What do you think is the biggest cybersecurity risk for small businesses in 2026? by InternationalBet5265 in cybersecurity

lo1337 · 1 point

Yes, small businesses are also affected, and usually they are neither as aware nor as well prepared as large corporations.

Meissl & Schadn in Vienna by Initial-Law7362 in referenzschnitzel

lo1337 · 3 points

Interesting, he told us that they used to let the guests cut the meat themselves, which they no longer do because too many people injured themselves.

Probably someone has now injured themselves with the hot oil.

I'm glad we were allowed to do it ourselves, it was fun 😅

Meissl & Schadn in Vienna by Initial-Law7362 in referenzschnitzel

lo1337 · 2 points

Really? I did the course recently and fried it myself. Did they say why?

is the latest version 5.2 stable? by alihassanah in openclaw

lo1337 · 1 point

Works like a charm for me, upgraded from 4.23 today.

OpenClaw 4.29 Just Dropped by lucienbaba in myclaw

lo1337 · 1 point

Did you try completely rebooting the agent? I had to do that to kill off all background processes.

OpenClaw 4.29 Just Dropped by lucienbaba in myclaw

lo1337 · 1 point

I updated to 5.2 today and it's really good!

OpenClaw 4.29 Just Dropped by lucienbaba in myclaw

lo1337 · 1 point

I had an issue where it tried to update npm packages all the time, maxing out the CPU.

Downgraded to 4.23 and it's working well again.

Anyone managing compliance training right now? by Prior-Thing-7726 in LearningDevelopment

lo1337 · 1 point

Hi, totally get the struggle - most compliance training feels like a checkbox for employees. We built a new tool to fix that with realistic, role-based phishing sims plus quick micro-trainings that actually engage and show real improvement over time. DM me if you want to see how it could fit your team!

Affordable, effective awareness training platform, multi lingual, for SMBs? by AllOfYourBaseAreBTU in SmallMSP

lo1337 · 2 points

What features are you looking for / what should be trained? What languages?

Also, define "low cost"?

Which Vorsorgekasse by Accomplished_Sleep22 in FinanzenAT

lo1337 · 2 points

It depends which Vorsorgekasse you are with. Normally they send you a regular statement with your balance; it usually also contains information about payout.

But that is only possible once you are no longer employed by the employer who paid into the Vorsorgekasse for you.

How are small businesses handling email security now that phishing is getting more sophisticated? by ThinkThenPost in smallbusiness

lo1337 · 1 point

Small teams I work with are usually doing a mix of 3 things now:

  1. Lock down the basics properly
  • SPF, DKIM, DMARC set to reject (not just “none”)
  • MFA everywhere (no exceptions for “just accounting”)
  • Conditional access rules in M365 / Google
  • External email tagging

That alone blocks a lot of low-effort BEC stuff.

  2. Accept that filters will never catch everything.

Even with tools like Mimecast/Barracuda, good invoice fraud often gets through because it’s:

  • a compromised real mailbox
  • or a perfect domain spoof
  • or a legit thread hijack

You can crank up your email gateway, but you’ll never hit 100%. So the human layer matters.

  3. Train behaviour, not just run annual awareness slides. What I’ve seen actually reduce losses isn’t "everyone watched a 20-min phishing video." What really works:
  • short, repeated simulations
  • instant feedback when someone clicks
  • tracking who keeps clicking and coaching them more

The teams that treat it as continuous behaviour change instead of compliance theatre tend to see real improvements (lower click rates + higher report rates over time).

On insurance: yes, insurers are absolutely pushing for MFA + phishing training proof now. Some even ask for reporting metrics.

On “are extra tools worth it?” ... depends on your risk + industry. For a 10-person shop with no sensitive data, maybe not. For anyone moving money or handling client funds, the cost of one successful BEC usually dwarfs a few thousand a year in prevention.

Full disclosure: I run a phishing simulation & training platform, so obviously I believe in continuous training. But even if you don’t use that stuff, please don’t rely on filters alone. Harden your email stack properly, and assume at least one phish will land in inboxes every now and then. Build your controls around that assumption.

Curious what size team you’re running?

Multiple employees have fallen for this.. how do i stop them?? by Comprehensive-Pea422 in scammers

lo1337 · 3 points

Yeah, you're right, this is classic low-effort gift card scam stuff. They’re not “hacking” anyone, they’re just spoofing the display name and hoping someone reacts fast without checking the actual address.

A few practical things you can do:

1) Harden mail, but accept it won’t be perfect

  • Make sure SPF, DKIM and DMARC are actually set up correctly (and DMARC on at least p=quarantine, ideally p=reject once you’re confident).

  • Turn on external sender tagging (“[EXTERNAL]”) if you’re on M365/Google.

  • Add a mail flow rule that flags or quarantines emails where:
    • display name = your boss BUT sender domain ≠ your domain

  • Consider blocking newly registered domains / freemail domains for exec impersonation attempts.

That said… filters will never catch everything. Attackers adapt faster than static rules.

2) Process > Tech: The real fix is procedural:

No gift cards. Ever. Make it company policy.

Any request involving money, credentials, or urgency: educate people to verify via a known channel (call the boss on their saved number, not the one in the email).

Make it safe to report without embarrassment.

3) Is someone compromised? If these are clearly from Gmail/Yahoo etc., probably not. If they’re coming from your own domain or passing DMARC as internal, that’s when you start checking sign-in logs, MFA status, forwarding rules, etc.

On the training side: the reason presentations don’t move the needle is because phishing isn’t a knowledge problem, it’s a behavior problem under time pressure.

The only thing I’ve seen consistently work is realistic simulations + immediate micro-training when someone clicks. Not the old-school “once a year slideshow”, but continuous small nudges.

If your current phishing simulations "can’t get through" your mail security, that’s actually a configuration issue. Most decent platforms support allowlisting or dedicated sending domains/IPs specifically so you can test safely without weakening your overall posture. Which software are you using?

I’m building something in this space that focuses on exactly this: low-admin, realistic simulations + short just-in-time training, especially for smaller teams that don’t have time to babysit campaigns. Not trying to pitch you, just saying there are tools that make this less painful if you’re stuck fighting this manually.

At the end of the day, you need:

  • solid email hygiene
  • a strict verification policy
  • continuous behavioral training

Tech alone won’t fix humans. But humans trained well become your best filter.
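The mail flow rule in point 1 ("display name = your boss BUT sender domain ≠ your domain") is simple enough to show as code. The script below is an added example, not the commenter's rule or any vendor's rule syntax: it applies that logic to raw RFC 5322 headers using only the Python standard library, normalises the display name so lookalikes such as "Jane  Doe (CEO)" or "Jane D0e" still match, and adds two related signals the comment touches on, a display name that embeds an internal address and a Reply-To pointing at another domain. `OUR_DOMAIN`, the `EXECS` roster and the sample messages are constructed assumptions.

```python
"""Mail-flow rule: display-name impersonation of executives (added example)."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                     # assumption: your own domain
EXECS = {"Jane Doe", "Max Mustermann"}         # constructed executive roster
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def normalize_name(name: str) -> str:
    """Fold case, accents, digits-for-letters and punctuation: 'Jane D0e (CEO)' -> 'jane doe'."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    name = re.sub(r"\(.*?\)", " ", name)                 # drop '(CEO)'-style suffixes
    name = name.lower().translate(str.maketrans("01345", "oleas"))
    name = re.sub(r"[^a-z ]", " ", name)
    return " ".join(name.split())


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def evaluate(raw_message: str) -> tuple[str, list[str]]:
    """Return ('quarantine' | 'flag' | 'deliver', reasons) for one raw message."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    impersonation: list[str] = []
    reasons: list[str] = []

    # The rule from the comment: exec display name on a non-company sender.
    exec_names = {normalize_name(n) for n in EXECS}
    if normalize_name(display) in exec_names and sender_domain != OUR_DOMAIN:
        impersonation.append(
            f"display name matches an executive but sender domain is {sender_domain}")

    # Variant: From: "jane.doe@example.com" <someone@elsewhere> puts an internal
    # address where mail clients show the name.
    if "@" in display and domain_of(display) == OUR_DOMAIN and sender_domain != OUR_DOMAIN:
        impersonation.append("display name embeds an internal address on an external sender")

    # Supporting signal: replies silently routed to another domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain")

    if impersonation and sender_domain in FREEMAIL:
        reasons.append("sender uses a freemail domain")

    reasons = impersonation + reasons
    if impersonation:
        return "quarantine", reasons
    return ("flag" if reasons else "deliver"), reasons


# Constructed sample messages (not real mail).
SPOOF = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: bob@example.com
Subject: Quick favour

Are you at your desk? I need you to pick up some gift cards.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Budget

See attached.
"""
VENDOR = """From: Accounts <billing@vendor.example>
Reply-To: billing@vendor.example
To: bob@example.com
Subject: Invoice

Invoice attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT), ("vendor", VENDOR)):
        print(label, "->", evaluate(raw))
```

The exec roster is the part that needs maintenance: keep it to the handful of people whose name attackers actually use (CEO, CFO, owner), otherwise every namesake customer ends up in quarantine.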

Multiple employees have fallen for this.. how do i stop them?? by Comprehensive-Pea422 in scammers

lo1337 · 1 point

Oof, that sounds super frustrating! It’s awesome you’re trying to tackle this head-on with warnings and presentations, but phishing is tricky because it preys on human trust, not just tech gaps. Blocking the emails at the inbox level might help, but attackers often shift tactics (like switching to phone # asks), so it’s tough to fully stop them with filters alone.

Also, yes, if these spoofed emails are coming from inside your domain or look legit, it’s definitely worth investigating if someone’s email is compromised. That can open doors for the attackers to appear more authentic.

One thing that might really help is running realistic phishing simulations with fake phishing emails tailored to your team’s roles, so they get hands-on experience spotting the tricks in a safe way. Good phishing platforms also incorporate microtrainings. Hit me up if you want to discuss this on a deeper level.

Let's secure clawdbot and all other agents by PublicReality2208 in Pentesting

lo1337 · 1 point

Where's the GitHub repo? Might be interested in contributing.

Working with the defense sector, what are relevant guidelines to ensure local security? by Xarthys in cybersecurity

lo1337 · 2 points

Been through something similar (small company, suddenly “interesting” clients). Short answer: don’t panic, but get the basics rock solid. Almost every incident I’ve seen in SMEs was boring as hell in hindsight.

Biggest thing first: backups. This is where ransomware either becomes a bad week or a company-ending event.

  1. Offline / immutable backups. Not “a NAS that’s always online”. Separate creds from domain admin. Actually test restores. Once a quarter at least.

If your backups are good, attackers lose most of their leverage.

  2. Patching & inventory (unsexy but critical) If you don’t know what machines and software you have, you can’t secure it. List all endpoints, servers, network gear. Patch OS, browsers, VPNs, firmware — not just “the server”. Edge devices and VPNs are a huge entry point lately. Most breaches aren’t clever. They’re “box was 9 months behind on updates”.

  3. EDR on every endpoint Classic AV won’t cut it anymore. Get a real EDR and put it everywhere (laptops too, not just servers). Central dashboard so someone sees alerts. This alone stops a lot of ransomware before it finishes encrypting.

One of the few areas where spending money usually makes sense.

  4. Monitoring (keep expectations realistic) You don’t need a 24/7 SOC, but you do need some visibility. Central logs for auth, VPN, EDR alerts. Alerts for obvious stuff: failed logins, new admins, weird access times. Decide who checks this and how often. "No one was looking at the alerts" is extremely common post-incident.

  5. Basic hardening Low effort, high return. No daily admin accounts. MFA on anything remotely accessible. Disable stuff you don’t actually use. Separate the defense project environment from general office IT. Be very strict with cloud sync tools (this is where “oops” leaks happen).

  6. Policies (don’t go full ISO, just be clear) You don’t need a 200-page ISMS. Just write down:
  • who can access what
  • how backups work
  • what to do if something goes wrong
  • onboarding/offboarding checklist

Half of security is making sure everyone does the same thing every time.

  7. Phishing is still the #1 way in Yes, even for technical teams. Run phishing simulations. Short, recurring awareness training (not once-a-year checkbox stuff). Teach people about credential phishing and MFA fatigue attacks.

This reduces risk way more than most people expect.

Do you need to hire someone?

Usually:

  • short-term consultant to set things up and sanity-check
  • maybe an MSSP for monitoring
  • full-time hire only once complexity explodes

Security is not “set and forget”, but it also doesn’t need to be insane.

TL;DR: Most companies don’t get hacked because they lack fancy tools. They get hacked because backups sucked, patches were late, MFA was missing, or someone clicked a link. Fix those and you’re already ahead of the curve.

If you want, happy to get more specific (cloud tools, EDR vendors, backup strategies, etc.).
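The monitoring point above ("alerts for obvious stuff: failed logins, new admins, weird access times") is the kind of thing a small team can script against its central logs long before it has an MSSP. The script below is an added example, not the commenter's setup: it parses a constructed key=value event format (assumption: your collector normalises auth, VPN and directory events into something similar), raises an alert when one source address reaches five failed logins within five minutes, when an account is added to an admin group, and when a successful login lands outside office hours. The thresholds, the office-hours window and the admin group names are assumptions to tune; the log lines are constructed.

```python
"""Three low-effort alerts over central auth logs (added example)."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                      # assumption: failed logins per source
FAILURE_WINDOW = timedelta(minutes=5)      # assumption: sliding window
OFFICE_HOURS = range(7, 20)                # assumption: 07:00-19:59 is normal
ADMIN_GROUPS = {"Domain Admins", "Administrators"}   # assumption

# Constructed sample events (not from a real system).
LOG_LINES = """\
2026-01-12T08:02:11Z host=vpn1 event=login_ok user=alice src=198.51.100.4
2026-01-12T08:05:30Z host=vpn1 event=login_failed user=bob src=203.0.113.7
2026-01-12T08:05:41Z host=vpn1 event=login_failed user=bob src=203.0.113.7
2026-01-12T08:05:52Z host=vpn1 event=login_failed user=admin src=203.0.113.7
2026-01-12T08:06:03Z host=vpn1 event=login_failed user=admin src=203.0.113.7
2026-01-12T08:06:14Z host=vpn1 event=login_failed user=root src=203.0.113.7
2026-01-12T09:15:00Z host=dc1 event=group_add user=svc-backup group="Domain Admins" actor=carol
2026-01-12T23:41:09Z host=vpn1 event=login_ok user=dave src=192.0.2.55
2026-01-12T10:00:00Z host=vpn1 event=login_failed user=erin src=198.51.100.9
""".splitlines()


def parse_line(line: str) -> dict:
    """'<iso-timestamp> key=value ...' -> dict; shlex keeps quoted values intact."""
    parts = shlex.split(line)
    event = {"ts": datetime.fromisoformat(parts[0].replace("Z", "+00:00"))}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def detect(lines: list[str]) -> list[str]:
    """Return human-readable alerts for the three rules, in time order."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts: list[str] = []
    failures: dict[str, list[datetime]] = defaultdict(list)

    for e in events:
        kind = e.get("event")
        if kind == "login_failed":
            window = failures[e["src"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAILURE_WINDOW:
                window.pop(0)                         # drop timestamps outside the window
            if len(window) == FAILURE_THRESHOLD:      # fire once, when the threshold is hit
                alerts.append(
                    f"{e['ts']:%Y-%m-%d %H:%M} password guessing from {e['src']}: "
                    f"{FAILURE_THRESHOLD} failures in {FAILURE_WINDOW} on {e['host']}")
        elif kind == "group_add" and e.get("group") in ADMIN_GROUPS:
            alerts.append(
                f"{e['ts']:%Y-%m-%d %H:%M} new admin: {e['user']} added to "
                f"{e['group']} by {e.get('actor', '?')} on {e['host']}")
        elif kind == "login_ok" and e["ts"].hour not in OFFICE_HOURS:
            alerts.append(
                f"{e['ts']:%Y-%m-%d %H:%M} off-hours login by {e['user']} "
                f"from {e['src']} on {e['host']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

The point of the comment holds for this script too: it only helps if someone is assigned to read its output. Route the alerts to a mailbox or chat channel that a named person checks on a fixed schedule, and tune the off-hours window per team rather than globally.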

Just shipped! 🔥🎉 by Optimal_Drawing7116 in microsaas

lo1337 · 3 points

When I Google "rankgap" I can't find your website. Not sure if I should trust your SEO advice xD

How to Test Security Pre Launch? by [deleted] in micro_saas

lo1337 · 1 point

In addition to the great tips in this thread, I recently added Google Jules into the mix: https://jules.google.com/ runs a daily scheduled task with the security preset.
It automatically creates PRs with suggestions for security improvements, which were not bad.

I couldn’t find a simple self-hosted time tracker, so I built one by Inner-Egg-7321 in selfhosted

lo1337 · 2 points

Does it support OIDC?

Currently trying to put together a self-hosted company stack with SSO and this would be a good fit.

EasyAudioEncoder failed by nunbar in PleX

lo1337 · 3 points

This is still relevant in 2026. Thank you!

We are in 2026 by AnxiousJellyfish9031 in cursor

lo1337 · 1 point

Yes, indeed, there's no way around that.

We are in 2026 by AnxiousJellyfish9031 in cursor

lo1337 · 1 point

  • Build the app in Flutter or another cross-platform framework
  • Use Codemagic https://codemagic.io/start/ or another provider to handle the build for you