world. That number doesn’t even include the more than 200,000 trafficked individuals being forced to work in scam centers, stealing money from victims across the globe.

The World Is at Cyber War

The world is at war. I’m not talking about conventional warfare. The world has been engaged in this cyber war for years, and it will continue for years to come. It isn’t a ‘tanks rolling down Main Street’ kind of war. If it were, it would dominate the front page every day. Instead, it’s an invisible conflict that most people rarely hear about.

This is an arms race that we are currently losing to adversarial nations and organized crime. Whether we like it or not, every one of us is on the front lines of defense for our country, our businesses, our clients, and our families. From the perspective of the United States, you’re not going to see enemy tanks rolling through your town. This is what war looks like for us in 2026 and beyond.

Presentation Agenda

Now, let’s talk about today’s presentation. We’re going to cover topics and realities that many of you have never seen or heard before. We’ll examine the current threat landscape and discuss practical ways to better protect your organizations and families.

Speaker Background

A little about myself: I started an IT services company nearly 30 years ago. I’m highly technical and lead a sizable team. While my business partners oversee other aspects of the company, I focus on security and privacy. Those areas require dedicated attention because they are so critical in today’s environment.

I spend a significant amount of time following the best thought leadership available on artificial intelligence, cybersecurity, cyber insurance, legal developments, and incident response. I provide cyber risk coaching to business leaders and deliver webinars like this several times each week.

Today’s webinar combines elements of two presentations I typically give. One focuses on educating business leaders about cybersecurity responsibilities and risk management. The other is designed for end users and goes much deeper into helping individuals avoid mistakes that could jeopardize their companies or families. This presentation blends both perspectives.

Threat Landscape Overview

We’ll discuss why every organization is at risk. Hopefully, we all recognize by now that everyone is a target. The goal is not to be the easiest target. We’ll talk about why executives—not IT departments—ultimately own cybersecurity outcomes, and why leadership cannot assume someone else has it covered. In many ways, cybersecurity needs to be approached with the same level of engagement and oversight as finance.

We’ll also touch on AI use policies and discuss how a strong security posture can positively influence business valuation. And, yes, there will be homework at the end.

As Nick mentioned, please use the webinar chat feature for questions. The recording will be available within a day or two, and we’ll also provide a PDF copy of the presentation.

The Dark Web and Cybercrime Ecosystem

Let’s begin by discussing the current threat landscape.

To understand modern cybercrime, we need to start with the dark web. Think of the internet as an iceberg. The portion above the waterline—the part accessible through Google searches—represents only about 4% of the internet. Despite Google’s massive reach, it can only access a small fraction of what exists online because most information resides behind passwords, firewalls, and legitimate systems where our data is stored.

Now consider the dark web. It represents roughly 6% of the internet, making it larger than the portion accessible through Google. It is enormous.

What happens there? Criminals conduct business. Contraband is bought and sold. Criminal organizations collaborate and operate sophisticated supply chains that mirror legitimate businesses.

Some criminal groups specialize as access brokers. Their sole purpose is to gain access to corporate networks and then sell that access to other groups, such as ransomware operators. More advanced groups build turnkey cybercrime tools that less-skilled criminals can rent or purchase.

A few years ago, only a relatively small number of highly skilled attackers possessed these capabilities. Today, those skills have been packaged, commoditized, and distributed. Turnkey ransomware kits, phishing kits, and attack frameworks allow low-skilled attackers to launch highly sophisticated campaigns.

The result is that cybercrime has become industrialized.

Cybercrime Impact and Statistics

When attackers obtain sensitive company data, they may attempt to sell it on the dark web or demand a ransom. What I find particularly remarkable is how these groups have effectively franchised cybercrime. Major ransomware organizations teach or license their methods to smaller groups, taking a percentage of the ransom payments in return.

This trend accelerated significantly around 2021. Attack techniques became easier to access, easier to execute, and more scalable. Today, criminals target everyone: businesses, nonprofits, schools, churches, and individuals. If you have a bank account or sensitive information, you are a target.

