Security


CMMC – How to Start

The standard method is to find the big spreadsheet of controls and then start marking it up. This approach makes perfect sense, but as you work through it, it quickly becomes unwieldy.

Not every control can be completed by the same team.

They request “evidence,” but what in the world do they want to see?

How are we to convert generic controls into actionable requirements?

What does “good” look like?

How do we know if what we’re doing will pass an audit?

If you’re asking yourself these questions, you’re not alone. In fact, what starts as a spreadsheet with a long list of controls quickly turns into multiple sheets, plus additional documents with policies and procedures. And when you dig into what the auditors are looking for, they are looking for multiple things for each control.


You Enabled What? The 30-Minute AI Audit Your Business Should Do This Week

If you read my last post about the Workday lawsuit, you probably had one of two reactions.

The first reaction: “Interesting case. Glad that’s not us.”

The second reaction: “Wait. What’s actually running in our stack?”

If you had the first reaction, I’d gently encourage you to read it again. If you had the second — good. That instinct is exactly right, and this post is for you.

The uncomfortable truth is that most small and mid-sized businesses have AI features active in their software that nobody deliberately approved. Not because anyone did anything wrong. Because these features are being added quietly, bundled into updates, tucked behind toggles in admin screens that nobody checks between quarterly reviews.


Someone Clicked a Button. Now There’s a Lawsuit.

Somewhere in 2022 and 2023, Derek Mobley was doing what a lot of people do when they’re job hunting: applying. A lot. Over 100 applications, by his account, sent to companies that all had one thing in common — they used Workday to manage hiring.

He didn’t get the jobs. What he alleges is that he didn’t get them in part because an AI system was evaluating his applications and filtering him out — based, he claims, on his race, age, and disability status.

What happened next is where it gets interesting for anyone in IT or Security.

He didn’t just sue the companies that rejected him. He sued Workday.


The Art of Social Engineering

The warmth is the setup. The ask is the payload. Every social engineer worth their salt knows you don’t lead with the thing you want — you lead with connection. A shared laugh about a dog, a commiserating comment about kids, a moment of genuine-feeling human warmth. By the time the ask comes, you’re not talking to a stranger anymore. You’re talking to Dave.

When someone creates urgency and rapport in the same phone call, that combination should set off a quiet alarm in the back of your head.

The rule is simple: if someone calls you, hang up and call back on a number you find yourself. Your bank’s number is on the back of your card. Apple’s is on their website. The IRS doesn’t call you — they write letters, like it’s 1987, because that’s apparently still how they do things.


I’m Not in IT or Security – Why Should I Care?

Big companies have security teams, monitoring tools, incident response plans, and lawyers. You have the same password you’ve been using since 2014 and a router you’ve never logged into.

I’m not saying that to make you feel bad. I’m saying it because it’s the single most important thing to understand about modern cybercrime: scale beats sophistication every time. Why spend weeks trying to break into a bank when you can send a convincing text message to a million people and wait for a few thousand of them to click?

You are not too small to matter. You are too easy to resist.


The Fish Did It!

The lobby aquarium had an internet-connected thermometer — so staff could monitor the water temperature remotely, presumably from the couch, as one does. Attackers found it, used it to pivot onto the network, located the High Roller database, and walked out with 10GB of data. Through. The. Fish. Tank.

Now here’s the part that should actually keep you up at night: that thermometer is basically your printer.

And your smart refrigerator. And your kid’s drone. And the Star Wars toy that connects to the internet for reasons nobody fully explained. And the microwave that plays Spotify, because apparently we decided ovens needed WiFi now.


Demystifying CMMC: Why It’s Not About Compliance—It’s About Growing Up Your Security

CMMC Isn’t the Threat—Your Security Debt Is. You shouldn’t be adopting CMMC because the DoD demands it.
You should be adopting it because your business deserves not to be the lowest-hanging fruit in the industry.

CMMC is not about auditors. It’s not about paperwork. It’s not about passing a test.

It’s about adopting the minimum baseline of maturity required to operate safely in a world where attackers don’t care how big you are—just how easy you are.


The Six Pillars of Good Security: What SMBs Need to Get Right Before It’s Too Late

Attackers aren’t looking for the hardest target. They’re looking for the easiest one.

SMBs don’t need perfection.
They need visibility, identity security, system hygiene, vendor accountability, resilience, and culture.

Master these pillars and you stop being an easy target. Ignore them, and you are betting your future on luck.


The Weakest Link: Five Real Breach Stories That Should Keep Every Computer User Alert

Cyberattacks rarely begin the way people imagine. Not with cinematic hackers hammering on keyboards, but with something far more ordinary—and far easier to overlook. As admins, you’ve been handed powerful access, and with it, a responsibility that can’t be overstated. This post pulls back the curtain on how real-world breaches unfold, why they happen, and what they can teach us about the quiet vulnerabilities inside every organization. Take a moment to explore how small lapses can lead to massive consequences—and how simple discipline can prevent them.
