#NSBCS.068 - From the desk of the CCO | Culture is the Strategy

Written By Shane Bell

Source: NSB Cyber

 

From the desk of the CCO | Culture is the Strategy

When Shane and I started NSB Cyber, we had a clear goal in mind, beyond delivering great cyber services or growing fast. We wanted to create a workplace we both would have loved to work at.

Don’t be fooled, this isn’t ping pong tables and bean bags. That’s not culture, that’s fluff. We set out to build a high performing environment. One where people are supported, challenged, and rewarded. Where learning opportunities are everywhere, where everyone shares in the success of the company and where people are treated like adults. Quality output and exceptional client experience are valued far more than presenteeism. Our people aren’t merely units of labour, they’re trusted professionals with diverse thinking and experiences.

That mindset has shaped everything we’ve done since and, as we’ve grown, has become even more essential.

And when you grow quickly, it’s easy to focus on the visible levers, sales strategy, recruitment, services lines, and delivery models. All essential. But if you want to maintain high trust relationships with clients, navigate pressure filled situations, deliver meaningful work and sustain the crazy momentum, the most important factor is culture. Not tools. Not frameworks. Not the latest in AI Culture.

And not the buzzword version, either. I’m talking about deliberately protecting that sense of belonging, what it feels like to work here and what it means to be part of something great. Culture is a multiplier, it’s a daily operating system that turns individual effort into team outcomes, at its best, it’s almost tangible.

In my experience, when you get the culture right, one plus one doesn’t equal two. It equals far more. Culture transforms individual talent (of which we have plenty) into coordinated performance. It reduces friction. It removes politics. It makes decision making under pressure faster and clearer.

At NSB we made intentional choices early. We hired incredibly talented people but also differentiated against other smart people for curiosity, humility, diversity of thought and sense of fun. We created a structure that enables autonomy and empowerment without chaos. Importantly, we treated culture deliberately not as something we’d get to later but rather as core to our operating model and something we could leverage as a strategic advantage.

We have always believed that people do their best work when they feel genuine ownership of the mission. In practice that means that no one is judged by hours or keystrokes (a big shift for anyone with a traditional consulting background). We measure impact. We care about the quality of the outcome and the experience we deliver to the client.

Shane and I set the tone, yes, but our team owns the culture. Every decision, every interaction, every project either reinforces it or erodes it. And the strongest cultures are the ones where everyone understands their role in shaping it.

What we’ve built isn’t perfect. But it’s real. It’s resilient. And we feel that it scales. In a services business, culture isn’t a pizza party or Friday drinks. It’s not an afterthought or an add on. Culture is the strategy.

Catch up on our past Signals blog posts here.

What we read this week

  • Qakbot Resurfaces in Fresh Wave of ClickFix Attacks - The Qakbot banking trojan has resurfaced in a new wave of global attacks targeting LinkedIn and other social media platforms, using a social engineering technique called ClickFix. This method tricks users into pasting malicious PowerShell commands by presenting fake CAPTCHA challenges on fraudulent websites, granting attackers initial access to systems. Once access is gained, a PHP-based dropper installs Qakbot or other malware like info-stealers and ransomware. The attacks have impacted sectors such as healthcare, construction, and government across North America, Europe, and the Middle East. Despite Qakbot’s infrastructure being dismantled in 2023, its operators remain active, and researchers warn of its continued evolution and growing use of deceptive tactics to bypass user defences.

  • FIN7 Unleashes Advanced Anubis Backdoor for Total Windows System Control - The notorious cybercrime syndicate FIN7, also tracked as Carbon Spider and Sangria Tempest, has deployed a sophisticated Python-based backdoor dubbed Anubis since early 2025, targeting Windows systems worldwide. Discovered by PRODAFT, this lightweight malware operates entirely in memory, granting attackers full remote access to compromised machines while evading traditional antivirus defenses. Spread via phishing campaigns leveraging malicious spam (malspam), Anubis enables remote shell command execution, keylogging, screenshot capture, and credential theft, all without storing detectable malicious components on disk. FIN7, historically focused on financial gain through point-of-sale attacks and ransomware, uses this modular tool to maintain stealth, blending its command-and-control (C2) traffic with legitimate network activity. The backdoor’s adaptability and low footprint underscore FIN7’s evolving tactics, posing a significant threat to organisations across North America and Europe as of April 2025.

  • Phishing Platform 'Lucid' Behind Wave of iOS, Android SMS attacks - The 'Lucid' phishing-as-a-service (PhaaS) platform, operated by the Chinese 'XinXin group' since mid-2023, targets 169 entities across 88 countries through sophisticated smishing campaigns delivered via iMessage and rich communication services (RCS). Sold via Telegram on a subscription basis, Lucid provides threat actors with access to over 1,000 phishing domains, auto-generated phishing sites, and professional-grade spamming tools. The platform uses device farms and exploits flaws in Apple and Android systems to send 100,000 encrypted messages daily, bypassing spam filters and reducing operational costs. Victims are lured to fake sites impersonating legitimate services like Amazon, DHL, or government toll agencies to steal personal and financial data. The service also includes tools like credit card validators, lowering the barrier for cybercrime and enabling large-scale, well-organised phishing campaigns.

  • North Korea’s IT Operatives Are Exploiting Remote Work Globally - North Korean (DPRK) IT workers are increasingly infiltrating Western organisations by using false identities and operating across platforms like Upwork and Telegram, often seeking payment in cryptocurrency to obscure financial trails. While the United States (U.S.) remains a primary target, increased enforcement and verification challenges hve pushed DPRK operatives to expand into Europe, with personas discovered in Germany, Portugal, and the United Kingdom. These workers engage in a wide range of technical roles including web, blockchain, artificial intelligence, and CMS development, often using facilitators and fraudulent documentation to support their activities. Since late 2024, extortion tactics have emerged, with dismissed workers threatening to leak sensitive data, likely in response to growing legal pressure. The operation now spans a global ecosystem, exploiting remote work and BYOD policies to avoid detection.

  • Hunters International Shifts from Ransomware to Data Theft in Strategic Rebrand - The cybercrime group Hunters International, previously known for its ransomware operations, has announced a pivot to data theft, citing ransomware’s increasing risks and declining profitability. Operating since late 2023, the group claims this tactical shift allows for faster, less detectable attacks, leveraging stolen data for blackmail or resale on dark web markets. Their rebrand includes a new focus on stealthy infiltration techniques, such as exploiting unpatched vulnerabilities and using legitimate tools to blend into network traffic. With a history tied to the disrupted Hive ransomware gang, Hunters International now targets high-value organisations across North America and Europe, offering affiliates a suite of tools for data exfiltration and monetisation. This evolution reflects a broader trend among cybercrime groups adapting to heightened law enforcement scrutiny.

Shane Bell
Next

#NSBCS.067 - Beyond the Lock: Integrating Access Control for Operational Resilience