Posts

Showing posts from July, 2025

Litany Of The Hacked: July 2025 Wrap-Up

Note: the picture is from the OSGEMEOS exhibit at the Hirshhorn Museum and Sculpture Garden in Washington, DC, July 2025. In May and then June we covered the litany of the hacked, a group of entities that had been successfully hacked. The point of these litany posts is to note that this sort of thing happens and it has consequences. Pretending that you can whistle past the graveyard in cyberspace is foolish and delusional. And so, the litany of the hacked, July 2025 edition. The litany now includes: Aeroflot Airlines...Qantas Airlines...Allianz Re insurance...Rogers Communications...Tea (women-member-only date-rating site)...Elmo's account on the platform X...Microsoft's SharePoint servers...McDonald's hiring process assistant chatbot...CoinDCX crypto exchange...maybe the government of Singapore...City of St Paul, MN...pharmacies in Moscow, Russia... These different hacks had different purposes. Getting a Sesame Street character to spout anti-Semitism and ...

She Said/We Said: Professional Impact And Cybersecurity Program Leadership

We have had multiple posts on creating impact as a CISO or an IT professional. Ultimately you won't get the impact you need to have, and professionally want to have, unless you get the attention and trust of higher-level leadership. Not having impact means you won't get the funding you need for systems or professional development, and your career may stall. We keep up with other professionals in cybersecurity, and this recent post by Ashley Rose caught our attention. Here is a part of her post that we wholeheartedly endorse, and she says it well: [M]any chief information security officers (CISOs) still find themselves speaking a technical language that fails to resonate with other leaders. Technical terms often fall flat in boardrooms more concerned with revenue growth and brand reputation. This disconnect is becoming increasingly risky as cyber incidents now directly affect stock prices, customer trust, and executive job security. Plus, boards are being held accountable a...

Bigger Companies Have Better Cybersecurity...Don't They?

We're going to talk very low-tech cyberattacks. This is a story that caught our eye last week: "Bleach maker Clorox said Tuesday [22 July 2025] that it has sued information technology provider [company name withheld here] over a devastating 2023 cyberattack, alleging that the hackers pulled off the intrusion simply by asking the tech company’s staff for employees’ passwords. Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom. The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider’s hackers was able to repeatedly steal employees’ passwords simply by asking for them." The hackers -- it should be noted, this is a sophisticated gang -- allegedly called the help desk for Clorox's cy...

Is The Hottest Thing In AI Part Of Your Cybersecurity Process?

Some things in artificial intelligence (AI) that people ooh and aah about include the use of AI to create fake videos, write research papers, fly fighter jets, perform surgery, act as 'digital twins,' and otherwise do things that we thought only skilled sentient beings could do. That's amazing because, after all, AI is math: it can't prefer to do some things instead of others, and it has no way to want to do things -- it just does them. These creative uses of agentic robot features have made an impression on gangs using AI agents to engage in deception to attack cybersecurity systems. At a very low level of a deception-based attack, the AI mimics the characteristics of a known/trusted individual and seeks access to systems that the known/trusted person should have. That's what this post is about. Now, of course we've always had deception. That's the whole point of the term "Trojan horse." That's how Lucifer breaks out of hell in the epi...

Lessons In Cybersecurity From Protecting Grandma And Grandpa

A recent Wall Street Journal (WSJ) piece, "Hackers are targeting eldercare homes" (link here behind paywall), described successful cyberattacks against assisted living facilities. Anyone with a loved one in one of these facilities knows that, to put it bluntly, elderly people are bad at updating their security settings. What lessons can be drawn for CISOs and CIOs of any organization? Pythia Cybersecurity co-founder John Sebes had these thoughts about the WSJ piece and its implications. His conclusion: you have more to learn from these attacks than you think you do; will you learn anything? John's take: The elder-care services sector is the latest business sector that's being targeted by cyber-criminals, and reported on by new media including the WSJ. But both experience of the attacked businesses and the news commentary on them hold valuable lessons for any business that might need a cybersecurity upgrade. Like many organizations, all the attacked businesses t...

Better, Cheaper, Faster -- Can Your Cybersecurity Consultants Give You All Three?

