Given how bad the security trainings I've seen are, this isn't a surprise. My employer's last cybersecurity training said that data doesn't count as PII if it doesn't include some person's name. That's an outright contradiction of the CCPA, EU GDPR, and UK GDPR definitions! The rest of the advice tends to be similarly suspect, like the common advice that phishing emails have lots of spelling & grammar mistakes: that's well-known enough that scammers have started using proper spelling & grammar, like in the recent supply-chain attacks on NPM debug/chalk/etc.
The article blames it on people not engaging with the trainings, which is quite likely, but I suspect even if they did engage, the trainings wouldn't be particularly effective. It recommends hardware 2FA & password managers that autofill based on domain, which are both good choices, but I'd also say that splitting up communication channels into trusted internal & untrusted external is a good idea.
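The reason domain-based autofill holds up where "spot the typo" training fails is that the manager compares the page's actual host string against the saved one, so a lookalike that fools a human eye simply produces no match. The snippet below is an added illustration of that matching rule, written for this thread and not taken from the comment above or from any real password manager; the vault contents and the URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample vault: (scheme, host) -> credential label.
# These entries and labels are made up for the example.
VAULT = {
    ("https", "login.example.com"): "alice@example.com",
    ("https", "bank.example.net"): "alice-bank",
}


def matching_credentials(page_url, vault=VAULT):
    """Return the credential labels a domain-matching manager would offer
    on page_url. Only an exact scheme+host match counts: no fuzzy matching,
    no "looks similar" logic, and nothing is ever offered over plain HTTP."""
    parts = urlsplit(page_url)
    scheme = parts.scheme.lower()
    # .hostname already strips userinfo and ports, so a URL like
    # https://login.example.com@evil.test/ resolves to host "evil.test".
    host = (parts.hostname or "").lower()
    if scheme != "https" or not host:
        return []
    return [label for (saved_scheme, saved_host), label in vault.items()
            if saved_scheme == scheme and saved_host == host]


def explain(page_url):
    """Human-readable verdict for a given page URL (used for the demo below)."""
    labels = matching_credentials(page_url)
    if labels:
        return f"{page_url}: would offer {labels}"
    return f"{page_url}: no match, nothing offered"


if __name__ == "__main__":
    # Constructed URLs: the genuine login page plus common lookalike shapes.
    for url in (
        "https://login.example.com/auth",           # genuine page
        "https://LOGIN.example.com/",               # case differences are fine
        "https://login.example.com.evil.test/",     # saved host used as a prefix
        "https://login.examp1e.com/",               # digit-for-letter lookalike
        "https://login-example.com/",               # hyphen instead of dot
        "https://login.example.com@evil.test/",     # userinfo trick
        "http://login.example.com/",                # right host, wrong scheme
    ):
        print(explain(url))
```

The strictness is the point: every lookalike in the demo list is one a person might skim past, and none of them survives a byte-for-byte host comparison. A real manager adds handling for subdomains and registrable-domain grouping, but the defensive property comes from never loosening that comparison into "close enough".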