Scott's Human Cyber Security Insights for June 20, 2025
Hello, Cyber Champions! 🚀
Welcome back to Human Cyber Security Insights. In today's issue, we’re covering:
⚡ The Nova Scotia Power breach and public response
🎯 A new blog on role-based targeted phishing
🎥 CSAF #58 session recording: Shadow IT & shortcut risks
📉 Using layoffs as phishing test bait?… the worst thing I can think of
1) Cyber in the News: Nova Scotia Power learns a lesson in incident response
Nova Scotia Power has confirmed an April data breach that occurred after threat actors accessed customer information in an attack discovered last month.
What you need to know:
But what’s just as notable? The public reaction. The region of Cape Breton saw lines out the door for an in-person breach information session by the utility. That kind of turnout shows just how crucial it is to connect with your community post-breach for recovering brand trust and reputation. (Or even better, why not connect beforehand, to show responsible governance and retain confidence in the case of an eventual breach?)
Delayed timelines, vague answers, and the feeling of being kept in the dark all contribute to erosion of trust. The lack of preparation for handling logistical issues in the case of a breach, such as public meetings, is an indicator of potential management gaps that may have contributed to the breach itself.
If an organization is proactive enough to conduct Table Top Exercises (TTX), it can uncover those gaps in communication and decision-making before an incident occurs. If you'd like to discuss how TTXs work, please reach out to me.
2) Click Armor Blog: Role-Based Targeted Threats
Traditional training often misses the mark for one reason: not everyone is targeted equally.
Our latest blog explores the growing trend of role-based phishing attacks—including a case study on how a CFO needs to understand many more phishing message scenarios than you could effectively cover with traditional phishing tests. There's really a better way, which includes both immersive, virtual phishing simulations, as well as live, AI-based deep-fake attack examples.
If you’re building awareness programs that treat every role the same, this is a must-read.
3) ICYMI: Educating employees on shadow IT and risks from taking tech shortcuts
This week’s Cyber Security Awareness Forum tackled the sneaky risks of Shadow IT and everyday tech shortcuts.
From rogue productivity tools to browser extensions with hidden risks, our panel covered:
Here's a short clip with insights from Christopher R. McKay about one of the great benefits of training employees about cyber security risks.
🎥 Watch the full recording HERE.
NEXT Session: July 9th at 1pm ET.
NOTE: The next CSAF session (#59) will be on "Understanding, selecting and communicating an AI governance model for your organization" with a special guest panelist Garret Grajek from YouAttest.
You can register for this session HERE.
4) Rottenphish: Using layoffs as phishing test bait? ... The worst thing I can think of.
Simulating layoffs as phishing test bait crosses an obvious ethical line. It’s not just bad taste; it damages culture, triggers anxiety, and can actually make good people not want to work in your organization.
This X user is a perfect example of what employees start to think when their IT team uses sensitive scenarios that affect them personally to try to trick them: "I hate it here".
Reminder: Your goal is to educate, not emotionally manipulate. Fear-based simulations rarely lead to meaningful learning—and they’re a fast way to lose your team’s trust.
The most common thing that live phishing tests teach employees is to be paranoid. But while we do need to make sure people know they can be a target -- no matter what their job is -- there's no need to alienate employees just to make this point.
What becomes more important in the long run is making sure employees know how to spot today's increasingly complex attacks. This means teaching them in an environment that is conducive to learning; where they understand why protecting the organization's information assets is so important, and what their role is in doing that.
Increasing the frequency of phishing tests doesn't do this at all; and phishing tests don't really present a "teachable moment" about which clues to look for. Once the adrenaline kicks in, you've lost any ability to learn about subtleties.
About Click Armor®...
Click Armor, The Employee Cyber Confidence Builder™, helps teams engage their employees in cyber security awareness and other, role-based security training content.
Click Armor is proud to be THE ONLY CANADIAN COMPANY that offers an effective, flexible, interactive training solution designed to provide engaging and effective foundational and remedial cyber security training for both compliance and risk management.
We have a full range of off-the-shelf, easy to deploy foundational courses, assessments, and microlearning modules that are all gamified with interactivity and visually dynamic content that motivates staff to focus and improve their skills.
Click Armor helps make sure employees are ready for live tests and real-world attacks through our unique, immersive exercises that are all designed to build employee engagement and readiness.
Click Armor provides a unique form of engaging and educational learning, where employees can experience realistic cyberthreats in a positive and inclusive environment.
You can experience it yourself with our 3-minute "Can I Be Phished?" self-assessment HERE.
Make sure you are using the right tools to build a cyber confident culture, with a strong, positive and inclusive security training program.
If you'd like to see a quick demonstration of how Click Armor can be a key part of your human risk management program, check out this narrated video HERE.
Learn more and book a call on the Click Armor website at: https://www.clickarmor.ca
Remember: Engaged employees reduce risks.
Cyber Awareness | Advisory Partner | Creative Solutionist Provider
Any modern organization should use AI-based training and simulate deep-fake attacks. Too many still rely on generic e-learning and quarterly simulations designed mainly for compliance, which lack real educational value. While basic awareness may increase, these programs don’t lead to lasting behavior change or deeper understanding. Training must be practical, tailored, interactive, and continuously reinforced in the real work environment, not a one-sided task done in isolation. If the technical design is poor, security measures invite shortcuts, and employees can easily claim plausible deniability. Training becomes an obligation, something to endure, not absorb. Awareness is an input, but organizations often confuse absorbing information with actual learning. True learning requires ongoing dialogue and communication, and employees must trust that leadership treats them not as checkboxes, and training as a genuine priority, and doesn’t reduce it to cartoons that too often fail to respect the learners.