The Day Nancy Started Crying
A breach, a wake-up call, and how a fast-moving company hit pause to protect its people.
We’re not powerless. Cybercrime thrives on confusion and silence. Stories bring clarity. They invite conversation. They create momentum. I write Stan’s Corner to be shared—between teams, with clients, across industries. Because when we understand the threat together, we can stop it together.
About ten minutes into our meeting, Nancy started crying.
“I feel so bad,” she said. “I didn’t mean to hurt anyone. I was just following instructions. I thought I was doing what I was supposed to do.”
Nancy was head of HR at a mid-sized manufacturing firm in Los Angeles. Three weeks earlier, she’d received an email that looked like it came from the company president. It asked for a list of employees—names, addresses, Social Security numbers, dependents, and whether they were enrolled in the 401(k). The request sounded urgent.
In a company where moving fast was a core value, Nancy didn’t hesitate. She replied to the email that same day with a spreadsheet containing the requested information—273 employees.
The Breach.
The email was fake.
The data had gone straight to identity thieves.
The company had to launch an investigation—$25,000. Notify every employee. Pay for two years of identity theft protection. And deal with a serious blow to morale.
The Recovery
That’s when I got the call.
My role was to help them recover. And to implement reasonable security controls to lower the risk of anything like this happening again.
We kicked things off with an all-hands meeting. We walked through what happened. Laid out the response. Let staff know the company had committed to a real security program.
And we launched basic training—how to recognize suspicious emails, how to spot red flags, and, importantly, how to protect not just the company, but themselves and their families. Including how to freeze their credit.
The Turning Point
Then the President stood up.
“If you ever get an email asking for sensitive info—even if it looks like it’s from me—call me. Verify it. We move fast here. That’s part of our edge. But not at the cost of our security.”
After the meeting, I saw Nancy in the hallway again. There were tears in her eyes, but this time they were tears of joy. She was smiling. We shook hands. Teammates now.
Leadership
A week later, I met with the president. He had already formed a cross-functional security team—and asked Nancy to lead it. She’s now the company’s Cybersecurity Leader.
We meet again in two weeks. They’re doing the work.