CyberHoot’s Cybersecurity Newsletter: May 2026

22nd May 2026 | Newsletters

Welcome to CyberHoot’s May Newsletter!

Tax season has a way of consuming everything. For weeks, most business owners are heads-down on deadlines, extensions, and documents. Security hygiene may have taken a temporary back seat. May is the moment to come up for air and take an honest look at business risks that often go unnoticed. This month, CyberHoot is shining a light on three hidden risks that tend to grow quietly in the background, especially during the seasons when priorities are elsewhere.

First, we detail third-party app connections to Google and Microsoft workspaces quietly granting broad permissions to company data, and how most organizations have no idea how many exist. When an employee connects a new productivity or project app to their work account, that app often receives permission to read email, access files, and view calendar data. Most employees never review what they agreed to. Most IT teams never see it happen. We dug into this problem in our recent article, ‘Your Employees Connected 47 Apps to Google Last Year. Can You Name One of Them?’ and the findings will surprise you.

Second, we look at how attackers no longer need your password to get into your accounts. When you log in to Google, Microsoft, or any web application, your browser receives a session token, a small piece of data that proves you already authenticated. Attackers who steal that token can walk straight into your account without ever knowing your password, and without triggering multi-factor authentication. No forced entry. No failed login alerts. Just silent access. We break down how this works and what to do about it in our article, ‘Attackers Don’t Need a Key. They Already Have Yours.’

Finally, we look at a risk sitting at the edge of every network your clients own, including the ones they can’t see. Most businesses have a handle on their office network. Few have any visibility into the home routers their remote employees use every day. Those routers are rarely updated, almost never monitored, and almost no one knows what firmware version they are running. Attackers know this. Nation-state actors have been actively targeting home and small office routers as entry points into corporate networks precisely because they are so easy to exploit and so hard to detect. Your clients’ remote work setup may be the least secure link in their entire environment. We dig into the full picture in our article, ‘Why Your Clients’ Routers Are Now a National Security Conversation.’

These three risks share something important. None of them announce themselves. No alarm goes off. No logins fail. No error messages appear. Third-party app permissions accumulate silently. Stolen session tokens provide access without alerts. Compromised routers sit undetected for months or even years! The common thread is that these risks are already inside your environment, operating through trusted systems and connections you rely on every day. The first step to fixing these hidden problems is knowing they exist. Now that you do, read on to learn what to do about them.

Craig
CEO, Co-Founder, CyberHoot


Why Your Clients’ Routers Are Now a National Security Conversation


Your Employees Connected 47 Apps to Google Last Year. Can You Name One of Them?


Attackers Don’t Need a Key. They Already Have Yours.


Liking CyberHoot? We need your help. Please leave us your review at G2.com!



For more information on how to leave a CyberHoot review, please watch the brief video overview below. Note: to avoid fraudulent reviews, each review website will require you to create and validate your identity through an email account registration process.



Data Confidentiality

Data Confidentiality is the assurance that information is only accessible to authorized individuals and is not disclosed to anyone without a legitimate need-to-know. It focuses on protecting data from unauthorized viewing, sharing, or exposure, whether accidental or intentional. This is a foundational element of the CIA triad (Confidentiality, Integrity, and Availability).

Confidentiality is maintained through controls such as access restrictions, encryption, authentication, and user permissions. When confidentiality fails, sensitive data such as financial records, personal information, or intellectual property can be exposed, leading to legal, financial, and reputational damage.



CyberHoot is constantly adding new content to our platform. Our most recent video addition is our “Handle with Care: Protecting Personally Identifiable Information or PII” video. Watch it below and assign it through CustomHoots manually if you require PII training.


Please note: CyberHoot is upgrading all Power Users to Autopilot for free. Contact support@cyberhoot.com to schedule your free upgrade. The Power platform will be retired later this year, in Sept. 2026.

Power Platform Release Notes

  • Added ability to unarchive users when they are added with a CSV import.
  • Updated risk score to skip AttackPhish weight in algorithm if there are no AttackPhish campaigns for the given customer.
  • AttackPhish emails and landing pages now translate to the user’s set language

Autopilot Platform Release Notes

  • Added ability to unarchive users when they are added with a CSV import.
  • Updated risk score to skip AttackPhish weight in algorithm if there are no AttackPhish campaigns for the given customer.
  • Added SSO and Passkey Integration.
  • Added the ability to clone Custom Hoots, CSV exports, Download Policy or Document buttons, and Send Test Email buttons throughout

General Improvements:

  • AttackPhish emails and landing pages now translate to the user’s set language
  • Celebration popup with confetti rain when users move up in Hoot Rank or pass an assignment
  • Larger call-to-action button on My Assignments and Assignment Results pages so waiting work is unmissable
  • Sanitized error message output to prevent XSS vulnerabilities

CyberHoot has officially achieved a long-standing goal of being featured on the legendary “Security Now!” podcast with Leo Laporte and Steve Gibson. To be 100% clear, this is a paid sponsorship of the podcast.

Please watch this quick 3-minute feature as Leo Laporte shares his experience with HootPhish and explains why CyberHoot’s positive reinforcement approach to phishing education caught his attention.


We’re excited to introduce Custom AttackPhish, a new feature within CyberHoot’s Autopilot platform that gives administrators greater flexibility when running phishing simulations. With Custom AttackPhish (located in our CustomHoots Power-Up), admins can create and launch customized phishing campaigns that better reflect the real-world threats their users may encounter.

This helps organizations deliver more relevant security awareness training while improving users’ ability to recognize and respond to phishing attempts. An overview video with instructions on how to create Custom AttackPhish paired to the equivalent HootPhish will be recorded and shared in the coming weeks.

If you need additional help, you can always reach our support team at support@cyberhoot.com.


Enroll in CyberHoot’s Referral Program today and start earning a 20% share of all revenue generated for one year by those who register through your exclusive referral link. As a referral partner, not only will you receive financial rewards, but you’ll also experience the satisfaction of aiding others in becoming more security-conscious, safeguarding them against cyber threats. Don’t hesitate, sign up now at https://cyberhoot.com/referral-program/.

Referral through Autopilot’s Dashboard:

Join CyberHoot in our mission to create a more aware and better secured world! Recommend CyberHoot Autopilot to a friend, and they will enjoy a complimentary first month. For every new sign up who uses your referral link, you will receive a free month added to your account. This offer is exclusively for first-time CyberHoot registrants.


Know someone who had a close call recently with a cyber attack, phishing email, or social engineering phone call? Recommend CyberHoot’s free cybersecurity training. They’ll receive six (6) videos (each video is 3-4 min.) and one of our positive reinforcement, hyper-realistic phishing simulations. All for free.

Registration: https://cyberhoot.com/individuals


Looking for additional resources?

CyberHoot Case-Studies

CyberHoot White Paper Download – How HootPhish Improves upon AttackPhish

All New: 2025 Infographics on Cybersecurity Statistics


Secure your business with CyberHoot Today!!!
