Lots of bad hot takes on LinkedIn (or as I think we’re supposed to refer to it here, the Berksite), regarding social engineering and employee security awareness training post-MGM, “your employees are the biggest risk”, yada yada yada.
Nope.
If a single employee can be socially engineered resulting in such devastating impact, that’s not a failure of that employee. It’s a failure of several layers of people, including some who will have been paid more in a year than the socially engineered employee would have in ten, to allow such a target-rich, mission-critical environment to develop without putting proper controls in place to stop an attacker at the first opportunity once they are in.
And sadly, this story will play out hundreds more times, and the “untrained employee” will be thrown under the bus each and every time.