The Colonial Pipeline Just Proved Your Software Isn't Enough

On May 7, 2021, a single compromised password shut down the largest fuel pipeline in the United States. Colonial Pipeline's systems went dark, gasoline shortages spread across the Southeast, and a ransomware gang called DarkSide walked away with a $4.4 million ransom payment. The company had computer security software in place. Firewalls, endpoint tools, monitoring — the usual stack. None of it mattered because a threat actor got in through a legacy VPN account that lacked multi-factor authentication.

That's the reality I keep trying to explain to organizations: your security tools are only as strong as the humans and policies behind them. If you're searching for the right computer security software, you're asking the right question. But you're only asking half of it.

This post breaks down which tools actually matter in 2021, which ones are overrated, and — critically — why software without training is like a deadbolt on an open door.

What Computer Security Software Actually Does (and Doesn't Do)

Let's get specific. When people say "computer security software," they usually mean one of these categories:

  • Antivirus / Anti-malware: Scans files and processes for known malicious signatures and suspicious behavior.
  • Firewalls: Controls inbound and outbound network traffic based on rules.
  • Endpoint Detection and Response (EDR): Monitors endpoints for advanced threats, provides investigation and response capabilities.
  • Email Security Gateways: Filters phishing emails, malicious attachments, and spam before they reach inboxes.
  • SIEM (Security Information and Event Management): Aggregates logs, correlates events, and generates alerts across your environment.

Each of these tools serves a purpose. None of them is a silver bullet. The 2021 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element — credential theft, social engineering, phishing, or simple errors. Software can't patch human judgment.

The 85% Problem: Why Tools Alone Fail

I've done incident response for organizations that had six-figure security stacks. Premium EDR. Next-gen firewalls. SIEM with 24/7 monitoring. They still got breached. Every single time, the root cause was the same: someone clicked a link, reused a password, or fell for a social engineering attack.

The Verizon DBIR data backs this up year after year. You can read the 2021 Verizon Data Breach Investigations Report yourself — phishing was present in 36% of breaches this year, up from 25% last year. That's a massive jump.

Computer security software catches known threats. It flags suspicious behavior. But a well-crafted spear-phishing email that uses legitimate services and clean URLs? Your email gateway might let it sail right through. Your EDR won't trigger because the user willingly entered their credentials on a fake login page. No malware was ever delivered.

That's why I tell every organization: the most important layer in your security stack isn't software. It's cybersecurity awareness training for every employee.

Building a Layered Defense That Actually Works

Layer 1: Endpoint Protection That Goes Beyond Antivirus

Traditional antivirus is table stakes. If you're still relying on signature-based scanning alone, you're fighting 2021 threats with 2005 technology. Modern endpoint protection platforms (EPP) and EDR tools use behavioral analysis, machine learning, and threat intelligence to catch zero-day attacks and fileless malware.

Look for solutions that offer real-time monitoring, automated response capabilities, and integration with your broader security ecosystem. But remember — even the best EDR tool can't stop an employee from handing over credentials to a convincing phishing page.

Layer 2: Email Security With Phishing-Specific Defenses

Email remains the #1 attack vector. Your email security gateway should do more than block spam. It needs URL rewriting, attachment sandboxing, impersonation detection, and DMARC/DKIM/SPF enforcement.
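As an added illustration of the DMARC/DKIM/SPF enforcement mentioned above (example code written for this post, not from the original article or any vendor product), the following Python evaluates the DMARC verdict for a message the way a receiving gateway would: parse the sender domain's published policy, read the SPF and DKIM results the MTA recorded, and then apply the alignment rule that makes DMARC useful, namely that an SPF or DKIM pass only counts if the authenticated domain lines up with the visible From domain. The DMARC record, the Authentication-Results headers and the domains are all constructed for the example, and the organizational-domain reduction is a simplification (a real implementation consults the Public Suffix List).

```python
import re

# Constructed DMARC TXT record, as the owner of example.com would publish it at
# _dmarc.example.com. Domain and report address are placeholders.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tag/value pairs; defaults follow RFC 7489 (relaxed alignment)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def parse_auth_results(header: str) -> dict:
    """Extract the spf/dkim results and the domain each was evaluated against from an
    Authentication-Results header value (RFC 8601 shape; only the fields needed here)."""
    results = {"spf": ("none", ""), "dkim": ("none", "")}
    for clause in header.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)(.*)", clause)
        if not m:
            continue
        method, result, rest = m.groups()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.-]+)", rest)
        results[method] = (result.lower(), dom.group(1).lower() if dom else "")
    return results


def org_domain(domain: str) -> str:
    # Assumption: the last two labels are the organizational domain. Real
    # implementations use the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if not auth_domain:
        return False
    if mode == "s":  # strict: exact match with the RFC5322.From domain
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed


def dmarc_verdict(from_domain: str, auth_results_header: str, dmarc_record: str):
    """Return (dmarc_result, action) for one message; action is the receiver's
    disposition under the sender's published policy."""
    policy = parse_dmarc(dmarc_record)
    auth = parse_auth_results(auth_results_header)
    spf_result, spf_domain = auth["spf"]
    dkim_result, dkim_domain = auth["dkim"]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", action.get(policy["p"], "deliver")


# Constructed Authentication-Results headers, as a receiving MTA would add them.
LEGIT = "mx.receiver.example; spf=pass smtp.mailfrom=bulk.example.com; dkim=pass header.d=example.com"
# SPF passes, but for a sending domain the attacker controls: no alignment with the From domain.
SPOOF = "mx.receiver.example; spf=pass smtp.mailfrom=notify-example.test; dkim=none"
# DKIM failed (body changed in transit); SPF on the bulk.example.com subdomain still aligns under aspf=r.
MODIFIED = "mx.receiver.example; spf=pass smtp.mailfrom=bulk.example.com; dkim=fail header.d=example.com"

if __name__ == "__main__":
    for name, hdr in (("legit", LEGIT), ("spoof", SPOOF), ("modified", MODIFIED)):
        print(name, dmarc_verdict("example.com", hdr, DMARC_RECORD))
```

The spoof case is the one worth staring at: the message has a perfectly valid SPF pass, just for the wrong domain, and only the alignment check turns that into a reject. A gateway that stops at "SPF passed" will deliver it.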

But here's what I've seen in practice: even with all those controls, roughly 10-15% of phishing emails still reach inboxes. That's not a failure of the product — it's the nature of the threat. Attackers test their campaigns against popular security tools before launching them. They know what gets through.

That remaining 10-15% is why phishing awareness training for your organization isn't optional. It's your last line of defense, and often your most effective one.

Layer 3: Multi-Factor Authentication Everywhere

Colonial Pipeline's breach happened through a VPN account with a compromised password and no MFA. That one missing control cost them $4.4 million in ransom alone — not counting operational losses, reputational damage, and federal scrutiny.

Multi-factor authentication should be enabled on every account that supports it. Every single one. VPN, email, cloud applications, admin consoles, financial systems. CISA has been shouting this from the rooftops. Their guidance on multi-factor authentication is clear: MFA is one of the most impactful steps any organization can take.

No computer security software compensates for missing MFA. Period.

Layer 4: Network Segmentation and Zero Trust

Zero trust isn't a product you buy. It's an architecture philosophy: never trust, always verify. Every user, device, and connection is treated as potentially compromised.

In practice, this means network segmentation (so a breach in one area can't spread everywhere), least-privilege access controls, continuous authentication, and micro-segmentation where possible. The ransomware that hit Colonial Pipeline spread because the IT and OT networks weren't adequately segmented. A zero trust approach limits blast radius.

Layer 5: Security Awareness Training

This is where the real ROI lives. According to the Ponemon Institute's 2020 Cost of a Data Breach Report, organizations with security awareness training programs had breach costs that were $247,758 lower on average. Training doesn't just reduce risk — it measurably reduces financial impact.

Effective training includes regular phishing simulations, role-based education, and continuous reinforcement — not a once-a-year compliance video that everyone clicks through. Your employees need to recognize credential theft attempts, pretexting calls, and business email compromise scams in real time.

What's the Best Computer Security Software in 2021?

I get this question constantly. Here's my honest answer: the best computer security software is the combination that covers your specific risk profile, integrates well, and gets maintained properly. A $200,000 SIEM that nobody tunes is worse than a $20,000 one that's actively monitored.

That said, here are the non-negotiables for any organization in 2021:

  • Modern EDR (not just legacy antivirus) on every endpoint
  • Email security gateway with phishing-specific capabilities
  • MFA on every externally accessible account and all privileged accounts
  • DNS filtering to block known malicious domains
  • Patch management — automated where possible, tracked where not
  • Backup and recovery with offline/immutable copies (ransomware defense)
  • Security awareness training with ongoing phishing simulations

Skip any one of these and you've left a gap that threat actors will find.

The FTC Expects You to Do More Than Install Software

If you think installing computer security software satisfies your legal obligations, think again. The FTC has brought enforcement actions against companies that had "reasonable" technical controls but failed on training, policies, or access management.

In its action against Lightyear Dealer Technologies in 2019, the FTC cited failures in employee training and access controls — not just missing software. The message is clear: compliance requires a comprehensive approach. Technical tools plus human training plus documented policies.

NIST's Cybersecurity Framework lays this out explicitly. The five core functions — Identify, Protect, Detect, Respond, Recover — span technology, people, and process. You can't check those boxes with software alone.

How to Evaluate Whether Your Current Stack Is Working

Here's a quick self-assessment I run with organizations:

  • When was the last time you tested your phishing defenses? If you haven't run a phishing simulation in the past 90 days, you don't know where you stand. Start with structured phishing awareness training to establish a baseline.
  • Can you detect lateral movement? If an attacker compromises one workstation, do your tools alert on unusual internal traffic? Most don't, by default.
  • Is MFA enabled on all remote access? Check VPN, RDP, cloud admin portals, and email. If any of those lack MFA, fix it today.
  • Are your backups tested? Having backups isn't enough. When did you last restore from them? Ransomware operators now target backup systems specifically.
  • Do employees know what to report? If your team doesn't have a clear, simple process for reporting suspicious emails and calls, your detection capability has a massive blind spot.
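The lateral-movement question above ("do your tools alert on unusual internal traffic?") is easy to test yourself. As an added example (written for this post, not from any product or from the original article), the following Python runs one of the simplest useful detections over constructed flow records: a source that reaches many distinct internal hosts on administration ports (SMB, RPC, RDP, WinRM, SSH) inside a short window. The log format, addresses and thresholds are assumptions for the example; the same logic ports to whatever your firewall or NetFlow export looks like.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports whose internal use usually means remote administration: SMB, RPC, RDP, WinRM, SSH.
ADMIN_PORTS = {445, 135, 3389, 5985, 5986, 22}

# Constructed flow records (timestamp, source, destination, destination port), in the
# shape a firewall or NetFlow export might produce. Addresses are placeholders.
SAMPLE_FLOWS = """\
2021-05-10T09:00:01 10.1.20.15 10.1.20.1 53
2021-05-10T09:12:10 10.1.20.15 10.1.50.10 445
2021-05-10T09:12:11 10.1.20.15 10.1.50.11 445
2021-05-10T09:12:13 10.1.20.15 10.1.50.12 3389
2021-05-10T09:12:15 10.1.20.15 10.1.50.13 445
2021-05-10T09:12:19 10.1.20.15 10.1.50.14 5985
2021-05-10T09:12:22 10.1.20.15 10.1.50.15 445
2021-05-10T09:01:00 10.1.20.16 10.1.50.10 445
2021-05-10T09:30:00 10.1.20.16 10.1.50.20 443
2021-05-10T09:45:00 10.1.20.16 10.1.50.10 445
2021-05-10T08:00:00 10.1.5.5 10.1.50.10 445
2021-05-10T08:20:00 10.1.5.5 10.1.50.11 445
2021-05-10T08:40:00 10.1.5.5 10.1.50.12 445
2021-05-10T09:00:00 10.1.5.5 10.1.50.13 445
2021-05-10T09:20:00 10.1.5.5 10.1.50.14 445
2021-05-10T09:40:00 10.1.5.5 10.1.50.15 445
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_fanout(flows, window=timedelta(minutes=5), threshold=5, ports=ADMIN_PORTS):
    """Flag sources that reach `threshold` or more distinct hosts on admin ports within
    any interval of length `window`. Returns {source: (distinct_hosts, window_start)}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ports:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best, best_start = 0, None
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:  # sliding window anchored at event i
                if ts - start > window:
                    break
                seen.add(dst)
            if len(seen) > best:
                best, best_start = len(seen), start
        if best >= threshold:
            alerts[src] = (best, best_start)
    return alerts


if __name__ == "__main__":
    for src, (n, start) in find_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {n} distinct admin-port destinations from {start.isoformat()}")
```

In the sample data, 10.1.20.15 touches six servers on admin ports in twelve seconds and gets flagged; 10.1.5.5 touches the same six hosts, but spread over nearly two hours, which is what a patch or monitoring job looks like and is correctly left alone. Expect to maintain an allow-list of vulnerability scanners and management hosts once you run this on real traffic, and tune the window and threshold to your own baseline.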

Ransomware in 2021: Software Meets Its Match

Ransomware has evolved far beyond what traditional computer security software was designed to handle. Groups like DarkSide, REvil, and Conti now run double-extortion campaigns — they encrypt your data and exfiltrate it, threatening public release if you don't pay.

The FBI's Internet Crime Complaint Center (IC3) reported over $29.1 million in adjusted losses from ransomware in 2020, and 2021 is already on pace to shatter that number. The Colonial Pipeline attack alone exceeded the entire previous year's reported total.

Your EDR might catch known ransomware variants. It might not catch a new one. Your backups are critical, but only if they're offline and tested. And the initial access? In most cases, it starts with a phishing email or a compromised credential. Which brings us right back to training.

The Real ROI: Software + Training Together

I'm not anti-software. I recommend and deploy security tools every week. But I've watched too many organizations pour their entire budget into products and leave nothing for the people side.

The organizations that get breached the least do both. They run modern endpoint protection, enforce MFA everywhere, segment their networks, and — just as importantly — they train their people continuously. They run phishing simulations monthly. They build a culture where reporting a suspicious email is rewarded, not ignored.

If you're building or rebuilding your security program, start with the fundamentals. Get your team through comprehensive cybersecurity awareness training so they understand the threats they face every day. Then layer in the right tools to support them.

Software protects systems. Training protects the humans who use them. You need both, and in 2021, the threat landscape won't forgive you for choosing only one.