The long-running joke in consulting is that there is better, cheaper, and faster -- pick two. I admit that I have muttered this same line in my consulting career. All consultants know that clients at times try to get more than what is specified in the contract -- sometimes unintentionally, for example by not understanding the contract. Sometimes clients intentionally try to get more than bargained for, faster, or for less; unfortunately that puts everyone in Alice's Wonderland. The Internet and television dramas, especially medical dramas, have exacerbated this problem. People believe that they can expect delivery overnight and that executing a project or getting results happens before the commercial break, certainly by the end of the two-part episode. We also all understand that this is not reality. But believing things that are not real are in fact real is a human thing, also known as a cognitive bias. Cybersecurity requires better, cheaper, and faster. But wait you say, we jus...

Fear, Uncertainty, Dread, And You

Fear and uncertainty and dread sell. You have a lot to fear, there is always uncertainty, and therefore you dread. It's how your brain is wired. Don't fight it. Instead, manage it. Let's think about this from a cybersecurity perspective. Leaders or managers: Does your company have business dealings regarding socially controversial products (e.g., guns or alcohol or tobacco)? Does it have supply chains or significant exposure in "global hot spots" (Eastern Europe, "blood diamonds," use of potential child/slave labor, rare-earth minerals mining, or gas pipelines over tribal lands)? Does your company publicly support political causes/candidates? If so, your company can be targeted by people who are against that -- whatever that is. Investors: Does your model involve disrupting or closing business? Do you do business with countries with less than stellar reputations for, you know, human rights, etc.? If so, your company can be targeted by people who a...

What Does Pythia Cyber Do For the Investor (4 of 4)

(This post is the fourth in a series of four; the first post is general and the other posts are each directed at different roles: general, CEO, CISO.) This post is directed at anyone tasked with assessing a potential investment or acquisition. Once upon a time, Mergers & Acquisitions were the province of MBAs, with the occasional domain expert. Now it is hard to imagine effective Due Diligence without a hefty cybersecurity component. We provide that component. We give you the same kind of assessment and assurance in the cybersecurity domain that has long been standard in the finance domain. Pythia Cyber gives you much more than the usual letter grades on a "cybersecurity report card." We show you where the prospect is on a cybersecurity continuum and estimate what it would take to elevate their cybersecurity to whatever level you deem to be an appropriate investment. Our secret sauce is that we have a behavioral string to our bow: cybersecurity is as much about human behavior ...

What Does Pythia Cyber Do For the CISO (3 of 4)

(This post is the third in a series of four; the first post is general and the other posts are each directed at different roles: general, CEO, Investor.) This post is directed at you, the CISO or part-time CISO or fractional CISO or CTO or CIO or CISO or whatever your organization calls the person heading up cybersecurity. Why would you hire Pythia Cyber and if you did, what would you get for your money? What sets Pythia Cyber apart in the cybersecurity consulting space is that we have two areas of focus: classic cybersecurity and behavioral cybersecurity. We are structured this way because there is a large behavioral component to cybersecurity. In fact, there are two such components: the behavior of colleagues when they are users of technology and the conversations you should be having with senior management about cybersecurity. It is likely that your career before you got this job did not prepare you either to influence people you do not directly manage or to frame this...

What Does Pythia Cyber Do For the CEO? (2 of 4)

(This post is the second in a series of four; the first post is general and the other posts are each directed at different roles: general, CISO, Investor.) This post focuses on what Pythia Cyber sells to the CEO (and other members of the C-suite). In order to keep this description of what we do as concrete as possible, let us first define the goal that our services exist to reach: a rigorous and formal cybersecurity program (CSP) based on the NIST CSF. More specifically, we mean a CSP that does the following:
- Extends Risk Management into the cyber domain: ID assets, risks to assets, policies for risks, procedures for policies
- Links senior management to cyber defenders in a formal way: management priorities (time and money) flow downward; monitoring results flow upward
- Ensures that the Incident Response Plan is updated and validated
As a senior manager, you have two roles in the CSP: You validate the list of cyber assets and the priority of their protection. You overs...