One particularly alarming statistic is the speed of modern attacks. The average time from initial access, such as a user clicking a malicious link or falling victim to a social engineering call, to successful lateral movement within a network is only 18 minutes.

Why are attackers so fast? Because they have playbooks. They know how Microsoft systems work. They know Apple systems, Linux, Android, and iOS. Once they gain access, they quickly determine what environment they are in and execute prebuilt attack sequences, often enhanced with AI.

There are more than 800 U.S. businesses victimized by ransomware every quarter. Most never make the news. Roughly three-quarters of the victims are small and midsized businesses.

In approximately half of ransomware incidents, attackers successfully destroy or compromise backups, leaving organizations with limited recovery options. Even among companies that pay ransoms, only about 10% fully recover all of their data.

For that reason, I strongly discourage paying ransoms whenever possible. Beyond the uncertainty of data recovery, ransom payments fund criminal organizations and contribute to a broader economic drain. Hundreds of billions of dollars leave the United States annually through cybercrime, generating no economic benefit in return.

Many organizations believe multifactor authentication is enough to stop attackers. It is not. While MFA remains essential, attackers have developed numerous methods to bypass or exploit it.

Government agencies are also struggling. Many operate aging legacy systems that are expensive and difficult to secure. Modernization efforts often require billions of dollars, creating significant challenges.

Artificial Intelligence and Cybercrime

Artificial intelligence is accelerating these threats. AI enables attackers to create more sophisticated malware and dramatically improve phishing campaigns. Tools like ChatGPT, Gemini, and Copilot allow non-native English speakers to generate convincing phishing emails without spelling or grammatical errors.

I spend a lot of time helping businesses understand how to achieve a return on investment from AI. Criminals have already figured it out. The attackers using AI are becoming significantly more efficient and profitable.

Today, more than half of all internet traffic is generated by bots. These automated systems create fake accounts, generate malicious traffic, and launch attacks at a scale that would be impossible manually.

Although ransomware attacks continue to increase, ransom payments have declined somewhat as organizations improve backup protection and recovery capabilities. However, data breach litigation and class-action lawsuits have increased substantially.

Major Data Breach Example

One major example occurred in 2024 when National Public Data, a background screening service, suffered a breach involving billions of records. The compromised information included names, former names, Social Security numbers, addresses, criminal history, known associates, and other highly sensitive data.

As a result, criminals now possess enough information to facilitate identity theft and highly convincing social engineering attacks. One of your homework assignments later will be to look up your own record, review what information is available, and opt out where possible.

According to Interpol, financial fraud losses exceeded $400 billion globally in 2025 alone, not including ransomware.

Two-thirds of all cyber incidents today involve credential theft or account takeover. Attackers frequently target email accounts, payroll systems, banking portals, and online retail accounts because these attacks are often more profitable and less risky than ransomware.

Cybercrime is now considered the world’s third-largest economy, generating an estimated $10 trillion annually. Electronic currency has played a major role in enabling this growth.

Ultimately, everyone pays the price. Whether directly through victimization or indirectly through higher prices, the cost of cybercrime is embedded into the products and services we purchase every day. Just as retailers factor theft into pricing, businesses now factor cybercrime losses into the cost of doing business.

We are all paying for it.

Human Cost and Ethical Implications

Okay, here’s some of the disturbing content.

Primarily in Southeast Asia, in corrupt governments that are friendly to cyber criminals, they have what we call huge office compounds known as scam centers. The scam centers generally have workers in them who are working against their will. Say you live in Africa and find a cool job online. You go through an application process, get interviewed, everything looks great, and they hire you. You fly to this country, maybe even bring your family with you, and the second you walk into this huge office compound, you’re held captive. They take away your passport, ID, money, and cell phone. You’re forced to commit cybercrime and hit a quota. If you do not hit your quota, you’re subject to physical violence. Your family could be subject to physical violence, and in some cases, prostitution.

