Posts

Showing posts with the label Small Business

You Turned MFA On. Attackers Already Have Three Ways Around It.

Thought Leadership · Credential Risk · May 2026 · 8 min read

In Q3 2025, 32% of organizations hit by ransomware had MFA deployed — and 41% of those were breached anyway via MFA bypass. MFA is necessary. It's no longer sufficient. Here are the three routes attackers are using to get around it, and what actually stops them.

On the night of September 15, 2022, an Uber contractor started receiving push notifications on their phone. A second-factor authentication request — the kind their MFA setup had been sending them for years. They declined it. Another one appeared. They declined again. For over an hour, notifications arrived every few minutes. Exhausted, assuming it was a system glitch, they finally tapped Approve. Within minutes, the attacker had access to Uber's internal systems, Slack, and source code repositories. The MFA worked exactly as designed. The human didn't. This is the story most businesses don...

Your Firewall Is Playing Man-to-Man. Attackers Are Running Pick-and-Roll.

Thought Leadership · Layered Security · May 2026 · 8 min read

In the 2026 NBA Playoffs, the teams winning on defense aren't running pure man-to-man. They're switching schemes, mixing zone principles, and forcing offenses to solve problems they haven't practiced against. Most small businesses defend their data the way a team plays man-to-man against Steph Curry. There's a better way.

In the 2026 NBA Playoffs Conference Semifinals, the Denver Nuggets ran zone defense on nearly 30% of their halfcourt possessions against the Oklahoma City Thunder. For a team that played zone on just 3% of possessions during the regular season, that's a dramatic shift. And it worked — OKC's Jalen Williams, Chet Holmgren, and Lu Dort shot a combined 23% from three against the zone, compared to 39% in the regular season. Why? Because the Thunder had spent the entire season perfecting their pick-and-roll attack against man-to-...

Your Password Policy Isn't Protecting You. Your Employees' Habits Are.

Thought Leadership · Credential Risk · May 2026 · 8 min read

94% of leaked passwords are reused or duplicated. Employees reuse the same password an average of 13 times. And by 2026, nearly half of all successful cyberattacks on SMBs will originate from credential reuse. Most businesses have a password policy. Almost none have visibility into whether anyone follows it.

Think about the password you use for your personal email. Now think about whether any of your employees use that same password — or a variation of it — to log into your business systems. You don't know. And that uncertainty is the problem. In 2024, a security researcher analyzed 19.03 billion leaked passwords from breach databases and found that only 6% were unique. The other 94% had been used before — on another account, at another company, in another breach. Every one of those reused credentials is a master key that attackers test systematically...

The security principles casinos built first — and what they mean for your business

Thought Leadership · Information Security · May 2026 · 8 min read

What Vegas Casinos Know About Security That Your Business Doesn't

Las Vegas casinos built the most sophisticated security and surveillance environments on earth — decades before cybersecurity existed as a field. They solved access control, insider threat, behavioral detection, and continuous monitoring with card tables and one-way glass. The principles they used are the same ones your business needs today.

In the 1950s and '60s, before surveillance cameras existed, Las Vegas casinos built catwalks in the ceilings above the casino floor — dark, narrow walkways above one-way glass where trained observers watched every card dealt, every chip moved, every hand gesture at every table. They couldn't see everything. But they knew where the risk was highest, and they watched those spots without interruption. By the mid-1980s, the Nevada Gaming Control ...

The $19.5 Million Mistake Most SMB Owners Make Before Lunch

Thought Leadership · Financial Impact · May 2026 · 8 min read

The average organization now loses $19.5 million annually to insider threats — and the incidents driving that number don't happen during dramatic heists or sophisticated attacks. They happen during ordinary workdays, in ordinary moments, by ordinary employees just trying to get things done.

It's 8:47am on a Tuesday. Your sales manager, Sarah, is on her second coffee and working through a backlog of emails before her 9am call. She gets a message that looks like it's from your IT vendor — subject line "Action Required: Account Verification." It's well-written, uses her real name, references a software tool she actually uses. She clicks the link, enters her credentials, and moves on. By 8:49am, her account belongs to someone else. By the time anyone notices — 81 days later on average — that account has been the source of unauthorized access t...