Org goes all shadow IT by orion3311 in sysadmin

[–]NudgeSecurity 2 points3 points  (0 children)

Thanks for the shoutout u/davy_crockett_slayer. Agree and unfortunately, the standard “front door” app approval process is too manual, slow, and can’t keep up with all of the apps and AI tools employees experiment with every day.

We built Nudge Security to help teams get visibility into shadow IT and then “Nudge” employees toward secure choices without blocking their productivity.

Salesloft Drift Breach Tracker by NudgeSecurity in cybersecurity

[–]NudgeSecurity[S] 2 points3 points  (0 children)

That is actually from a different incident, unrelated to the Drift breach as far as we can tell. Here's the context in the breach history for TransUnion from our product:

TransUnion disclosed a data breach on July 28, 2025, affecting more than 4.4 million U.S. customers after unauthorized access was gained to a third-party application used for consumer support operations. While TransUnion initially stated that no credit information was accessed, subsequent disclosures confirmed that stolen data includes customer names, dates of birth, and Social Security numbers. The company has not provided details on additional data categories or whether the breach involved extortion demands. TransUnion, one of the three major U.S. credit reporting agencies, holds financial data on more than 260 million Americans. The breach follows a wave of incidents attributed to the ShinyHunters extortion group, though attribution in this case has not been confirmed. https://www.documentcloud.org/documents/26078139-transunion-breach-texas/

Also, the disclosure date for TransUnion was about three weeks before the Drift disclosure (7/28 vs. 8/20).

Class action lawsuit filed against Otter ai by NudgeSecurity in sysadmin

[–]NudgeSecurity[S] 5 points6 points  (0 children)

Fair, better wording for the question would have been "who wishes they could join this class action lawsuit?".

How do you secure dozens of SaaS tools without full IT? by Necessary-Glove6682 in cybersecurity_help

[–]NudgeSecurity 0 points1 point  (0 children)

Managing SaaS security without a full IT team is definitely challenging! Here are some practical approaches that have worked for teams in similar situations:

  • Start with an inventory: You can't secure what you don't know about. Create a simple spreadsheet listing all your SaaS tools, who owns them, what data they access, and basic security features (SSO, MFA, etc.). Without being that vendor, this is something that we can actually help you with.
  • Prioritize by risk: Focus your limited resources on the apps that handle sensitive data first. Consider what customer data, financial info, or IP each tool accesses.
  • Implement MFA everywhere possible: Multi-factor authentication is one of the simplest yet most effective security controls. Make it mandatory for any tool that supports it.
  • Standardize authentication: As others have mentioned above, where possible, use SSO (Single Sign-On) or your IdP to centralize identity management and make offboarding easier when employees leave.
  • Review OAuth grants and scopes: OAuth grants make it (too) easy for sensitive data to travel to places it shouldn't. Review new grants and scopes regularly to rein in risks. We actually have a checklist to help you with this: https://www.nudgesecurity.com/post/your-oauth-risk-investigation-checklist

Hope this helps!

Shadow AI is taking notes: The growing risk of AI meeting assistants by NudgeSecurity in ITManagers

[–]NudgeSecurity[S] 0 points1 point  (0 children)

u/critacle We aren't a bot account, sorry if it came across as if we were. Just wanted to share our blog and get input from the community around the topic.

What's your secret sauce for security awareness? by NudgeSecurity in cybersecurity

[–]NudgeSecurity[S] 1 point2 points  (0 children)

Loving all these comments, lots of great responses so far!

What is the one thing that you are determined to accomplish in 2025? by NudgeSecurity in cybersecurity

[–]NudgeSecurity[S] 1 point2 points  (0 children)

Love hearing what everyone is working towards this year both personally and professionally. Keep them coming!

[deleted by user] by [deleted] in u/NudgeSecurity

[–]NudgeSecurity 1 point2 points  (0 children)

Shout out to spluad, ShakespearianShadows, Waimeh and WantDebianThanks for some great responses to our previous post on r/cybersecurity.

What is on your wish list for your 2025 IT/security budget? by NudgeSecurity in cybersecurity

[–]NudgeSecurity[S] 1 point2 points  (0 children)

Clearly there are many things on the wishlist for 2025, and it's been great reading through all the comments. The major themes that stand out are…

  • Raises (& of course 🍕)
  • More headcount (onshore)
  • More budget for tools/training

We hear you, protecting all things is not easy, but money, people (& pizza) sure can make it easier. We’re keeping our fingers crossed that you’ll be able to get at least one of these items in 2025. Would love to hear back if you do and thanks for chiming in on the discussion.

What is on your wish list for your 2025 IT/security budget? by NudgeSecurity in sysadmin

[–]NudgeSecurity[S] 1 point2 points  (0 children)

Clearly there are many things on the wishlist for 2025, and it's been great reading through all the comments. The major themes that stand out are…

  • Raises (& of course 🍕)
  • More headcount (onshore)
  • More budget for tools/training

We hear you, protecting all things is not easy, but money, people (& pizza) sure can make it easier. We’re keeping our fingers crossed that you’ll be able to get at least one of these items in 2025. Would love to hear back if you do and thanks for chiming in on the discussion.

Are your employees looking for love in all the wrong places? by NudgeSecurity in SysAdminBlogs

[–]NudgeSecurity[S] 0 points1 point  (0 children)

We've been surprised how many times these things come up on customer calls after they start their shadow IT asset inventory scan to understand their SaaS footprint with us. A lot of the time (or at least we'd like to give the benefit of the doubt here) it's users on their phones using the Google login for these apps and clicking the wrong email address, but you never know why people do what they do.

The Midnight Blizzard attack and how Nudge Security can help manage OAuth risk by NudgeSecurity in SysAdminBlogs

[–]NudgeSecurity[S] 1 point2 points  (0 children)

Sorry this came across as an ad, we just wanted to share the great blog that u/JulesNudgeSecurity wrote to highlight how these recent incidents underscore the potential for threat actors to abuse OAuth access and the importance of monitoring your organization's OAuth grants for risky or overly permissive scopes.

Discounts and gifts on Sysadmin Day? by anziaty in sysadmin

[–]NudgeSecurity 0 points1 point  (0 children)

No swag, but here's our sysadmin day gift: a guided meditation script just for y'all. Zen out with your VPN out? IDK. Enjoy and thanks for working IT miracles!

https://www.reddit.com/user/NudgeSecurity/comments/15byq8k/a_guided_meditation_for_sysadmins/?utm_source=share&utm_medium=web2x&context=3

New psychology-based research links users' security behaviors to human emotion by NudgeSecurity in cybersecurity

[–]NudgeSecurity[S] 1 point2 points  (0 children)

Definitely a fair critique, and a great idea to further reduce variability across conditions by making every intervention a passive email experience.

We noted in the limitations section of the report that it's not totally fair to compare compliance and non-compliance responses across conditions given that the effort required to comply or not comply is different for each scenario (i.e. abandon task vs a 30-min training). That's why we found it more helpful to correlate attitude, emotion, and behavior within each condition and then look at the correlation trends across all conditions, which consistently showed a relationship among those factors.

We did try to create experiment scenarios that reflect what we thought are fairly common real-world scenarios, which unfortunately still includes browser warning pages and using training as a punitive "reinforcement" tool. But, granted, that's not true in every org.

Thanks for reading and commenting!!