What Does Pythia Cyber Do For You? (1 of 4)

(This post is the first in a series of four; the other posts are each directed at different roles: CEO, CISO, Investor.) Because Pythia Cyber does not fit into any standard management consulting box, we are often asked exactly what it is that we are selling. The answer to that question is much clearer if we answer another question first: to whom are we selling? We are selling to you if you have a vague feeling that you know you should be doing more in the way of cybersecurity, but you don't know what that would be. We are selling to you if you feel the ice getting a bit thin under your feet, but you are overwhelmed by the options. Maybe you are a relatively new organization that has put off getting serious about cybersecurity a bit too long. Maybe you are a growing organization that has prioritized growing over cybersecurity for a bit too long. However you got here, here is where you are: you need to take the next step but you do not know enough to know what the ne...

To Pay Or Not To Pay

One of our founders has been keeping track of who gets hacked in his on-going series "The Litany Of the Hacked." As he intended, this series has made me think more about who gets hacked and why. So I was horrified recently to hear a fellow cybersecurity professional describe his planned response to a theoretical ransomware attack as "ask the Board whether or not they want to pay it." He viewed this as a moral question for management, not a technical question to be addressed by his own Incident Response Plan. To my on-going horror, it is true that paying your way out of a ransomware attack is probably legal, depending on where you operate and some other circumstances. To quote the FBI themselves: The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn't guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in thi...

What, Really, Is Cybercrime?

We talk a lot about cybercrime but what, really, is it? The rubric included above comes from a May 2025 report from the (US) National Academies of Sciences, Engineering, and Medicine. You can find the report here. You should care about this rubric for three main reasons. There is a bonus reason we will also discuss. First, cybercriminal gangs, much like anyone or like position players on a sports team, have specialties and they get better at their specialties. For example, gangs specializing in identity theft are not the people who are engaging in acts against people such as cyberbullying. Reporting incidents to the authorities should be done along the lines of this rubric, and incident reports should use its categories, so that security specialists know how to prepare. Second and related, you should care because you can organize your security processes and mitigation plans in terms of these types of risks: acts targeting machines or systems, acts targeting property, ...

Prepare For Cyber Attacks That Seem To Come From People You Might Know

Maybe you read a piece in the news last week about an AI-based system that mimicked the voice of the US Secretary of State, Marco Rubio, and contacted leaders around the world via calls and texts. Ha ha, you say. As if. No one would do that to me, I'm not the Secretary of State. You could be next. We hear from executives that the most frequent attack they face is someone using the credentials of a trusted insider who tries to get money. It's easy to spot this when it's in an email. Are you prepared for a robot calling or texting you, sounding like a trusted insider, asking for money or some other action? Your cybersecurity team needs to be able to prepare for that eventuality, because it will be an eventuality. This article explains how to prepare. As a leader, you need to believe that your systems are being attacked even if "nothing happens." It's happening right now. Just because you didn't hear about it from the audit committee doesn't mean it di...

We Say Password, You Ask Whether We Want Fries With That

Super-sized sigh... We just ran a series of four fantastic posts on passwords. Read each of them. And just like that -- McDonald's apparently had an AI-enabled employment application system. And yep, that's right: its password was 123456. So many angles on this, let's review five:
1. It doesn't matter how much technology you have, employees will make the system easier for them to use. That's how you get passwords such as 123456. And that's why we focus on behavioral cybersecurity.
2. The AI application did not flag the password. If you say, well, why would it, I reply: technology is a tool and its functional parameters are very narrow, which is why we need to have people in the loop who are savvy about security parameters.
3. There are bad cyber-actors out there looking for vulnerabilities. In this case, it was the clan of the Hamburglar. (Sorry. Sort of.) Remember, though: this is gang activity.
4. Leaders need to be clear with their security staff th...

News You Can't Use: Typical Cybersecurity News Coverage

One of my colleagues here at Pythia Cyber has begun a series of posts about specific news items. For instance, here is his collection on the current role that passwords should play in your cybersecurity both as a user and as a manager in a company with public-facing computer assets. There is also a series coming on social engineering. He does a great job of explaining the particular significance of these items, which has inspired me to comment on the general (in)significance of these items. Because that is the unpleasant truth about news coverage of cybersecurity: all too often the coverage falls into one of two categories of useless: fear-mongering and advertising. To me, fear-mongering (and its cooler younger sibling, click-baiting) is reporting on something that seems bad without establishing proper context and without providing any kind of solution. The "16 Billion Passwords Leaked!" headlines all too often were followed by breathless descriptions of this giant trove of ...