Why do I tell you this? Because if you’re a victim of cybercrime, yes, it sucks. You just lost money. Maybe you’re dealing with identity theft, which is actually pretty serious. But you’re also facilitating this disgusting industry. You’re facilitating downstream harm to other human beings. If we would all stop becoming victims, this industry would go away. We all have an obligation not to become victims, which means we all need to get educated and avoid making these mistakes.

Emerging Cyber Threat Groups

Here’s some more of the disturbing stuff. There’s a group out there called “The Com.” They go by other names as well. They have three primary factions. Hacker Com primarily focuses on traditional cybercrime, ransomware, and related activity. IRL Com, which stands for “in real life,” enables physical violence for hire. If you don’t make your ransom payment, or if you post something online that upsets somebody, they might send someone to your house to physically harm or kill you. They may dox you, meaning they publicly post where you live and where your children go to school. Or they might swat you by sending law enforcement to your house.

Extortion groups generally target young adults by persuading them to send embarrassing photographs and then extorting them. Teenagers have committed suicide over these situations. We need to stop becoming victims so these groups go away.

AI Risks and Governance Concerns

Artificial intelligence is becoming a scary thing. I think all of us have a little bit of fear around it. We have huge data centers being built all over the world, and there still aren’t enough of them. They’re consuming enormous amounts of energy and power, and governments are trying to figure out how they’re going to support that demand.

What concerns me most is that the world is not united on AI governance. It’s an arms race. Corporations, governments, and adversarial nations are all racing to build the strongest AI systems. There really aren’t many guardrails in place. Agentic AI, the type of AI that can make decisions on behalf of humans, is being rolled out rapidly in all kinds of environments. I’m concerned about the types of decisions and responsibilities that may eventually be handed over to these systems.

Some of you may have heard about Anthropic’s arrangement with the Department of Defense. Anthropic said, “Yes, you can use our product, but we want some rules around how it’s used.” One of those rules was that it wouldn’t be used in connection with nuclear weapons. The government responded that it didn’t want restrictions. Those kinds of conversations are concerning. And it’s not just the United States. Cyber criminals are using AI as well, including agentic AI, and I know they aren’t going to follow any safeguards.

Later in the presentation, we’ll talk about AI use policies for employees.

Moral Implications of Cybercrime

We’ve already touched on the moral issues. We do not want to fund criminals. If that criminal organization is connected to countries like North Korea or Iran, which face heavy sanctions and financial constraints, cybercrime revenue may be helping fund missile programs and other activities. We don’t want to be victims. If you pay a ransom, you’re encouraging them to attack someone else.

The bad guys will often promise to delete your data. A couple of years ago, the FBI seized the servers of what was then the world’s largest ransomware group, LockBit. What did they find? They found all the victim data that had supposedly been deleted. It was still there. We cannot trust criminals.

When your organization is compromised, you’re exposing data that largely isn’t yours. It’s your employees’ data. It’s your clients’ data. You have an obligation to protect it. And when you’re compromised, you expose the people in your business and personal circles as well.

We’ve all received that random email from someone we know telling us to click a strange link. You probably became suspicious immediately. That person was likely compromised. Maybe they didn’t take security seriously enough, and now they’ve put everyone around them at risk. Identity theft and cybercrime have such a serious impact on some people that they contemplate suicide. This is a serious issue, and I wish it received more media attention than it does.

Ransomware Evolution

Let’s talk about ransomware.

When ransomware first appeared, attackers would simply encrypt your computer or network. You’d receive a ransom note and decide whether or not to pay. A lot of people chose not to pay, so the criminals adapted.

Now, if your organization gets encrypted and refuses to pay, the attackers may respond by saying, “Fine. We’ll publish all the sensitive data we downloaded from your employees and clients unless you pay.”

If you still refuse, they may launch a massive bot attack to cripple your network and disrupt your operations.

