Colonial Pipeline just paid $4.4 million in ransom to a criminal group called DarkSide — and they had a security vendor. SolarWinds, a company that literally sold security monitoring tools, became the vector for one of the most devastating supply chain attacks in history. If massive organizations with million-dollar security budgets and partnerships with top-tier computer security companies can get breached this badly, something fundamental is broken in how we think about cybersecurity spending.

I've spent years watching organizations pour money into security products while ignoring the vulnerabilities those products can't fix. This post is the honest conversation your sales rep doesn't want you to have — what computer security companies actually deliver, where they fall short, and what you need to do to fill the gaps they leave behind.

The $4.88M Problem Computer Security Companies Can't Solve Alone

According to the IBM/Ponemon 2020 Cost of a Data Breach Report, the average data breach cost organizations $3.86 million. For the United States specifically, that number jumped to $8.64 million. Those numbers reflect organizations that, in most cases, already had security vendors in place.

Here's what I've seen over and over: companies buy endpoint detection, deploy a firewall, maybe add a SIEM — and then assume they're covered. The Verizon 2021 Data Breach Investigations Report tells a different story. 85% of breaches involved a human element. Phishing was present in 36% of breaches, up from 25% the prior year.

No product stops an employee from entering credentials on a convincing phishing page. No firewall blocks a phone call from a smooth-talking threat actor pretending to be from IT. Computer security companies sell technology. But the majority of breaches exploit people.

What Computer Security Companies Actually Provide

Let me be clear — I'm not saying security vendors are useless. They're essential. But you need to understand exactly what you're buying and, more importantly, what you're not.

Endpoint Detection and Response (EDR)

EDR tools monitor devices for suspicious activity and can isolate compromised machines. They're effective against known malware signatures and increasingly good at behavioral detection. But EDR doesn't help when an employee willingly hands over their password to a phishing site. The attacker logs in with legitimate credentials, and the EDR sees nothing unusual.

Managed Security Service Providers (MSSPs)

MSSPs monitor your network 24/7 and respond to alerts. They're valuable for organizations without an internal security operations center. But MSSPs are reactive by design. They respond to incidents after they've started. They can reduce dwell time, but they don't prevent the initial compromise — especially when that compromise is a social engineering attack.

Vulnerability Scanners and Penetration Testing

These tools and services find technical weaknesses in your infrastructure. That is critical work. But the Verizon DBIR consistently shows that the human layer is exploited far more often than unpatched servers. You can have a perfectly patched network and still get breached because someone in accounting opened the wrong attachment.

Multi-Factor Authentication (MFA) Solutions

MFA is one of the most effective controls available. I recommend it to every organization I work with. But it's not bulletproof. Real-time phishing proxies can intercept MFA tokens. Attackers have also learned to bombard users with push notifications until someone accidentally approves one. MFA raises the bar significantly, but it doesn't eliminate the need for a trained workforce.

The Gap Between Products and Protection

The fundamental gap that computer security companies leave is the human one. Technology can't fully compensate for an untrained employee base. Here's what actually happens in my experience:

  • An employee receives a convincing email that appears to come from Microsoft 365 asking them to re-authenticate.
  • They click the link, land on a pixel-perfect credential theft page, and enter their username and password.
  • The attacker now has valid credentials. If MFA isn't configured — or if the phishing kit captures the session token — they're inside.
  • The MSSP sees a normal login from a slightly unusual location. Maybe it triggers a low-priority alert. Maybe it doesn't.
  • Within hours, the attacker has accessed email, exfiltrated data, or deployed ransomware.

Every piece of technology in that chain did its job. The breach happened anyway because the employee wasn't trained to recognize the attack.
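To make concrete what the monitoring layer in that chain can and cannot see, here is an added example (mine, not from the original post or any vendor's product) that runs two simple detections over constructed sign-in events: a successful login from a country the user has never signed in from (the "slightly unusual location" above) and a burst of MFA push prompts, the push-bombing pattern mentioned under the MFA section. The event format, field names and the users in the sample are assumptions invented for the example; the thresholds are illustrative.

```python
"""Two detections over constructed sign-in events (added example).

Both checks fire only after the attacker already holds a valid password,
which is exactly the gap the post describes: the login itself is legitimate
as far as the technology is concerned, so all the monitoring layer can do is
notice that the context around it is off.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Fields are an assumption.
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T08:02:10", "user": "a.lee", "event": "login_success", "country": "US"},
    {"ts": "2021-06-01T08:40:00", "user": "a.lee", "event": "login_success", "country": "US"},
    {"ts": "2021-06-02T03:15:42", "user": "a.lee", "event": "login_success", "country": "NL"},
    {"ts": "2021-06-02T03:20:01", "user": "b.cho", "event": "mfa_push_sent", "country": "US"},
    {"ts": "2021-06-02T03:20:31", "user": "b.cho", "event": "mfa_push_sent", "country": "US"},
    {"ts": "2021-06-02T03:21:02", "user": "b.cho", "event": "mfa_push_sent", "country": "US"},
    {"ts": "2021-06-02T03:21:40", "user": "b.cho", "event": "mfa_push_sent", "country": "US"},
    {"ts": "2021-06-02T03:22:05", "user": "b.cho", "event": "login_success", "country": "US"},
    {"ts": "2021-06-02T09:00:00", "user": "c.diaz", "event": "mfa_push_sent", "country": "US"},
    {"ts": "2021-06-02T09:00:20", "user": "c.diaz", "event": "login_success", "country": "US"},
]


def _parsed(events):
    """Return the events with ISO timestamps converted to datetime, in time order."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def new_country_logins(events):
    """Flag successful logins from a country the user has not logged in from before.

    The baseline is learned from the user's own earlier successful logins, so a
    user's very first login is never flagged; it only seeds the baseline.
    Returns (user, country, timestamp) tuples.
    """
    seen = defaultdict(set)
    alerts = []
    for e in _parsed(events):
        if e["event"] != "login_success":
            continue
        known = seen[e["user"]]
        if known and e["country"] not in known:
            alerts.append((e["user"], e["country"], e["ts"].isoformat()))
        known.add(e["country"])
    return alerts


def push_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Flag users who received `threshold` or more MFA push prompts inside a sliding window.

    A burst of prompts the user did not initiate is the precursor to an
    accidental approval. Returns (user, prompt_count, window_start) tuples,
    at most one per user so the triage queue stays readable.
    """
    prompts = defaultdict(list)
    for e in _parsed(events):
        if e["event"] == "mfa_push_sent":
            prompts[e["user"]].append(e["ts"])
    alerts = []
    for user, times in prompts.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append((user, count, times[start].isoformat()))
                break
    return alerts


if __name__ == "__main__":
    print("new-country logins:", new_country_logins(SAMPLE_EVENTS))
    print("push fatigue:", push_fatigue(SAMPLE_EVENTS))
```

In the sample, the login for `c.diaz` (one prompt, approved from a known country) produces nothing, which is the point: a phished password used from the victim's usual country with a single approved prompt looks identical to the real user, and no threshold tuning changes that.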

What Is the Most Important Thing Computer Security Companies Miss?

The single most overlooked element in organizational security is ongoing security awareness training. Not a one-time onboarding video. Not a yearly compliance checkbox. Continuous, practical training that evolves with the threat landscape.

CISA — the Cybersecurity and Infrastructure Security Agency — has repeatedly emphasized that human-focused security is foundational. Their guidance on defending against cyber threats puts awareness and training alongside technical controls as a core pillar of defense.

The reason is simple math. You might have 50 servers, but you have 500 employees. Each employee is an entry point. Each one makes dozens of security-relevant decisions every day — what to click, what to download, what to share, who to trust on the phone. No product monitors all of that. Only training changes the decision-making at the source.

Phishing Simulations: The Test Your Vendor Probably Isn't Running

One of the highest-ROI security activities I've seen is regular phishing simulation. You send realistic but safe phishing emails to your own employees and measure who clicks, who reports, and who enters credentials. Then you train based on the results.

Organizations that run consistent phishing awareness training programs see measurable improvement. Click rates drop. Report rates climb. Employees start flagging real attacks before they cause damage. It turns your workforce from your biggest vulnerability into an active detection layer.

The key word is consistent. A single simulation tells you almost nothing. Monthly or quarterly simulations, paired with immediate training for those who fail, create lasting behavioral change.

What Good Phishing Simulation Looks Like

  • Realistic scenarios: Not obvious spam. Use templates that mirror actual credential theft campaigns — fake Microsoft login pages, DocuSign requests, payroll update notices.
  • Immediate feedback: When someone clicks, they should see a training page right away. The teachable moment is most powerful when it's immediate.
  • Progressive difficulty: Start with easier-to-spot phishes. Increase complexity over time as your workforce improves.
  • No public shaming: The goal is learning, not punishment. Shaming creates fear and underreporting — exactly what threat actors rely on.

Building a Security Strategy That Actually Works

Here's the framework I recommend to organizations. It doesn't replace your security vendors — it makes them effective.

Step 1: Get Your Technical Baseline Right

Deploy MFA everywhere. Enable logging. Patch aggressively. Use EDR on all endpoints. Encrypt sensitive data at rest and in transit. This is table stakes. If your computer security companies aren't helping you do this, find ones that will.

Step 2: Adopt a Zero Trust Mindset

Zero trust means never assuming a user or device is safe just because they're inside your network. Verify identity continuously. Apply least-privilege access. Segment your network so a single compromised account can't reach everything. NIST Special Publication 800-207 lays out the zero trust architecture in detail.

Step 3: Train Every Human in the Chain

This is where most organizations underinvest. Every employee — from the C-suite to the newest intern — needs regular security awareness training. Not generic compliance content, but practical training on current threats: business email compromise, credential theft, ransomware delivery methods, social engineering tactics over phone and email.

A comprehensive cybersecurity awareness training program covers these threats and gives employees the skills to recognize and report them before damage is done.

Step 4: Test Your Defenses Regularly

Run phishing simulations. Conduct tabletop exercises. Test your incident response plan. The FBI's Internet Crime Complaint Center (IC3) reported $4.2 billion in cybercrime losses in 2020. The organizations that recover fastest are the ones that practiced before the real thing hit.

Step 5: Measure and Iterate

Track phishing simulation click rates over time. Monitor mean time to detect and respond. Review security incidents quarterly. If your metrics aren't improving, change your approach. Security is not a project — it's a continuous process.
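The simulation metrics this step and the phishing-simulation section above call for are straightforward to compute once results are recorded per user and per campaign. The following is an added example (my own, not from the original post or any simulation vendor) over a constructed result set; the campaign identifiers, user names and outcome labels are assumptions. It computes click and report rates per campaign, the change from the first campaign to the last, a yes/no answer to "are the metrics improving", and the list of users who failed in more than one campaign, intended for private follow-up training rather than public shaming.

```python
"""Phishing-simulation metrics over constructed campaign results (added example)."""
from collections import Counter, defaultdict

# Constructed results as (campaign, user, outcome); not real data.
# Outcomes: reported (best), ignored, clicked, submitted (entered credentials).
RESULTS = [
    ("2021-Q1", "a.lee", "clicked"),   ("2021-Q1", "b.cho", "submitted"),
    ("2021-Q1", "c.diaz", "ignored"),  ("2021-Q1", "d.ek", "reported"),
    ("2021-Q1", "e.fox", "clicked"),
    ("2021-Q2", "a.lee", "clicked"),   ("2021-Q2", "b.cho", "reported"),
    ("2021-Q2", "c.diaz", "reported"), ("2021-Q2", "d.ek", "reported"),
    ("2021-Q2", "e.fox", "ignored"),
    ("2021-Q3", "a.lee", "reported"),  ("2021-Q3", "b.cho", "reported"),
    ("2021-Q3", "c.diaz", "reported"), ("2021-Q3", "d.ek", "ignored"),
    ("2021-Q3", "e.fox", "reported"),
]
FAILED = {"clicked", "submitted"}  # both count as a failed test


def campaign_metrics(results):
    """Per-campaign click rate and report rate as percentages of delivered mails."""
    delivered = Counter(c for c, _, _ in results)
    failed = Counter(c for c, _, o in results if o in FAILED)
    reported = Counter(c for c, _, o in results if o == "reported")
    return {
        c: {
            "click_rate": round(100 * failed[c] / delivered[c], 1),
            "report_rate": round(100 * reported[c] / delivered[c], 1),
        }
        for c in sorted(delivered)
    }


def trend(metrics, key="click_rate"):
    """Change in a metric from the first campaign to the last, in percentage points.

    Negative is good for click_rate, positive is good for report_rate.
    """
    ordered = [metrics[c][key] for c in sorted(metrics)]
    return round(ordered[-1] - ordered[0], 1)


def needs_change(metrics, min_improvement=5.0):
    """True when the click rate has not dropped by at least min_improvement points."""
    return trend(metrics, "click_rate") > -min_improvement


def repeat_failures(results, min_campaigns=2):
    """Users who failed in at least min_campaigns campaigns, for private follow-up."""
    per_user = defaultdict(set)
    for c, u, o in results:
        if o in FAILED:
            per_user[u].add(c)
    return sorted(u for u, cs in per_user.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    m = campaign_metrics(RESULTS)
    for campaign, rates in m.items():
        print(campaign, rates)
    print("click-rate trend:", trend(m), "points")
    print("report-rate trend:", trend(m, "report_rate"), "points")
    print("change approach?", needs_change(m))
    print("repeat failures:", repeat_failures(RESULTS))
```

Report rate is tracked alongside click rate deliberately: a workforce that clicks less but still never reports gives the security team no early warning, so a falling click rate on its own is not the whole story.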

The Vendor Question You Should Actually Be Asking

When evaluating computer security companies, most organizations ask: "What threats do you detect?" or "What's your response time?"

Those are fine questions. Here's a better one: "What percentage of breaches in your customer base originated from a human action, and what do you do about that?"

If the answer is "we sell a product" and nothing about training, awareness, or simulation, you're looking at an incomplete solution. The best security posture combines technology with a trained, vigilant workforce.

Why 2021 Is a Turning Point

The Colonial Pipeline ransomware attack in May 2021 brought cybersecurity to the front page of every newspaper. The SolarWinds breach in late 2020 exposed the fragility of supply chains. The Microsoft Exchange Server vulnerabilities exploited by Hafnium affected tens of thousands of organizations worldwide.

These aren't abstract threats anymore. The FBI IC3's 2020 report showed a 69% increase in total cybercrime complaints compared to 2019, with nearly 800,000 complaints filed. Ransomware alone increased by 20%.

This year has made one thing clear: technology alone doesn't cut it. Security vendors provide essential tools. But tools without trained operators are just expensive furniture. Your employees are either your first line of defense or your easiest attack surface. The difference is training.

Your Next Move

Audit your current security stack. Identify where you've invested in technology and where you've left the human layer exposed. Start a phishing simulation program that tests your employees with realistic scenarios monthly. Pair it with structured cybersecurity awareness training that keeps pace with current threat actor tactics.

Computer security companies will continue to build better products. Threat actors will continue to bypass those products by targeting people. The organizations that win this race are the ones that invest in both.