Cyber Security

Why Human Habits Are Your Biggest Security Risk

Why Human Habits Are Your Biggest Security Risk

Most cyberattacks do not start with a sophisticated intrusion. They start with a click on a personal email, a reused password, or a file uploaded to a familiar cloud service because the approved option felt slower.

The Verizon Data Breach Investigations Report found that 68% of breaches involve the human element. 

Not a zero-day exploit. Not a brute-force attack on a hardened system. Human habits, in the course of an ordinary working day.

For businesses running cloud-based workflows across multiple devices, the personal and professional overlap is now the rule. Understanding where that overlap creates risk is no longer optional. It is a core part of modern security strategy.

Read More »
What is Passkey Migration and How Can It Help Your Team Eliminate Passwords?

What is Passkey Migration and How Can It Help Your Team Eliminate Passwords?

Your team locks everything down with passwords. Some are strong, some are not, and most have been reused somewhere over the years. Every month, IT fields reset requests. Every year, the same breach reports list stolen credentials as the leading cause.

There is now a more effective path, and it does not require users to memorise anything. 

Passkey migration is the process of moving from traditional passwords to passkeys: a form of phishing-resistant authentication that uses your device’s built-in security instead of a shared secret. 

It is practical, it is already supported by most major platforms, and the business case is hard to argue with.

Why Passwords Are Still the Biggest Risk

Passwords have had sixty years to prove themselves. The data tells a consistent story.

More than 80% of data breaches involve compromised credentials, a figure that has remained consistent year after year, according to the Verizon Data Breach Investigations Report.

The underlying problem has not changed: passwords are shared secrets that must be stored somewhere, and secrets that get stored eventually get stolen.

Multi-factor authentication (MFA) reduced that risk significantly and remains an important baseline. But SMS-based codes, still the most common form of MFA, have a known weakness. 

Modern phishing kits can intercept a one-time code in real time: a convincing fake login page captures both the password and the code, and uses them on the real site before the session expires.

Phishing-resistant authentication closes that gap by design. Passkeys make it technically impossible for a fraudulent page to trigger login on your real device, because the credential is cryptographically bound to the legitimate domain.

Read More »
The “Zombie” SaaS Audit: Finding the 3 Apps Your Former Employees Still Access

The Zombie Account SaaS Audit: Finding the 3 Apps Your Former Employees Still Access

Someone leaves the company on a Friday. By Monday, their email account is disabled, and their laptop is back in the pile.

What nobody checks is their login to the project management tool they signed up for in Q3, the cloud storage folder they shared with a contractor, or the CRM access they still have from two roles ago. 

Three months later, those sessions are still active.

This is how zombie accounts form. nNot through negligence, but through an offboarding process built around corporate IT assets that no longer reflects how people actually use software. 

The average company now runs more than 100 SaaS applications. Most offboarding checklists were written when there were three.

What a Zombie Account Actually Is

A zombie account is an active login that belongs to someone who no longer works for you. The name is informal. The risk is not.

What makes zombie accounts particularly dangerous is that they are valid credentials.

There is nothing to detect. The access was granted intentionally, and the system has no reason to question it. If a former employee walks back in through that door, or if their credentials are compromised after they leave, the access is there waiting.

Industry research finds that 50% of organisations have discovered former employees still accessing SaaS applications months after their departure date.

For most of those organisations, the discovery was accidental rather than the result of a deliberate audit.

Read More »
Is Your Invoice a Deepfake? Securing Your Accounts Payable Process Against Voice and Email Cloning

Is Your Invoice a Deepfake? Securing Your Accounts Payable Process Against Voice and Email Cloning

It’s a statistic that sends a shiver down the backs of SME owners, managers and employees.  

According to the Australian Federal Police report, business email compromise (BEC) cost Australian businesses more than $152.6 million last year.

This makes it one of the most financially damaging cybercrimes on record. 

AI has made these attacks harder to detect. The question for Accounts Payable (AP) teams is no longer whether they can identify suspicious requests. It is whether the processes around payments make fraud difficult regardless of how convincing it looks.