If you continue refusing, they may contact your clients directly and tell them that your organization doesn’t take security seriously. They may even demand ransom payments from your clients.

They will do almost anything they can to get paid.

Real-World Ransomware Examples

Here are a couple of examples.

About a year ago, PowerSchool, one of the largest K–12 education platforms in North America, experienced a ransomware incident. Attackers downloaded faculty, staff, and student data from approximately 18,000 schools. PowerSchool paid the ransom. Did the criminals delete the data? No. They kept it.

The attacker then sent ransom demands directly to the schools, threatening to publish confidential information unless additional payments were made.

Another recent example involved Canvas and its parent company. They experienced a similar attack. Criminals stole the data and began threatening schools. In this case, the company paid the ransom. Personally, I don’t trust that the data was actually deleted.

In the PowerSchool case, authorities eventually identified and arrested the perpetrator. It turned out to be a single individual in their late teens who likely learned many of these techniques through resources shared in criminal communities online.

A lesson learned: If you ever receive a ransom note, don’t engage with the attacker. Pretend you don’t exist. Forward the communication to the appropriate people in your organization and let trained professionals handle it.

Case Study: CFO Ransomware Experience

I want to share a brief story.

Doug is the CFO of a Midwest service company. About two years ago, they experienced a ransomware event. We took over management of their network about six months afterward. He was kind enough to record a short video about the experience.

Doug explained that before the incident, they believed they were too small to be targeted. They assumed cyber criminals only pursued large organizations and thought their IT team had everything covered. They were wrong.

The ransomware event and recovery process were far worse than they imagined. Business interruption caused significant financial losses. He spent months on conference calls and recovery efforts. Even after employees returned to work, he was still trying to catch up. Organizational morale suffered as well.

His advice was simple: Don’t skimp on cybersecurity. Partner with a mature, security-focused managed services provider. Make sure you have secure backups. Invest in cyber insurance to help mitigate risk.

That was a powerful message.

Business Impact and Aftermath

In both versions of this webinar, I share Doug’s story because it started with a simple end-user mistake. We’re all human, and the attackers are smart. But from a leadership perspective, the lesson is even more important: Nobody is too small to be targeted.

The aftermath of an incident is often much worse than people imagine. Even years later, organizations may still be dealing with attorneys, insurance claims, compliance issues, and reputational damage.

Organizations often ask questions afterward such as:

  • Why did we wait to prioritize security spending?
  • Will our reputation be damaged?
  • Will we be sued?
  • Will regulators investigate us?
  • Will I personally be held accountable?
  • Will this force us to raise prices?

In fact, I recently saw a statistic showing that roughly 30% of small businesses have had to raise prices after a major cyber incident simply to recover costs and maintain profitability.

Leadership Responsibility

Which brings us to the central theme of this presentation:

Who is ultimately responsible for preventing an existential event within your organization?

Is it IT? No.

IT owns some of the blocking and tackling, but they do not own the outcome. The responsibility belongs to executives, CEOs, boards of directors, and executive leadership teams.

Those leaders are ultimately accountable for cybersecurity outcomes.

Leadership Accountability (Continued)

Part of the challenge is that many leaders don’t know how to engage with cybersecurity the same way they engage with finance. CEOs understand they own financial outcomes, even though they aren’t doing the accounting themselves. They know how to ask questions and hold people accountable.

Finance has centuries of established standards and best practices. Cybersecurity is relatively new, evolves rapidly, and is often less familiar to leadership teams.

Most executives understand that poor financial controls are dangerous, but they often underestimate cyber risk until it becomes personal. Like Doug said, it wasn’t until after the incident that they realized how serious the threat really was.

Cybersecurity is not an IT task. It is a business risk.

A useful analogy is that cybersecurity is to IT and data what financial controls are to accounting. IT operates the security program, but leadership owns the risk, just as leadership owns financial risk.

