Posts

The Agency That Tells You to Protect Your Credentials Just Left Theirs on GitHub. Here's What It Means for Your Business.

Breaking News Credential Risk May 2026 · 7 min read

On May 14, 2026, a security researcher found 844 megabytes of US government credentials sitting in a public GitHub repository named "Private-CISA." The credentials belonged to CISA — the agency whose job is to tell businesses how to protect their credentials. The five lessons from this story apply directly to every SMB in America.

The files were named with a frankness that made security researchers do a double-take. One was called "importantAWStokens." Another was "AWS-Workspace-Firefox-Passwords.csv" — a spreadsheet listing plaintext usernames and passwords for dozens of internal government systems. Both were sitting in a public GitHub repository that anyone on the internet could read, download, and use. The repository had been there since November 13, 2025. For six months, credentials granting high-level administrative access to US gover...

The FBI Just Told You Exactly How Your Business Will Be Attacked. Did You Read It?

Threat Intelligence Financial Impact May 2026 · 8 min read

Every April the FBI releases its Internet Crime Complaint Center annual report — the most comprehensive government analysis of real cybercrime in the US. The 2024 report landed April 23, 2025. $16.6 billion in losses. 859,532 complaints. Five findings that apply directly to your business right now.

Every year in April, the FBI publishes the most authoritative cybercrime document available to any business owner in the United States. It's called the Internet Crime Complaint Center Annual Report — IC3 for short — and it contains 25 years of data on how Americans and American businesses are being attacked, how much they're losing, and which attack types are accelerating. The 2024 report, released April 23, 2025, documented a record-breaking year. $16.6 billion in losses. 859,532 complaints. A 33% increase in losses from 2023. The average loss per incident ...

What Attackers See When They Scan a Business They Decide Not to Attack

Thought Leadership Attack Surface May 2026 · 8 min read

Attackers don't choose their targets the way you might imagine — a person researching your business, deciding you're worth their time. Most SMB targeting is fully automated. A scanner runs. It finds gaps or it doesn't. What it doesn't find is what keeps you off the list.

Somewhere right now, an automated tool is scanning your domain. It's not a person — it's a script running across thousands of businesses simultaneously, looking for the same handful of gaps it always looks for. Open RDP port. Missing DMARC enforcement. Credentials in a breach database. Admin panel exposed to the public internet. Known unpatched CVE on an internet-facing service. If it finds any of those, your domain goes into a queue. If it doesn't, it moves on. The decision takes milliseconds and involves no human judgment whatsoever. This is the most important and ...

Most Breaches Start With a Human. Most Humans Were Set Up to Fail.

Thought Leadership Human Risk May 2026 · 8 min read

68% of all data breaches involve the human element. But when you look at what those humans were actually given to work with — no password manager, no number matching on MFA, credentials already for sale that nobody told them about — the question isn't why employees make mistakes. It's why businesses are surprised when they do.

Marcus works in accounting at a 40-person professional services firm. He's been there for six years. He's conscientious, detail-oriented, and genuinely cares about his job. He has never intentionally done anything to compromise his employer's security. Last Tuesday at 4:47pm, with two pending deadlines and a client call in 13 minutes, he received an email that appeared to come from his CEO asking him to review an attached invoice before end of day. The email was well-written, used the CEO's real name, referenced an actual c...