Read More »
Adversary-in-the-Middle Attacks: How Phishing Sites Steal Your Active Login

Adversary-in-the-Middle Attacks: How Phishing Sites Steal Your Active Login

You click a link, sign in, approve the MFA prompt, and get on with your day. Completely unaware that someone else just logged into your account at the same moment.

That scenario surprises many businesses, particularly those that rely on multi-factor authentication (MFA) to protect cloud accounts. But this is exactly how Adversary-in-the-Middle (AiTM) phishing attacks work. 

Rather than stealing passwords for later use, these attacks silently hijack an already-authenticated session in real time.

MFA remains a core control, and getting it implemented correctly is still a critical first step for any business. 

But AiTM attacks exploit something MFA was never designed to protect: the trusted session that exists after authentication has already completed.

Read More »
The "Session Cookie" Hijack: Why MFA Can’t Always Save You

The “Session Cookie” Hijack: Why MFA Can’t Always Save You

MFA is a strong front-door lock. But it’s not the only thing that decides whether someone can get in.

After you sign in, your browser keeps you logged in using a session token (often stored as a cookie). It’s the digital version of a wristband at an event: once you’ve been checked, the wristband proves you belong there. If an attacker steals that wristband, they may not need to beat your MFA prompt at all.

That’s the core of session cookie hijacking. The attacker isn’t “cracking” MFA. They’re skipping it by replaying your already authenticated session.

This isn’t a reason to stop using MFA. It’s a reason to stop treating MFA as the finish line. 

When sessions can be stolen, the practical defence shifts to layered controls: phishing-resistant sign-ins, device hygiene, tighter session policies, and detection that catches suspicious access early.

Read More »
Micro-SaaS Vetting: The 5-Minute Security Check for Browser Extensions

Micro-SaaS Vetting: The 5-Minute Security Check for Browser Extensions

Browser extensions have a funny reputation. They feel “small”. A quick install. A tiny productivity boost. A harmless little helper that lives in your toolbar.

But in practice, a browser extension is more like a micro-SaaS vendor sitting inside your browser session. It can see what you see, interact with the pages you open, and sometimes access the same cloud apps your business runs on all day.

That’s why a browser extension security check matters. 

Not because every extension is bad, but because it only takes one over-permissioned add-on or one bad update to turn “helpful” into exposure.

The good news is you don’t need a 40-page policy to reduce the risk. A simple five-minute check can prevent most extension problems before they start.

Read More »
The Essential Security Checklist for Securing Company Laptops at Home

The Essential Security Checklist for Securing Company Laptops at Home

At home, security incidents don’t look like dramatic movie hacks. They look like stepping away from your laptop during a delivery, or leaving it unlocked while you grab something from another room.

Those ordinary moments, repeated over time, are how work devices end up exposed.

A remote work security checklist focuses on simple, practical controls that hold up in real life. Put it in place once, make it routine, and you’ll prevent the kinds of issues that hurt most because they were entirely avoidable.

Read More »
The 2026 Guide to Uncovering Unsanctioned Cloud Apps

The 2026 Guide to Uncovering Unsanctioned Cloud Apps

If you want to uncover unsanctioned cloud apps, don’t begin with a policy. Start with your browser history.

The cloud environment most businesses actually use rarely matches the one shown on the IT diagram. It’s built through countless small shortcuts: a “just this once” file share, a free tool that solves one problem faster, a plug-in installed to meet a deadline, or an AI feature quietly enabled inside an app you already pay for.

In the moment, none of it feels like a problem. It feels efficient. Helpful.

Until it isn’t. Then you realise business data is scattered across tools you didn’t formally approve, accounts you can’t easily offboard, and sharing settings that don’t reflect the actual risk.

Read More »
Stop Ransomware in Its Tracks: A 5-Step Proactive Defence Plan

Stop Ransomware in Its Tracks: A 5-Step Proactive Defence Plan

Ransomware isn’t a jump scare. It’s a slow build.

In many cases, it begins days, or even weeks, before encryption, with something mundane, like a login that never should have succeeded.

That’s why an effective ransomware defence plan is about more than deploying anti-malware. It’s about preventing unauthorised access from gaining traction.

Here’s a five-step approach you can implement across your small-business environment without turning security into a daily obstacle course.

Read More »

Looking for something else? You can navigate through our menu or use this search bar:

Search