Re: non BCC - the gift that keeps on giving
I wouldn't call KnowBe4 "a security snakeoil company". While they're heavy on the self-promotion (but then you can unsubscribe), they provide a reasonably competent version of a couple of useful services: phish testing and employee email-security training. Those do seem to be productive, and contracting with a vendor like KB4 is generally cheaper and less hassle than developing them in-house.
It's not like KB4 are peddling magic encryption or the like.
And while this incident provides a rich vein of schadenfreude, it doesn't really reflect on the quality of KB4's offerings. For one thing, Reply-All misuse isn't one of the main vectors their training targets, as far as I remember; and for another, they don't promise they can train all your employees to perfection, so it's not reasonable to expect perfection from theirs, either.
Biting the hand that feeds IT
