The Blind Spot That Computer Security Companies Sell Around

In March 2022, Okta — one of the most prominent identity management vendors in the world — confirmed that the Lapsus$ threat actor group had compromised a third-party support engineer's laptop and accessed internal systems. An identity security company, breached through a human. That single incident should tell you everything you need to know about what computer security companies often leave out of their pitch decks.

I've spent years watching organizations stack vendor after vendor into their security architecture, only to get breached through an employee clicking a well-crafted phishing email. The hard truth? No product replaces an educated workforce. And most computer security companies aren't incentivized to tell you that.

This post isn't anti-vendor. I use security tools every day. But I want to walk you through the gaps that exist between what vendors promise and what actually stops breaches — and what you can do right now to close those gaps without writing another six-figure check.

What Computer Security Companies Actually Do Well

Let's give credit where it's due. Endpoint detection and response (EDR) platforms, next-gen firewalls, SIEM solutions, and cloud security posture management tools have genuinely advanced the field. They automate detection at scale, correlate events across millions of data points, and reduce mean time to response.

The 2022 Verizon Data Breach Investigations Report found that 40% of ransomware incidents involved the use of desktop sharing software, and another significant portion used email as the initial vector. Tools that monitor these channels catch real threats every day. That matters.

But here's the problem I keep seeing. Organizations treat tool deployment as the finish line. They check the compliance box, renew the subscription, and move on. Meanwhile, the threat actor isn't trying to beat your firewall — they're trying to beat your people.

The Tool Stack Illusion

I call it the tool stack illusion: the belief that enough layered products equal comprehensive security. In reality, the 2022 Verizon DBIR reported that 82% of breaches involved the human element — including social engineering, errors, and misuse. No combination of vendor products fully addresses that statistic.

Your security tools are essential. But they're the seatbelt, not the driver. If the driver is impaired, the seatbelt only does so much.

The $4.88M Gap Between Products and People

IBM's Cost of a Data Breach Report 2022 pegged the average cost of a data breach at $4.35 million globally. In the United States, that number climbed to $9.44 million. These figures account for detection, escalation, notification, lost business, and regulatory fines.

Here's the number that should keep you up at night: organizations with high levels of security awareness training and incident response planning saved an average of $2.66 million per breach compared to those without. That's not a rounding error. That's a material difference that directly impacts whether your business survives a major incident.

Computer security companies sell you products that detect and respond. What they rarely sell — because there's less recurring revenue in it — is the human layer that prevents the breach from happening in the first place.

Why Social Engineering Bypasses Your Entire Stack

Social engineering works because it targets decision-making, not infrastructure. A business email compromise (BEC) attack doesn't trigger your IDS. A voice phishing call doesn't hit your email gateway. A carefully researched pretexting attack bypasses every technical control you own.

The FBI's 2021 Internet Crime Report documented adjusted losses of nearly $2.4 billion from BEC and email account compromise alone. That was the single highest-loss crime type — ahead of ransomware, ahead of credential theft, ahead of everything else.

Your vendors can't fix that with a software update. Your employees can fix it with training.

What Your Vendor Checklist Is Missing

When I audit an organization's security posture, I always ask the same five questions. The answers reveal whether the vendor stack is actually protecting the business or just decorating it.

  • When was your last phishing simulation? If the answer is "never" or "over a year ago," your email security gateway is doing all the heavy lifting — and it will eventually miss something.
  • Can your employees identify a BEC attempt? Most can spot a Nigerian prince scam. Few can spot a spoofed email from "the CEO" requesting a wire transfer.
  • Do you have a documented incident response plan that's been tested? Owning a SIEM means nothing if nobody knows the playbook when it alerts.
  • Is multi-factor authentication enforced on all critical systems? MFA remains one of the most effective controls against credential theft, and it costs a fraction of most enterprise tools.
  • Are your people trained on zero trust principles? Zero trust isn't just a network architecture — it's a mindset. Verify before you trust. Every time.

If you answered poorly on more than two of these, your tool stack has gaps no vendor will close for you.
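The "spoofed email from the CEO" pattern above is one BEC lure a mail-layer check can still surface even though, as the earlier section notes, nothing about it trips an IDS. This is an added example, not code from the post: a small Python detector that scores a message on display-name impersonation, lookalike sender domain, Reply-To mismatch and payment-pressure wording. The executive directory, internal domains and both sample messages are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed directory of the executives a "CEO wire transfer" lure imitates,
# and the domains the organization legitimately sends from (placeholders).
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}

def bec_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reasons = []
    # 1. Display name of a known executive, but not that executive's mailbox.
    known = EXECUTIVES.get(from_name.strip())
    if known and from_addr.lower() != known:
        reasons.append(f"display name '{from_name}' used with {from_addr}")
    # 2. Lookalike domain: an internal brand label inside an external domain.
    brands = {d.split(".")[0] for d in INTERNAL_DOMAINS}
    if from_domain not in INTERNAL_DOMAINS and any(b in from_domain for b in brands):
        reasons.append(f"lookalike sender domain {from_domain}")
    # 3. Reply-To steers the answer to a mailbox other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 4. Payment pressure in the body, the classic wire-transfer pretext.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if re.search(r"\b(wire|transfer|urgent|gift cards?)\b", body, re.I):
        reasons.append("payment or urgency language in body")
    return reasons

# Constructed sample messages: a lure and a routine internal note.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@example-finance.com>
Reply-To: ceo.desk@example.net
To: ap@example.com
Subject: Urgent

Need you to process a wire transfer today, I'm in meetings all afternoon.
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample))
```

A hit on any indicator is a prompt for the second-channel verification the post recommends, not a verdict; the check is deliberately cheap so it can run on every inbound message.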

How to Evaluate Computer Security Companies Honestly

I'm not telling you to stop buying security products. I'm telling you to buy smarter and fill the gaps yourself.

Step 1: Map Your Actual Risk Surface

Before you talk to any vendor, document where your data lives, who touches it, and how it moves. Most breaches follow the data, not the devices. CISA's Cyber Essentials guidance is a solid starting point for small and mid-sized organizations that want a structured framework without drowning in NIST 800-53 controls.

Step 2: Prioritize the Human Layer

Your employees are either your greatest vulnerability or your strongest sensor network. The difference is training. Not annual compliance videos — real, ongoing security awareness training that uses current threat scenarios.

Start with a comprehensive cybersecurity awareness training program that covers social engineering, credential hygiene, safe browsing, and incident reporting. Then layer in targeted phishing awareness training for your organization that runs simulations, tracks click rates, and delivers just-in-time coaching when someone falls for a test.

In my experience, organizations that run monthly phishing simulations see click rates drop from 30%+ to under 5% within six months. That's a measurable reduction in your attack surface that no firewall can match.
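The click-rate baseline, the month-over-month drop and the just-in-time coaching list described above are straightforward to compute from simulation exports. This is an added example, not the post's own tooling: Python that turns constructed per-recipient results into campaign click and report rates, per-department rates for one campaign, and the list of users who clicked in more than one campaign. The data, user names and departments are invented.

```python
from collections import defaultdict

# Constructed results of two monthly simulations, one row per recipient:
# (campaign, user, department, clicked the lure, reported it to security).
RESULTS = [
    ("2022-01", "amy", "finance", True,  False),
    ("2022-01", "bob", "finance", True,  False),
    ("2022-01", "cat", "eng",     False, True),
    ("2022-01", "dan", "eng",     True,  False),
    ("2022-02", "amy", "finance", True,  False),
    ("2022-02", "bob", "finance", False, True),
    ("2022-02", "cat", "eng",     False, True),
    ("2022-02", "dan", "eng",     False, False),
]

def campaign_rates(results):
    """Click rate and report rate per campaign, as fractions of recipients."""
    totals = defaultdict(lambda: [0, 0, 0])  # sent, clicked, reported
    for campaign, _user, _dept, clicked, reported in results:
        t = totals[campaign]
        t[0] += 1
        t[1] += int(clicked)
        t[2] += int(reported)
    return {c: {"click_rate": clk / sent, "report_rate": rep / sent}
            for c, (sent, clk, rep) in sorted(totals.items())}

def department_click_rates(results, campaign):
    """Click rate per department for one campaign, to aim training where it is needed."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for c, _user, dept, clk, _rep in results:
        if c == campaign:
            sent[dept] += 1
            clicked[dept] += int(clk)
    return {d: clicked[d] / sent[d] for d in sorted(sent)}

def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: the just-in-time coaching list."""
    counts = defaultdict(int)
    for _c, user, _dept, clicked, _rep in results:
        counts[user] += int(clicked)
    return sorted(u for u, n in counts.items() if n >= min_clicks)

if __name__ == "__main__":
    for campaign, rates in campaign_rates(RESULTS).items():
        print(campaign, f"click {rates['click_rate']:.0%}", f"report {rates['report_rate']:.0%}")
    print("coaching list:", repeat_clickers(RESULTS))
```

Track the report rate alongside the click rate: a rising report rate is the signal that the workforce has become the sensor network the post describes, and it is the metric an email gateway cannot give you.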

Step 3: Demand Transparency From Vendors

Ask every computer security company you evaluate these three questions:

  • What percentage of your customers experienced a breach while using your product in the last 12 months?
  • What does your product not protect against?
  • How does your tool integrate with our incident response workflow?

Most vendors won't answer the first question. That's fine — their reaction tells you everything. The second question separates honest vendors from the ones selling silver bullets. The third question reveals whether the product creates operational value or just dashboards.

Step 4: Implement MFA Before You Buy Anything Else

If you haven't deployed multi-factor authentication across email, VPN, cloud services, and administrative accounts, stop reading vendor brochures and do that first. MFA blocks the vast majority of credential theft attacks. Microsoft reported in 2019 that MFA blocks 99.9% of automated account compromise attacks. That data still holds.

This is the single highest-ROI security control available to any organization, regardless of size.

Step 5: Build a Zero Trust Mindset, Not Just a Zero Trust Architecture

Zero trust has become a marketing term that every vendor pastes on their product page. But the actual principle — never trust, always verify — is a cultural shift, not a product purchase.

Train your team to verify unexpected requests through a second channel. Confirm wire transfers by phone. Question unusual login alerts. Report suspicious emails instead of deleting them. That behavioral shift is zero trust at the human layer, and it costs you nothing but time.

What Actually Stops Breaches: The Data Is Clear

Let me put the evidence in one place so there's no ambiguity about what works.

The 2022 Verizon DBIR: 82% of breaches involved the human element. Social engineering attacks increased significantly year over year, with phishing present in 36% of all breaches — up from prior years.

The FBI IC3 2021 report: $6.9 billion in total reported cybercrime losses. BEC led all categories in dollar losses. Phishing led all categories in complaint volume with 323,972 reported incidents.

IBM's 2022 Cost of a Data Breach Report: Organizations with fully deployed security AI and automation saved $3.05 million per breach. But organizations with trained incident response teams and tested IR plans saved $2.66 million — without requiring seven-figure technology investments.

The pattern is unmistakable. Technology helps. But trained, aware humans remain the most cost-effective control in your entire security program.

Frequently Asked: Do I Still Need Computer Security Companies?

Yes. Absolutely. Endpoint protection, network monitoring, vulnerability scanning, penetration testing, and managed detection and response all play critical roles. The point isn't to abandon tools — it's to stop pretending tools are enough.

Think of it this way: you need locks on your doors, but you also need your employees to stop propping them open. The best security posture combines strong technical controls with continuous human training.

If your organization has deployed tools but hasn't invested in ongoing security awareness education, you've built half a wall. Threat actors only need to find the half you left open.

Your Move: Close the Human Gap This Week

Here's what I'd do if I walked into your organization on Monday morning:

  • Day 1: Audit MFA coverage. If it's not on email and VPN, deploy it immediately.
  • Day 2: Enroll your team in a cybersecurity awareness training course that covers the threats you're actually facing in 2022 — BEC, ransomware, credential phishing, and smishing.
  • Day 3: Launch your first phishing simulation. Baseline your click rate. Don't punish anyone — use the data to target your training.
  • Day 4: Review your incident response plan. If you don't have one, write a one-page version that covers who to call, how to isolate, and when to escalate.
  • Day 5: Call your existing vendors and ask what their products don't cover. Fill those gaps with process and training, not more products.

Computer security companies will always have a role in your defense strategy. But the organizations that survive breaches in 2022 are the ones that invest equally in their people. The data proves it. The breaches confirm it. The only question is whether you'll act on it before a threat actor makes the decision for you.