One Click Won’t Kill You, But…
7–28–2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, July 28, 2025, and it’s time for a bit of a reality check.
One Click Won’t Kill You, But…
There is a BBC article making the rounds that carries this headline:
“Weak password allowed hackers to sink a 158-year-old company”
The article details how KNP - a Northamptonshire transport company - was running a fleet of 500 trucks when it was hit by the Akira ransomware gang in 2023.
The article goes on to say “The company said its IT complied with industry standards and it had taken out insurance against cyber-attack.”
It even offers a quote that I think is aimed to be sympathetic, where “KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company.”
But the truth is, that wasn’t what led to it. That may have been the straw that broke the camel’s back, or the initial compromise vector, but, as always in cyber, there’s more to the story.
Where were the phishing protections?
How about the training to help users identify and report these types of emails?
What were the multi-factor authentication requirements, limiting the impact of a breached credential?
How were endpoints being protected and monitored - a modern EDR platform with 24/7 coverage and auto-isolation?
Was network segmentation in place across the enterprise to limit the blast radius of malicious activity?
How were backups configured - off-line and airgapped? Regularly run? Tested?
Any (or all) of these controls would have reduced the impact of that click, that exposed credential, or any of the other cascading failures that ultimately led to the downfall of this company.
And that’s the lesson we should take away here - these are systems failures, not the failure of an individual employee. If your enterprise can go under with a single credential compromise, you haven’t built enough resilience.
It’s curious to me that there’s no mention of the other controls that were in place beyond the mention that they were “industry standards” (which, by the way, really aren’t a thing). Also, why didn’t that cyber insurance policy help you out? Again, there’s always more to the story, but the moral of this particular story is that we need to work to build robust technical, administrative, and physical controls to build a resilient enterprise that can withstand the threats and risks we can all reasonably anticipate in 2025 and beyond.
Fundraising
A quiet week where I didn’t see any fundraising announcements. Doesn’t mean they didn’t happen, but just that they weren’t newsworthy enough to cross my desk. Even fundraisers take vacations!
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links