Colonial Pipeline Just Showed Us What Happens Without a Real Computer Security Service
On May 7, 2021, a single compromised password shut down the largest fuel pipeline in the United States. Colonial Pipeline went dark. Gas stations across the Southeast ran dry. The company paid a $4.4 million ransom to a threat actor group called DarkSide — all because of one stolen credential and a VPN that lacked multi-factor authentication.
If you're shopping for a computer security service right now, this incident should be your wake-up call. It's not about firewalls. It's not about antivirus software. It's about layers — and most organizations are missing the ones that matter most.
I've spent years watching companies pour money into security tools while ignoring the human element. The Verizon 2021 Data Breach Investigations Report found that 85% of breaches involved a human element — phishing, credential theft, social engineering, or simple errors. No computer security service in the world will save you if your people are clicking every link that lands in their inbox.
This post breaks down what actually works, what's a waste of money, and where to start if you're serious about protecting your organization in 2021.
What a Computer Security Service Should Actually Include
Here's what I tell every business owner and IT director who asks me what to look for: if a provider can't explain how they address human risk, walk away. Tools matter. But people are the attack surface that threat actors exploit most often.
A legitimate computer security service in 2021 should cover at least these five areas:
- Security awareness training — ongoing, not once a year
- Phishing simulation and testing — regular, measured, and tied to real metrics
- Endpoint detection and response (EDR) — not just traditional antivirus
- Multi-factor authentication (MFA) — on every external-facing system, no exceptions
- Incident response planning — a documented, rehearsed plan your team can execute under pressure
If your current provider isn't touching all five, you have gaps. And gaps are where ransomware operators and credential thieves live.
The Human Firewall Isn't Optional
I've reviewed post-breach forensics for organizations that had excellent perimeter security. Firewalls configured correctly. Intrusion detection humming along. And still, an employee clicked a phishing email, entered their credentials on a spoofed login page, and gave a threat actor the keys to the kingdom.
The FBI's Internet Crime Complaint Center (IC3) reported over $4.2 billion in losses from cybercrime in 2020, with business email compromise accounting for the largest share of those losses and phishing generating the most complaints. You can read the details in their 2020 Internet Crime Report. These aren't exotic zero-day attacks. They're social engineering, and they work because employees aren't trained to spot them.
That's why any serious computer security service must include cybersecurity awareness training as a foundational layer. Not a checkbox exercise. Real, ongoing education that changes behavior.
The $3.86M Lesson Most Organizations Learn Too Late
IBM's 2020 Cost of a Data Breach Report pegged the global average cost of a data breach at $3.86 million. For U.S. companies, that number jumped to $8.64 million. Healthcare was even worse.
Most of these breaches didn't start with a sophisticated attack. They started with stolen credentials, misconfigured cloud storage, or a phishing email. The boring stuff. The stuff a well-implemented security service catches before it becomes a headline.
Here's what I've seen repeatedly: organizations treat security as a technology purchase. They buy a firewall, install endpoint protection, maybe set up a SIEM, and call it done. Then a social engineering attack walks right through the front door because nobody trained the receptionist, the finance team, or the CEO.
Why Phishing Simulations Are Non-Negotiable
Phishing simulation isn't about catching employees doing something wrong. It's about building muscle memory. When your team sees a suspicious email in a simulation, they learn to pause. When they see a real one, that pause saves your organization.
I've watched click rates drop from 30% to under 5% in organizations that run monthly phishing simulations combined with immediate, contextual training. That's not theory — that's measurable risk reduction.
If you're looking to build this capability, phishing awareness training designed for organizations gives your team the repetition and feedback loop they need. It's one of the highest-ROI investments in your security stack.
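As an added example (not from the original post) of how to turn simulation results into the metrics described above, the Python script below computes click, credential-submission and report rates per campaign, the click-rate trend over time, per-department rates, and the repeat clickers who need one-on-one coaching. The same script serves the baseline-and-track step in the checklist later in the post. The result table, its field names and the employees in it are constructed for illustration.

```python
"""Phishing simulation metrics: click, submit and report rates, trend, and
repeat clickers.

Added example. It works on a per-recipient result table like the CSV exports
most simulation platforms produce; the column names below are assumptions.
"""
from collections import defaultdict

# Constructed sample data: three monthly campaigns sent to six employees.
# Fields: campaign, user, department, clicked, submitted_credentials, reported
SIM_RESULTS = [
    ("2021-01", "alice", "finance", True,  True,  False),
    ("2021-01", "bob",   "finance", True,  False, False),
    ("2021-01", "carol", "it",      False, False, True),
    ("2021-01", "dave",  "sales",   True,  True,  False),
    ("2021-01", "erin",  "sales",   False, False, False),
    ("2021-01", "frank", "sales",   True,  False, False),
    ("2021-02", "alice", "finance", True,  False, False),
    ("2021-02", "bob",   "finance", False, False, True),
    ("2021-02", "carol", "it",      False, False, True),
    ("2021-02", "dave",  "sales",   True,  True,  False),
    ("2021-02", "erin",  "sales",   False, False, True),
    ("2021-02", "frank", "sales",   False, False, False),
    ("2021-03", "alice", "finance", False, False, True),
    ("2021-03", "bob",   "finance", False, False, True),
    ("2021-03", "carol", "it",      False, False, True),
    ("2021-03", "dave",  "sales",   True,  False, False),
    ("2021-03", "erin",  "sales",   False, False, True),
    ("2021-03", "frank", "sales",   False, False, False),
]


def campaign_metrics(rows):
    """Per-campaign counts and rates (fractions of recipients), oldest first.
    A campaign with few clicks and many reports is the outcome you want."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for campaign, _user, _dept, clicked, submitted, reported in rows:
        t = totals[campaign]
        t["sent"] += 1
        t["clicked"] += clicked        # bools add as 0/1
        t["submitted"] += submitted
        t["reported"] += reported
    for t in totals.values():
        t["click_rate"] = t["clicked"] / t["sent"]
        t["submit_rate"] = t["submitted"] / t["sent"]
        t["report_rate"] = t["reported"] / t["sent"]
    return dict(sorted(totals.items()))


def click_rate_trend(rows):
    """(campaign, click_rate) in chronological order: the curve leadership asks for."""
    return [(c, m["click_rate"]) for c, m in campaign_metrics(rows).items()]


def department_click_rates(rows, campaign):
    """Click rate per department for one campaign, to aim training where it is needed."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for c, _user, dept, clk, _sub, _rep in rows:
        if c == campaign:
            sent[dept] += 1
            clicked[dept] += clk
    return {d: clicked[d] / sent[d] for d in sorted(sent)}


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns, worst first.
    These people need individual coaching, not another company-wide module."""
    clicks = defaultdict(set)
    for campaign, user, _dept, clicked, _sub, _rep in rows:
        if clicked:
            clicks[user].add(campaign)
    hits = [(u, len(c)) for u, c in clicks.items() if len(c) >= min_campaigns]
    return sorted(hits, key=lambda uc: (-uc[1], uc[0]))


if __name__ == "__main__":
    for campaign, m in campaign_metrics(SIM_RESULTS).items():
        print(f"{campaign}: sent={m['sent']} click={m['click_rate']:.0%} "
              f"submit={m['submit_rate']:.0%} report={m['report_rate']:.0%}")
    print("trend:", click_rate_trend(SIM_RESULTS))
    print("by department (2021-03):", department_click_rates(SIM_RESULTS, "2021-03"))
    print("repeat clickers:", repeat_clickers(SIM_RESULTS))
```

Track the credential-submission rate separately from the click rate: a click on a link is a near miss, a password typed into the spoofed page is the event that would have cost you the network.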
What Does a Computer Security Service Cost?
This is the question I get most often, so let me answer it directly.
A computer security service typically costs between $100 and $250 per user per month for managed security services, depending on scope. That includes monitoring, endpoint protection, vulnerability management, and some level of incident response. Security awareness training platforms add $15 to $50 per user per year. Phishing simulation tools are often bundled or available separately at similar price points.
The real question isn't cost, it's cost compared to what? A ransomware attack averages $1.85 million in total remediation costs, according to Sophos's 2021 State of Ransomware report. That number includes downtime, recovery, lost business, and ransom payments. For a 200-person company at the low end of the range above, $100 per user per month, you're looking at $240,000 a year versus a potential seven-figure loss.
The math isn't close.
Where Small Businesses Get It Wrong
Small businesses often assume they're not targets. The data says otherwise. The Verizon DBIR consistently shows that small businesses represent a significant percentage of breach victims. Threat actors automate their attacks — they don't care if you have 20 employees or 20,000. If your credentials are exposed and your VPN doesn't require MFA, you're a target.
I've seen small businesses hit with ransomware that had no backups, no incident response plan, and no way to recover. Some of them didn't survive. A basic computer security service — even a lean one — would have prevented most of those incidents.
Zero Trust: The Framework Your Security Service Should Follow
If your security provider isn't talking about zero trust in 2021, they're behind. The concept is simple: never trust, always verify. Every user, every device, every connection gets authenticated and authorized before accessing resources.
NIST published their Zero Trust Architecture guidelines (SP 800-207) in August 2020, and it's quickly becoming the standard framework for modern security architecture. The Colonial Pipeline breach is a textbook example of what happens without it — a single compromised credential gave an attacker lateral movement across the network with no additional verification.
Zero trust isn't a product you buy. It's a design philosophy. Your computer security service should be helping you implement it incrementally: MFA first, then network segmentation, then least-privilege access controls, then continuous monitoring.
MFA: The Single Cheapest Security Win
Multi-factor authentication makes a stolen password alone useless in most cases. Microsoft reported in 2019 that MFA blocks 99.9% of automated account compromise attacks. Yet in 2021, I still encounter organizations — large ones — that don't require MFA for email, VPN, or cloud services.
If you do nothing else after reading this post, turn on MFA everywhere. It's the single most impactful change you can make today. One caveat: not every second factor is equal. SMS codes and push prompts can be captured by real-time phishing proxies or worn down by repeated push requests, so for administrators and remote access prefer phishing-resistant methods such as FIDO2 security keys, and treat the 99.9% figure as what you get against automated attacks, not against a determined, targeted one.
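An added example, not from the original post, of the check a provider should be able to run for you: audit an identity export for the accounts that would let one stolen password through. It flags externally reachable or privileged accounts without MFA, privileged accounts on weak factors, and enabled accounts nobody has used in months, and it reports MFA coverage as a single number to track month over month. The export format, field names, account list, method labels and the 90-day dormancy threshold are all assumptions; the logic is what matters.

```python
"""Audit an identity export for the gaps that turn one stolen password into a
breach: externally reachable or privileged accounts without MFA, privileged
accounts on weak MFA, and enabled accounts nobody has used in months.

Added example, not from the post. The export format (a JSON list with these
field names) and the 90-day dormancy threshold are assumptions; most identity
providers and VPN appliances can produce something close to it.
"""
import json
from datetime import date, timedelta

AUDIT_DATE = date(2021, 5, 14)       # assumption: the day the audit runs
DORMANT_AFTER = timedelta(days=90)   # assumption: local policy threshold
STRONG_MFA = {"fido2", "smartcard"}  # phishing-resistant methods; labels are assumptions

# Constructed sample export; none of these are real accounts.
ACCOUNT_EXPORT = json.dumps([
    {"user": "jsmith", "enabled": True, "mfa": "fido2", "admin": False,
     "external": ["vpn", "email"], "last_login": "2021-05-13"},
    {"user": "contractor7", "enabled": True, "mfa": "none", "admin": False,
     "external": ["vpn"], "last_login": "2021-01-20"},
    {"user": "svc-backup", "enabled": True, "mfa": "none", "admin": True,
     "external": [], "last_login": "2021-05-14"},
    {"user": "mlee", "enabled": True, "mfa": "sms", "admin": True,
     "external": ["email", "cloud-console"], "last_login": "2021-05-12"},
    {"user": "oldintern", "enabled": False, "mfa": "none", "admin": False,
     "external": ["vpn"], "last_login": "2020-08-01"},
    {"user": "rchen", "enabled": True, "mfa": "app", "admin": False,
     "external": ["email"], "last_login": "2021-05-10"},
])


def audit(export_json, today=AUDIT_DATE, dormant_after=DORMANT_AFTER):
    """Return (severity, user, reason) tuples, most urgent first."""
    findings = []
    for acct in json.loads(export_json):
        if not acct["enabled"]:
            continue  # a disabled account cannot authenticate; out of scope here
        user = acct["user"]
        has_mfa = acct["mfa"] != "none"
        idle = today - date.fromisoformat(acct["last_login"])

        # A password alone, reachable from the internet: the Colonial Pipeline pattern.
        if acct["external"] and not has_mfa:
            findings.append(("CRITICAL", user,
                             "no MFA on external access: " + ", ".join(acct["external"])))
        # Privileged accounts get no exceptions, and weak factors are not enough for them.
        if acct["admin"] and not has_mfa:
            findings.append(("CRITICAL", user, "privileged account without MFA"))
        elif acct["admin"] and acct["mfa"] not in STRONG_MFA:
            findings.append(("HIGH", user,
                             f"privileged account on weak MFA ({acct['mfa']}); "
                             "move to a phishing-resistant method"))
        # Enabled-but-unused accounts are the ones nobody notices being abused.
        if idle > dormant_after:
            findings.append(("HIGH", user,
                             f"enabled but unused for {idle.days} days; disable or justify"))

    rank = {"CRITICAL": 0, "HIGH": 1}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


def mfa_coverage(export_json):
    """Fraction of enabled accounts with any MFA: the one number to track monthly."""
    enabled = [a for a in json.loads(export_json) if a["enabled"]]
    if not enabled:
        return 1.0
    return sum(a["mfa"] != "none" for a in enabled) / len(enabled)


if __name__ == "__main__":
    print(f"MFA coverage: {mfa_coverage(ACCOUNT_EXPORT):.0%}")
    for severity, user, reason in audit(ACCOUNT_EXPORT):
        print(f"[{severity}] {user}: {reason}")
```

Run it against a fresh export every month and the coverage number plus the length of the CRITICAL list give you the "measure improvement over time" metric the evaluation questions below ask for.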
How to Evaluate a Computer Security Service Provider
I've helped organizations evaluate dozens of security providers. Here's my shortlist of questions that separate the real ones from the sales pitches:
- Do you provide regular phishing simulations? If the answer is no, or "we can add that," keep looking.
- What does your incident response process look like? They should be able to describe it in specific steps, with defined SLAs.
- How do you measure security improvement over time? Look for metrics: phishing click rates, mean time to detect, vulnerability remediation speed.
- Do you include security awareness training? This should be baked in, not an upsell.
- Can you explain your approach to zero trust? If they look confused, that tells you everything.
- What happens when — not if — we have a breach? The answer should involve a specific, documented plan, not vague reassurances.
Red Flags to Watch For
Run from any provider that guarantees you won't be breached. No one can promise that. Run from anyone who focuses exclusively on technology without addressing the human element. And run from anyone who can't show you real data from their existing clients — anonymized is fine, but they should have metrics to share.
Building Your Own Security Foundation Today
You don't need a six-figure contract to start improving your security posture right now. Here's where to begin:
Step 1: Enable MFA on everything. Email, VPN, cloud apps, admin consoles. Everything. Today.
Step 2: Start security awareness training. Get your employees through a structured cybersecurity awareness training program that covers phishing, social engineering, password hygiene, and data handling. Do it this month, not next quarter.
Step 3: Run phishing simulations. Baseline your organization's click rate with a phishing awareness training program, then track improvement monthly. This is how you measure whether your training actually works.
Step 4: Review your backups. Can you restore from backup if ransomware encrypts every system you have? Test it. Actually test it, by restoring to a clean machine and checking the data, not by reading the job log. A backup you've never restored from is a hope, not a plan. And keep at least one copy offline or immutable: ransomware operators routinely find and destroy reachable backups before they encrypt production.
Step 5: Write an incident response plan. CISA offers excellent templates and guidance at cisa.gov. Your plan should define roles, communication chains, containment procedures, and recovery steps. Then rehearse it.
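An added example, not from the original post, of what "actually test it" means for Step 4: hash every file at backup time, restore the archive into a scratch directory, and compare, then run the same comparison against the live tree to see what a restore today would lose. The sample files and the tar-based backup are constructed for illustration; any backup product fits the same hash-before, rehash-after pattern.

```python
"""Prove a backup restores: hash every file at backup time, restore the archive
into a scratch directory, and compare. Then re-check against the live tree to
see what a restore from this archive would lose today.

Added example, not from the post. It uses a local tar archive so it runs
offline; the same hash-at-backup, rehash-after-restore check applies to any
backup product.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(root: Path, archive: Path) -> dict:
    """Write a gzipped tar of root and return the manifest taken at the same time."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into a fresh scratch directory and diff it against manifest.
    Returns {'missing': [...], 'corrupt': [...], 'extra': [...]}; three empty
    lists mean the archive gives back exactly what the manifest describes."""
    # Use the hardened extraction filter where the interpreter has it
    # (Python 3.12+ and the security backports); it rejects path traversal.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, **extract_opts)
        restored = build_manifest(dest)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupt": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def demo():
    """End-to-end run on constructed files: a clean restore check, then the
    same archive checked after the live tree has moved on."""
    with tempfile.TemporaryDirectory() as work:
        live = Path(work) / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "policy.txt").write_text("rotate keys quarterly\n")
        archive = Path(work) / "nightly.tar.gz"

        manifest = create_backup(live, archive)
        clean = verify_restore(archive, manifest)

        # The business keeps working after the backup job ran.
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (live / "contracts.txt").write_text("signed after the backup\n")
        drift = verify_restore(archive, build_manifest(live))
        return clean, drift


if __name__ == "__main__":
    clean, drift = demo()
    print("fresh archive:", clean)
    print("same archive vs live tree:", drift)
```

The second report is the one to show management: "corrupt" here means files that have changed since the backup and "missing" means files that did not exist yet, which together are exactly what a restore from last night would cost you. Schedule this against a copy that ransomware could not reach, not the one sitting on a share next to production.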
The Threat Landscape Isn't Slowing Down
We're five months into 2021, and we've already seen the SolarWinds supply chain attack aftermath, the Microsoft Exchange Server zero-day exploitation by Hafnium, and now Colonial Pipeline. Ransomware gangs are operating like professional businesses — with customer service portals, negotiation teams, and affiliate programs.
This isn't a future problem. It's a right-now problem. Every week you operate without a genuine computer security service — whether internal or external — is a week you're gambling with your organization's survival.
I've watched too many organizations learn this lesson after the breach. After the ransom payment. After the FTC investigation. After the customer notification letters. The time to act was yesterday. The next best time is today.
Start with the basics. Train your people. Implement MFA. Test your defenses. Build from there. Because the threat actors targeting your organization right now? They already started.