Bigger Companies Have Better Cybersecurity...Don't They?
We're going to talk about very low-tech cyberattacks.
This is a story that caught our eye last week:
"Bleach maker Clorox said Tuesday [22 July 2025] that it has sued information technology provider [company name withheld here] over a devastating 2023 cyberattack, alleging that the hackers pulled off the intrusion simply by asking the tech company’s staff for employees’ passwords.
Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom. The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider’s hackers was able to repeatedly steal employees’ passwords simply by asking for them."
The hackers -- it should be noted, this is a sophisticated gang -- allegedly called the help desk for Clorox's cybersecurity providers and, posing as Clorox employees, acquired passwords.
Yep.
Presumably there is a lot more to this story than what we read in the news version, and the situation is part of ongoing litigation.
Here are several points about cybersecurity that are worth highlighting:
As we state repeatedly, spending more money on cybersecurity does not mean you have better cybersecurity.
Again, as we have stated before, gangs have specialists in different methods. The fact that calling to ask for passwords was the alleged process suggests that either this was an initial attack or they were tipped off to this method by insiders. Your company is always under attack, after all.
Having an AI-based cybersecurity system does not mean that you have the right cybersecurity system.
The 'hottest thing in AI' is not the only thing that's hot: so is, apparently, posing as a human and duping people who completed mandatory security training (and how did that training work out?). To make matters worse, how many calls to the help desk are we talking about? Dozens? Did anyone have a process for tracking that?
You don't need a bright shiny cybersecurity object. You need a repeatable cybersecurity process that is verifiable.
Ask us how we can help you prevent these sorts of situations before you need to clean up after them.
