Inflection Point: When Cybersecurity is NOT Part of Your DNA
Ever heard about walking your talk?
Cyberhaven, a security startup that helps others stop insider threats, just got exploited through a basic phishing email on Christmas Eve.
This wasn’t just any breach. The attackers got control of Cyberhaven’s Chrome Web Store account and pushed malicious code to over 400,000 users.
Here’s what bothers me most: A company selling security solutions couldn’t protect its most valuable asset - its software distribution pipeline.
This tells me cybersecurity wasn’t really part of their DNA. I realize they’re just a startup. Resources are extremely tight. But, they failed at the basics.
Think about it. One phishing email gave criminals control of their entire customer base. Where was the:
👉 Multi-factor authentication?
👉 Separate admin accounts for critical systems?
👉 Extra verification prior to code pushes?
These are “table stakes” for anyone doing business on the Internet these days.
The timing was perfect for the criminals. Most security teams run lean during holidays. That’s why the bad code stayed active for 30 hours.
This $488 million company, fresh off an $88 million funding round, got taken down by Phishing 101.
After finding the attack, Cyberhaven did the usual things:
But these are just incident response checkboxes. The real question is: Why wasn’t reasonable cybersecurity baked into their culture?
When you sell security, you need to live and breathe it. Your employees should have security awareness in their bones—especially those with admin access to customer-facing systems.
Where did the buy-in fail?
Click "comment" and tell me...
I read every comment you post.
-Kip
P.S. Please forward this "Inflection Point" to someone you care about.
Current Podcast Episode: “The CrowdStrike Episode”
Have you done a post-mortem of the CrowdStrike IT outage of 2024? What are the major lessons?
Let’s find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities LLC, and Jake Bernstein, CISSP, CIPP/US, Partner with K&L Gates.
By the way...
My wife and I took our three youngest kids to Victoria, British Columbia for a few days right before Christmas.
We took the Blackball Ferry across the Strait of Juan de Fuca into Canada.
It’s a 90-minute sailing each way.
We really enjoyed the meticulous holiday lighting and warm atmosphere.
Just a little touch of Europe here on the west coast.
Kip Boyle is a husband, dad, entrepreneur, and experienced cyber risk manager. He founded Cyber Risk Opportunities LLC in 2015, after seven years as the CISO of PEMCO Insurance in Seattle. As a captain on active duty in the US Air Force, he served in the Combat Archer and F-22 Stealth Fighter programs where he was the director of enterprise network security. These days, he serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
A basic phishing attack took down a huge company. We all need better prevention. Kip Boyle
Crafting Quality & Scalable Code | IT Consultant | Backend Developer | Full Stack Developer | Python | FastAPI
3mo That's a tough lesson for a security startup! Kip Boyle
Yet another reminder of the critical need for companies to implement a practical cyber risk strategy to safeguard their business. We’re excited to collaborate with you in our upcoming webinar and share valuable insights on how to achieve this!
Let's talk about #cybersecurity #cyberresilience #cr-maps #cyberinsurance #cyberriskmanagement #cyberpolicies #cyberprocesses #networking
3mo Gosh, I feel for them! Kip Boyle, you always talk about slowing down to go fast. Start-ups are notorious for moving fast. It's scary to realize that cybersecurity providers can be the source of a compromise. The reality is, they need to be vetted, just like other third parties...
Consultant | Virtualisation | Cybersecurity | Cloud | On-Prem | Data | Technology Evangelist | Leader | AI | Infrastructure |
3mo As ever... the human factor is ALWAYS ignored. Overworked staff. Tired staff. Stressed humans. Regardless of how good they are at rest. No amount of technology will help if you're constantly stressed about job, life, doing 3 or 4 people's jobs etc. I'm generally quite good as it's part of my job but once been caught off guard when tired & stressed. Luckily on my phone rather than in an enterprise. But I've seen "Oh we're really busy, let's just turn off the firewall for 10 minutes because we don't have time to do it properly" --- not me I hasten to add but I had to deal with the minor fallout after.