Financial Comparison Framework

Some questions a CEO should regularly ask the CFO include:

  • How is our financial position changing, and why?
  • What risks could materially impact our financial stability?
  • What controls ensure our numbers are accurate?
  • What keeps you up at night financially?

These questions assume the CFO has a process, can explain it, and can provide evidence to support it.

Similarly, before signing financial statements, a CEO might ask:

  • What could materially be wrong with this information?
  • What controls prevent fraud or material errors?
  • What has changed since last quarter that increases risk?
  • If we were audited tomorrow, where would you be most concerned?

Applying Leadership Questions to Cybersecurity

Those same principles apply to cybersecurity, and they lead naturally into the next section: the questions CEOs should be asking their IT and security leadership.

What event could materially harm our business? Again, think of this like those pre-signoff questions. Where are we most exposed today? Show me. Give me some evidence. Help me understand this because I don’t understand it as well as finance. I don’t need it to be too technical.

How do we prevent or detect that? If we had a serious incident tomorrow, what would I wish I had asked you today?

Again, I love that question. It moves ownership up to the top of the food chain. IT does the blocking and tackling, but leadership owns the outcome. Cybersecurity deserves the same critical questions as finance—before an incident, not after.

How Modern Hacking Works

Let’s talk a little bit about how modern hacking works. Today, attackers rely heavily on open-source intelligence. They gather information from company websites, social media posts, public records, and data that may already be available on the dark web. They also use generative AI tools like ChatGPT, Gemini, and Copilot to help identify the most effective ways to attack organizations.

Breaking through a properly configured firewall is difficult, which is why most attacks now begin with spear phishing. We should assume that at some point someone will make a mistake and an attacker will gain access. The incidents you hear about in the news—and the thousands you don’t—typically involve attackers getting past antivirus software, firewalls, and multifactor authentication. Once inside, they can spread laterally across a network in as little as 18 minutes, gain administrator privileges, download sensitive data, and, if ransomware is their goal, encrypt systems. It happens very quickly, which is why organizations need the ability to detect and neutralize threats early.

Password Security Issues

Some of this content also comes from presentations I give directly to end users. One topic I always cover is password hygiene because it’s still a major problem. Back in 2021, PC Magazine conducted a survey that remains relevant today. About a quarter of respondents said they use the same password for everything. Another quarter said they reuse passwords for most things. That’s a significant issue because if one account is compromised, attackers will immediately try those same credentials against email, banking, payroll, and other critical systems.

Another common problem is using the same password for both personal and business accounts. If a personal password appears in a data breach and an employee falls for a phishing attack at work, that single password can become the starting point for a much larger compromise.

Business Email Compromise and Financial Fraud

Business email compromise is now far more common than ransomware. When attackers gain access to a mailbox, they can impersonate trusted individuals and persuade others to move money, change banking information, or reveal sensitive information. According to the FBI, billions of dollars are lost to these schemes every year, and cyber insurance carriers report that mailbox compromises account for the majority of claims they handle.

One example involved a former client in Eden Prairie. Their CEO received a phishing email asking her to reset her Microsoft password. She entered her credentials into a fake website, and the attackers captured them. They then bypassed multifactor authentication by stealing a browser session token—the small file that allows a trusted browser to remain authenticated for a period of time. With that token, the attackers gained access to her mailbox, monitored communications with the company’s bank, and eventually convinced the bank to transfer nearly half a million dollars. The company did not have cyber insurance, and even if they had, that type of loss is often difficult to recover through a policy.

We see variations of this every day. Another common scenario involves a vendor becoming compromised. Employees receive legitimate-looking emails from a trusted vendor and eventually receive a request saying the vendor has changed banks and future payments should be sent to a new account. Organizations lose billions of dollars each year to these schemes.

Last year, both the City of Baltimore and the City of Portland experienced incidents involving compromised vendors. In Baltimore’s case, approximately $1.5 million was transferred before anyone realized the money was going to criminals. Portland lost approximately $6 million. In both cases, employees approved banking changes without independently verifying the request.