Recapping Password Usage (4 of 4)

This post is the fourth in a series of four about the current role of passwords in cybersecurity. Specifically we will explore and explain how the changing threat environment moves the password from primary identity confirmation to a more supporting role. While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series touches on the user experience as we are all users and that shared experience is helpful in describing how cybersecurity should be deployed inside your organization. The first post in this series is here. The second post is here. The third post is here. So far in this series we've covered weaknesses in passwords as a login strategy, and the importance of Multi-Factor Authentication (MFA) to provide a safety net. Now that we have MFA in place (you turned it on after reading the last post - right?), let's talk about how to use passwords effectively. We mentioned before that you shouldn't reuse passwords. Your...

Strengthening Login Security (3 of 4)

This post is the third in a series of four about the current role of passwords in cybersecurity. Specifically we will explore and explain how the changing threat environment moves the password from primary identity confirmation to a more supporting role. While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series touches on the user experience as we are all users and that shared experience is helpful in describing how cybersecurity should be deployed inside your organization. The first post in this series is here. The second post is here. The fourth post is here. If passwords aren't strong enough to identify a user as really that user, what are we to do? One idea is to check who the user is, in more than one way. This is called Multi-Factor Authentication, and it's becoming pretty widespread. "Authentication" is what security professionals call the process of verifying that a user is who they say they are,...

Passwords Alone Cannot Save You (2 of 4)

This post is the second in a series of four about the current role of passwords in cybersecurity. Specifically we will explore and explain how the changing threat environment moves the password from primary identity confirmation to a more supporting role. While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series touches on the user experience as we are all users and that shared experience is helpful in describing how cybersecurity should be deployed inside your organization. The first post in this series is here. The third post is here. The fourth post is here. When the idea of computer passwords started, it seemed pretty simple: a secret word that you know, but no-one else does, could identify you as who you are. But people also use computers for spell-checking, which involves creating dictionaries of all the known words. It doesn't take long to realize that plugging each word of the dictionary into th...

16 Billion Passwords Leaked! Is This The End? (1 of 4)

This post is the first in a series of four about the current role of passwords in cybersecurity. Specifically we will explore and explain how the changing threat environment moves the password from primary identity confirmation to a more supporting role. While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series touches on the user experience as we are all users and that shared experience is helpful in describing how cybersecurity should be deployed inside your organization. The second post in this series is here. The third post is here. The fourth post is here. Recent news articles, like this one, have described a database of 16 billion (with a "B"!) passwords stolen from major online companies like Apple, Google, and Meta (Facebook). This sounds like a major hack, and the end of passwords for security. On closer analysis, the news is both better and worse than that. Let's look at why, and what we shou...

Litany Of The Hacked: June 2025 Wrap-Up

In May we covered the litany of the hacked, a group of entities that had been successfully hacked (such as my dentist). The point was to note that this sort of thing happens and it has consequences. Pretending that you can whistle past the graveyard in cyberspace is foolish and delusional. Then came the early June extension of the litany. Newly enrolled members in the US and UK included brand-forward retailers. Retailing has features that make it more susceptible to hacking, true enough. And now: the litany of the hacked, June 2025 wrap-up edition. The litany now includes: Columbia University...United Natural Foods...Aflac...Erie Indemnity...Philadelphia Insurance...International Criminal Court...The Washington Post...Hawaiian Air...WestJet...various financial institutions inside the Islamic Republic of Iran... OK the last one is an anomalous situation but the other organizations were brought to heel to various extents just inside one month. Question: do you think they had annua...

Bad Cyber-Actors Are Getting Better At Their Game. What About You?

This recent report on how criminals used people's stolen identities to defraud the US healthcare system of $10.6 billion deserves your attention. Here is a key part related to cybersecurity (emphasis added): "Those involved in the fraud bought dozens of companies that were accredited to submit claims to Medicare and the program's supplemental insurers, prosecutors say. Then, using personal information stolen from more than a million Americans, the defendants filed billions of dollars in claims for equipment that had not been ordered by people enrolled in Medicare and was not delivered to them, according to the indictment." For context, the story mentions that a previous gang in 2019 defrauded the US healthcare system of $1 billion, which was considered a lot at the time. And if you need more context, a completely unverified and unaudited "cost savings" identified in the US by the DOGE process in 2025 was $180 billion. (Full disclosure: my AI engine claims th...