Securing Your Humans
12–8–2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, December 8, 2025, and while we’ve been talking a LOT about AI lately, it’s important to remember the human side of the equation.
Securing Your People
We talked last week about how people were putting all sorts of sensitive information onto websites that could lead to further exposure of their organization’s sensitive systems and data.
This week, we saw a news story with quite a headline:
“Contractors with hacking records accused of wiping 96 govt databases”
The article, from Bleeping Computer, outlines how two brothers in Virginia have been charged with “conspiring to steal sensitive information and destroy government databases after being fired from their jobs as federal contractors.”
While that’s not great, what’s really not great is that both of these twin brothers were previously “also sentenced to several years in prison in June 2015, after pleading guilty to accessing U.S. State Department systems without authorization and stealing personal information belonging to dozens of co-workers and a federal law enforcement agent who was investigating their crimes.
Muneeb Akhter also hacked a private data aggregation company in November 2013 and the website of a cosmetics company in March 2014.”
The article writes that “After serving their sentences, they were rehired as government contractors.”
Obviously, we have a failure of multiple controls happening here. The contractor clearly didn’t do enough work in their background check process to identify the multiple indictments before - which can be easily found by just googling their names, as the DoJ press release is still live.
But beyond that, there obviously was a lack of control effectiveness with regards to their internal operations - how were these two people able to move around the environment and make these sorts of changes. Clearly we weren’t applying the principles of least privilege, nor were we using separation of duties in managing these databases.
96 databases is a lot of databases to just get deleted with nobody doing their root cause analysis and finding out that it was one of these two accounts doing the deleting.
I raise this issue not only because everything about it is ludicrous (which is true), but because it pairs nicely with an interesting bit of information coming out of the UK’s National Cyber Security Centre (NCSC) noting that “large language models may never be fully protected from “prompt injection,” a growing type of cyber threat that manipulates AI systems into ignoring their original instructions.”
The writeup notes that “many security professionals mistakenly assume prompt injection resembles SQL injection, a comparison he argued is “dangerous” because the threats require different approaches.”
Indeed, this is really similar to securing the humans - if you can get an LLM to act in a way that’s potentially malicious, you need to put controls in place that limit its ability to do damage (intentionally or unintentionally) to your systems in the same way that you would limit a human.
While I don’t have time in this video to parse out the nuance of managing LLMs vs. managing humans (and would note that I’m always, always, always going to be on the side of the humans in these debates), there’s lots of corollaries that can help us continue to make informed decisions about how we keep the balance between productivity and security in the way we use these technologies.
As always, it’s the basics we’ve got to get a handle on first, before we try to get fancy. Otherwise, we’re just asking for trouble.
Fundraising
From a fundraising perspective, another quiet week, with only about 2.2B in newly committed capital. Lots of announcements that funds are targeting large amounts, but on this channel we only count what’s committed.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.justice.gov/opa/pr/two-virginia-men-arrested-conspiring-destroy-government-databases
https://therecord.media/prompt-injection-attacks-uk-intelligence-warning