The lesson is simple: never rely solely on email when banking information changes. Verify through a trusted phone number or another established communication channel. Do not use the contact information provided in the email itself.

This issue affects businesses of all sizes. We’ve seen multiple clients lose more than $100,000 because attackers inserted themselves into existing conversations using domains that differed from legitimate vendors by only a single character. The organizations weren’t responsible for the vendor being compromised, but they were responsible for lacking the financial controls needed to verify the request before sending money.

I’ve seen policies where this area was $25,000 or $50,000. Again, considering the average claim for finance fraud is about $150,000, those numbers need to be much higher. This is a good policy. Depending upon your industry and clientele, you should consider requiring your clients to carry cyber insurance. In other words, if something happens and they go through an incident, they could drag you into a lawsuit or bring you in as a co-defendant. You want to make sure they have cyber insurance so their policy can help cover the situation and make them less inclined to pursue claims against you.

AI Usage Policies and Risks

You also need to develop an AI policy. I don’t have a sample policy here, but I’ll send one later. Many of you already know that generative AI tools like ChatGPT, Gemini, and others often use conversations to train their large language models. About 90% of users rely on free AI tools, and that’s one of the tradeoffs. You’re helping train the model. Let everybody else do that. Let’s protect our own data.

If you’re a Microsoft 365 organization, use the business version of Copilot that comes with your Microsoft 365 subscription. It protects your conversations, doesn’t use them to train the public model, and keeps everything within your Microsoft 365 tenant. It’s private and secure. If you’re using free versions of tools like Copilot or Claude, many of them offer an opt-out setting that prevents your conversations from being used for training.

The people who built these systems don’t fully know what the future holds for all of this data. It ends up somewhere in hyperspace. Because of that, never input sensitive information, passwords, banking information, confidential information, or anything you wouldn’t want exposed. Substitute sensitive details with placeholders when you’re having conversations with AI.

AI Poisoning and Scams

There’s also something called AI poisoning. Let me give you an example of how bad actors are using it against us. They know people search for things like Microsoft’s support phone number, Adobe’s support number, and similar information. They’ll launch millions of bots and flood the internet with fake phone numbers that actually connect to scammers.

You ask an AI tool for Microsoft’s support number, and it may return the scammer’s number because that’s what it found online. That’s why you must verify contact information by going directly to the company’s website. If you call that fraudulent number, the scammer may ask for your credit card information or request that you read a code sent to your phone. That code is often your multifactor authentication code. Never provide it.

Password and Authentication Best Practices

Do not use generative AI to create passwords. These systems generate content based on patterns they’ve seen elsewhere. They are not true random password generators. Instead, use the password generation feature built into a password manager.

Use business-provided AI systems whenever possible, such as Microsoft Copilot or the business version of Gemini available through Google Workspace. Those environments are designed to be more secure. I would also recommend sticking with U.S.-based AI providers. Personally, I would not use DeepSeek because it’s based in China, and I have no idea what will ultimately happen with that data.

I also do not recommend deploying OpenClaw. It’s a very powerful open-source AI platform, but there are limited controls and boundaries around it. If an employee deploys it and connects it to internal systems, it becomes very difficult to manage and secure, particularly if you’re in a regulated industry.

Passkeys and Modern Authentication

I strongly encourage you to deploy passkeys. I’m giving you a little homework here.

What exactly are passkeys? Passkeys are passwordless authentication. Passwords remain one of the biggest reasons small security incidents become major breaches. Passkeys are largely phishing-resistant.

Let’s say I set up a passkey for my Amazon account using my fingerprint on this computer. That passkey is tied to this device. I can’t log in from another device unless I’ve specifically synchronized that passkey. If a scammer tricks me and says, “Hit your fingerprint so I can help you,” it still won’t help them because they don’t have my computer. Passkeys are incredibly effective.

There are some challenges. They require a little technical knowledge, and people need to get comfortable using them. Start practicing. When websites offer passkeys, try them. Use a biometric method like a fingerprint or facial recognition and synchronize your passkeys through a trusted password manager if available.

