The Colonial Pipeline Just Proved Your Security Needs Security
On May 7, 2021, a single compromised password shut down 5,500 miles of fuel pipeline. Colonial Pipeline paid a $4.4 million ransom within hours. The attack didn't exploit some exotic zero-day. It walked through a legacy VPN account that lacked multi-factor authentication. One layer. One failure point. Catastrophe.
That's why computer security security isn't a redundant phrase — it's the entire philosophy you need to survive 2021's threat landscape. Securing your security means every control has a backup, every assumption gets challenged, and no single failure hands an attacker the keys to your kingdom.
This post breaks down exactly how to build layered defenses that hold when individual controls fail. I'm drawing from real breaches, current threat data, and the practical steps I've seen actually work in organizations ranging from five employees to five thousand.
What Is Computer Security Security, Really?
Think of it this way: computer security is the lock on your door. Computer security security is the deadbolt behind the lock, the camera watching the door, the alarm that triggers when the door opens unexpectedly, and the neighbor who calls you when a stranger is on your porch.
The concept maps directly to what the industry calls defense in depth. NIST's Cybersecurity Framework lays out five core functions — Identify, Protect, Detect, Respond, Recover — precisely because no single function is enough. If your protection fails, your detection must catch it. If detection fails, your response plan limits the blast radius. You can explore the full framework at NIST's official Cybersecurity Framework page.
In my experience, the organizations that get breached the hardest aren't the ones with zero security. They're the ones that trusted a single layer too much.
Why Single-Layer Defense Keeps Failing in 2021
The Numbers Are Brutal
The FBI IC3 2020 Internet Crime Report logged 791,790 complaints — a 69% increase over 2019. Reported losses exceeded $4.2 billion. Business email compromise alone accounted for $1.8 billion of that total. These aren't sophisticated nation-state attacks in most cases. They're social engineering, credential theft, and phishing campaigns that bypassed whatever single control the victim relied on.
One Password. One Pipeline. One Lesson.
Colonial Pipeline is the headline, but I've seen this pattern hundreds of times at smaller scale. A company invests heavily in a firewall but skips endpoint detection. Or they deploy antivirus but never train employees to recognize a phishing email. Or they implement multi-factor authentication on their email but leave their VPN wide open. Every gap is an invitation.
The Verizon 2021 Data Breach Investigations Report found that 85% of breaches involved a human element. That means your technical controls — no matter how expensive — are only as strong as the person clicking links at 4:47 PM on a Friday.
Building Real Computer Security Security: The Practical Framework
Here's the layered approach I recommend to every organization I work with. Each layer assumes the one before it can fail.
Layer 1: Know What You're Protecting
You can't secure what you haven't inventoried. Every device, every cloud instance, every SaaS application, every user account — cataloged. I've walked into organizations that didn't know they had 40% more internet-facing assets than they thought. Shadow IT is real. Forgotten test servers are real. That legacy VPN account at Colonial Pipeline was real.
- Run automated asset discovery monthly at minimum.
- Maintain a current network diagram — not the one from 2018.
- Classify data by sensitivity. Not everything needs the same protection level.
Layer 2: Harden Everything Before an Attacker Touches It
This is your traditional security layer — patching, configuration management, access controls. But here's where computer security security thinking changes your approach: you harden assuming that an attacker will eventually get past these controls.
- Patch critical vulnerabilities within 48 hours. The Microsoft Exchange ProxyLogon vulnerabilities disclosed in March 2021 were exploited within hours of disclosure. CISA issued an emergency directive for a reason.
- Enforce least privilege access. No one gets admin rights they don't actively need.
- Implement multi-factor authentication everywhere — not just email. VPN, cloud platforms, admin consoles, everything.
- Disable legacy protocols. If it doesn't support MFA, it shouldn't face the internet.
Layer 3: Train the Humans
I'll say it plainly: if you're not running regular security awareness training, you're leaving your biggest attack surface completely undefended. Threat actors don't need to beat your firewall when they can beat your receptionist.
Phishing remains the top initial access vector in the Verizon DBIR year after year. Organizations that run phishing simulation exercises consistently have shown measurable reductions in credential theft. Your employees aren't the weakest link — they're the most undertrained one.
If you're looking for a place to start, our cybersecurity awareness training course covers the fundamentals every employee needs. For organizations ready to test and improve their resilience against email-based attacks, our phishing awareness training for organizations provides hands-on simulation and education that maps directly to real-world threats.
Layer 4: Detect What Gets Through
Prevention is ideal. Detection is mandatory. If the Colonial Pipeline attack taught us anything, it's that dwell time — the gap between initial compromise and discovery — determines the damage.
- Deploy endpoint detection and response (EDR) on every workstation and server.
- Monitor authentication logs for impossible travel, unusual hours, and failed MFA attempts.
- Set up alerts for lateral movement indicators: new service installations, remote access tool execution, credential dumping tools.
- Conduct regular log reviews. Automated alerts catch known patterns. Human analysts catch the creative stuff.
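The three authentication-log checks listed above, as an added example that is not part of the original post: a small detector run over constructed sample logins (the log format, the 900 km/h travel limit, the 07:00-19:00 UTC working window and the three-failures-in-ten-minutes rule are all assumptions for illustration).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample authentication events (not real data), one per line:
# timestamp(UTC),user,city,lat,lon,result
SAMPLE_LOG = [
    "2021-05-06T02:15:00Z,alice,Houston,29.76,-95.37,mfa_ok",
    "2021-05-06T02:40:00Z,alice,Frankfurt,50.11,8.68,mfa_ok",
    "2021-05-06T14:05:00Z,bob,Atlanta,33.75,-84.39,mfa_ok",
    "2021-05-06T14:06:00Z,carol,Denver,39.74,-104.99,mfa_fail",
    "2021-05-06T14:07:00Z,carol,Denver,39.74,-104.99,mfa_fail",
    "2021-05-06T14:08:00Z,carol,Denver,39.74,-104.99,mfa_fail",
]

def parse(line):
    ts, user, city, lat, lon, result = line.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "city": city, "lat": float(lat), "lon": float(lon), "result": result}

def km_between(a, b):
    # Great-circle (haversine) distance in km between two events' coordinates.
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(lines, max_kmh=900, work_hours=(7, 19), fail_limit=3, window_min=10):
    """Return (rule, user, detail) alerts. All thresholds are assumed tuning values."""
    events = sorted((parse(l) for l in lines), key=lambda e: (e["user"], e["ts"]))
    alerts, last_ok, fails = [], {}, defaultdict(list)
    for e in events:
        u = e["user"]
        if e["result"] == "mfa_ok":
            # Impossible travel: implied speed since the user's previous success is not plausible.
            if u in last_ok:
                hours = (e["ts"] - last_ok[u]["ts"]).total_seconds() / 3600
                if hours > 0 and km_between(last_ok[u], e) / hours > max_kmh:
                    alerts.append(("impossible_travel", u, f"{last_ok[u]['city']}->{e['city']}"))
            last_ok[u] = e
            # Unusual hours: success outside the assumed working window (UTC).
            if not work_hours[0] <= e["ts"].hour < work_hours[1]:
                alerts.append(("unusual_hours", u, e["ts"].strftime("%H:%M UTC")))
        else:
            # Failed MFA burst: fail_limit failures inside a sliding window.
            fails[u] = [t for t in fails[u] if e["ts"] - t <= timedelta(minutes=window_min)]
            fails[u].append(e["ts"])
            if len(fails[u]) == fail_limit:
                alerts.append(("mfa_failures", u, f"{fail_limit} in {window_min} min"))
    return alerts
```

Real deployments would replace the city/lat/lon columns with the IdP's geo-IP enrichment and tune the working window per user or timezone rather than using one global value.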
Layer 5: Prepare to Respond Before You Need To
An incident response plan that lives in a drawer is not a plan. It's a document. I've watched organizations lose days during active ransomware incidents because nobody knew who had authority to disconnect systems or who to call first.
- Write the plan. Review it quarterly.
- Run tabletop exercises at least twice a year. Walk through a ransomware scenario, a data breach notification, a compromised admin account.
- Pre-establish relationships with outside incident response firms, legal counsel, and your cyber insurance carrier.
- Maintain offline backups. Test restores monthly. The DarkSide ransomware variant that hit Colonial Pipeline specifically targets backup infrastructure.
Layer 6: Adopt Zero Trust Principles
Zero trust isn't a product you buy. It's an architecture philosophy: never trust, always verify. Every access request gets authenticated, authorized, and encrypted — regardless of where it originates. Inside the network doesn't mean trusted.
This approach directly supports computer security security because it eliminates the idea of a trusted zone. If a threat actor compromises one endpoint, zero trust architecture limits what that endpoint can reach.
- Microsegment your network. Database servers shouldn't be reachable from every workstation.
- Implement conditional access policies tied to device health, user identity, and request context.
- Encrypt data in transit and at rest, even on internal networks.
How Do You Secure Your Security Controls Themselves?
This is the question most organizations skip — and it's the heart of computer security security. Your security tools are targets too. If an attacker compromises your antivirus management console, they can disable protection across every endpoint. If they access your SIEM, they can delete the very logs that would reveal their activity.
- Treat security tool admin accounts as Tier 0 assets. MFA, privileged access workstations, session recording — the works.
- Monitor your monitoring. Set independent alerts for when security agents go offline or management consoles are accessed outside normal patterns.
- Separate security infrastructure from the general network. Your SIEM should not be on the same VLAN as user workstations.
- Keep offline copies of critical logs. If an attacker wipes your centralized logging, offline copies preserve the evidence.
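"Monitor your monitoring" from the list above, as an added example that is not part of the original post: an independent check that flags security agents that have stopped checking in and security-console logins from outside a per-admin baseline, escalating when the two coincide. The host names, the 30-minute heartbeat gap and the privileged-workstation baseline are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed EDR agent heartbeats and security-console logins (not real data).
HEARTBEATS = {  # host -> last agent check-in (UTC)
    "ws-012": "2021-05-06T15:58:00Z",
    "ws-044": "2021-05-06T13:02:00Z",  # no check-in for roughly three hours
    "srv-db1": "2021-05-06T15:59:30Z",
}
CONSOLE_LOGINS = [  # timestamp,admin user,source host
    "2021-05-06T15:30:00Z,secadmin,paw-01",
    "2021-05-06T15:45:00Z,secadmin,ws-044",
]
# Baseline assumption: security admins log in only from privileged access workstations.
APPROVED_SOURCES = {"secadmin": {"paw-01", "paw-02"}}

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def silent_agents(heartbeats, now, max_gap=timedelta(minutes=30)):
    """Hosts whose agent has not checked in within max_gap (assumed threshold)."""
    return sorted(h for h, last in heartbeats.items() if now - ts(last) > max_gap)

def review_console_access(logins, approved, silent):
    """Flag console logins from outside the per-admin baseline. Escalate to 'high'
    when the source host is also one whose agent has gone quiet: a host with no
    telemetry touching the console is exactly the tampering scenario to catch."""
    alerts = []
    for line in logins:
        when, user, src = line.split(",")
        if src in approved.get(user, set()):
            continue
        severity = "high" if src in silent else "medium"
        alerts.append((severity, user, src, when))
    return alerts

def monitor_the_monitoring(now_str, heartbeats=HEARTBEATS, logins=CONSOLE_LOGINS,
                           approved=APPROVED_SOURCES):
    # Run both checks from one vantage point that is independent of the tools being watched.
    silent = silent_agents(heartbeats, ts(now_str))
    return {"silent_agents": silent,
            "console_alerts": review_console_access(logins, approved, silent)}
```

The point of the design is that this check reads heartbeat and console data from a store the monitored tools themselves cannot modify; running it inside the same console it watches defeats the purpose.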
The SolarWinds supply chain attack discovered in December 2020 showed exactly what happens when a security tool becomes the attack vector. A compromised update to SolarWinds Orion — a network monitoring platform — gave threat actors access to 18,000 organizations, including multiple U.S. government agencies. Your security tools need their own security.
The $4.88M Reason to Layer Your Defenses Now
IBM's Cost of a Data Breach Report 2020 put the global average cost of a breach at $3.86 million. For U.S. organizations, that average hit $8.64 million. Breaches with a lifecycle longer than 200 days cost significantly more than those contained quickly. Every layer you add shrinks that lifecycle.
Organizations that had fully deployed security automation — layered detection, automated containment, orchestrated response — saved an average of $3.58 million per breach compared to those with no automation. That's not a theoretical benefit. It's the measurable result of having security behind your security.
Where Most Organizations Should Start Tomorrow
If your head is spinning, here's the priority list I give to every organization I advise:
- This week: Enable multi-factor authentication on every external-facing system. Every single one.
- This month: Launch a phishing awareness training program that includes regular simulations.
- This quarter: Deploy endpoint detection and response. Antivirus alone hasn't been sufficient for years.
- Next quarter: Run your first tabletop incident response exercise. Write the plan if you don't have one.
- Ongoing: Invest in continuous security awareness training for every employee, including executives and IT staff.
Every item on that list adds a layer. Every layer makes the attacker's job harder. And when one layer fails — because eventually it will — the next one holds.
Security Isn't a State. It's a Stack.
Colonial Pipeline had security. They had a password on that VPN. What they didn't have was security behind that security — no MFA, no monitoring that flagged a dormant account suddenly pulling data, no segmentation that would have contained the blast.
Computer security security means building your defenses with the assumption that each one will be tested and some will fail. It means watching your watchers, backing up your backups, and training the humans who interact with every system you own. The organizations that survive 2021's threat landscape won't be the ones with the biggest security budgets. They'll be the ones with the most layers — and the discipline to maintain them all.