Real-World Security Incident Examples

I also wrote an article in my quarterly newsletter about passkey best practices. I encourage you to read it. If everyone used passkeys everywhere, it would save billions of dollars and make life significantly harder for cybercriminals.

Let me share a couple of real-world incidents.

Several years ago, we were onboarding a new client. One frontline employee clicked a phishing link. The attackers deployed a keylogger across the network, which is software that captures every keystroke entered on computers and servers. The malware remained active for four to six months before we discovered it.

We only found it because users were complaining about unusual pop-ups. There was actually a glitch in the malware. This particular client was a manufacturer, and every keystroke was being transmitted to China for months before we shut it down.

Why didn’t they deploy ransomware? Because ransomware wasn’t the goal. The goal was intellectual property theft.

Positive Case Study: Threat Containment

Now for a more positive example.

A client in Woodbury experienced a similar user mistake. Someone clicked a malicious link, and bad things started happening. Fortunately, they had an advanced detection and response solution installed. The affected computer was immediately isolated from the rest of the network before the threat could spread.

Ten days later, the FBI contacted the client and said they had observed one of the company’s computers communicating with infrastructure they were monitoring. The FBI noted that by that point, most organizations would already have been encrypted by ransomware. Instead, the threat had been contained within minutes.

That’s the type of protection every organization needs.

Security Tools and Best Practices

I encourage you to upgrade your detection and response capabilities. There are several products that do this, including Huntress, CrowdStrike, Sophos, and others. The important thing is not just detecting threats but automatically neutralizing them because attacks happen 24 hours a day. Most occur at two o’clock in the morning when nobody is watching.

For organizations that primarily manage security internally, the average time from detection to neutralization is approximately 16 hours. That’s far too slow.

Modern systems can respond in minutes. If someone logs in from Russia using your account, the system can immediately lock the account. If malware begins executing on a workstation, the system can isolate the computer before the threat spreads.

Every organization needs this capability. Cyber insurance carriers increasingly require it.

Email Security and Training

I also encourage you to improve your email security. Most organizations rely solely on Microsoft’s or Google’s built-in filtering. We’ve seen more malicious emails getting through recently. A second layer of email security can dramatically reduce risk.

Security awareness training remains important as well. There’s been debate within the cybersecurity community about whether monthly training is effective, but a large study last year found that organizations conducting ongoing awareness training experienced significantly better outcomes than those that didn’t.

Cyber Insurance Guidance

Now let’s talk about some questions leadership should be asking IT.

Don’t assume your IT team has everything covered. Trust, but verify.

Ask questions like:

  • Where are we most at risk?
  • Show me the results of our most recent security risk assessment.
  • How are our backups protected from deletion or modification?
  • How do we neutralize critical alerts 24/7?
  • How do we protect user identities?
  • What’s our strategy for defending against AI-related threats?
  • What are the gaps in our cyber insurance coverage?
  • How quickly can we recover from a serious attack and return to normal operations?

Homework and Action Items

For finance professionals, remember that these scams can affect personal finances just as easily as business finances. Someone can pretend to be your internet provider, your utility company, or your municipality and send fraudulent payment requests. Always verify payment changes through another channel.

I’m going to send everyone additional materials, including a checklist. Review it carefully. Print it out if necessary. Discuss these topics with younger family members and elderly loved ones, because they are often the groups losing the most money to scams.

Closing Remarks

Finally, I’m offering free cybersecurity assessments. These are typically 45-minute meetings where we review your cybersecurity posture, cyber insurance, and AI policies. I do these regularly because it’s my way of helping protect the small business community, their employees, and their clients.

As we wrap up, remember this: at some point, all of us learned how to manage money. In 2026, cyber awareness and privacy protection have become equally important life skills.

Please review the materials, share the checklist with your loved ones, especially those who may be vulnerable, and complete the homework.

Thank you very much.
