The Colonial Pipeline Hack Changed the Conversation

On May 7, 2021, a single compromised password shut down the largest fuel pipeline in the United States. Colonial Pipeline paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware group. Gas stations across the Southeast ran dry. Panic buying erupted. And the root cause? A legacy VPN account without multi-factor authentication.

That's the state of computer security right now. The threats aren't theoretical. They're shutting down critical infrastructure, draining bank accounts, and crippling hospitals mid-pandemic. If you're reading this because you want to know what actually works to protect your organization — or yourself — you're in the right place.

I've spent years watching organizations pour money into firewalls and endpoint tools while ignoring the fundamentals. This post covers what the data says actually matters, what the most dangerous threats look like in 2021, and the specific steps that stop real attacks.

Computer Security Isn't a Product — It's a Practice

Here's something the security industry doesn't love to admit: you can't buy your way to safety. The 2021 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element. That means someone clicked a phishing link, reused a password, or misconfigured a server. No product catches all of that.

Effective computer security is a combination of technology, training, and process. You need tools, yes. But you also need people who know how to spot a social engineering attack. You need processes that assume breach and limit blast radius. That's the core of a zero trust approach — and it's not optional anymore.

The Human Element Isn't a Weakness — It's an Attack Surface

I've seen organizations with seven-figure security budgets get compromised because an executive fell for a spear-phishing email. Threat actors don't care about your firewall if they can trick your CFO into wiring $200,000 to a spoofed vendor account.

The FBI's Internet Crime Complaint Center (IC3) reported that Business Email Compromise (BEC) accounted for over $1.8 billion in losses in 2020 alone — dwarfing every other category of cybercrime. That number is based on reported losses. The real figure is almost certainly higher.

Training your people isn't a checkbox exercise. It's a security control. A good cybersecurity awareness training program turns your employees from targets into sensors. They become your early warning system.

The Four Threats Dominating 2021

Every year, the threat landscape shifts. Here's what's actually hitting organizations hardest right now, based on incident data from the first half of 2021.

1. Ransomware Is an Epidemic

Colonial Pipeline wasn't an outlier. The Irish Health Service Executive was hit by the Conti ransomware group on May 14, 2021, forcing hospitals to cancel appointments and revert to paper records. JBS, the world's largest meat processor, was hit at the end of the same month. Ransomware gangs are operating like businesses, with customer service portals, affiliate programs (ransomware-as-a-service), and negotiation teams.

The entry points are almost always the same: phishing emails, exposed Remote Desktop Protocol (RDP) ports, and unpatched VPN appliances. If you have any of those three, you are a target.

2. Phishing and Credential Theft

Phishing remains the number one initial access vector; the Verizon DBIR has confirmed this year after year. In 2021 the lures have become harder to spot: adversary-in-the-middle kits proxy the real Microsoft 365 login page so that the victim's session cookie is stolen along with the password (which sidesteps SMS and push-based MFA), consent phishing tricks users into granting a malicious OAuth application persistent mailbox access without ever asking for a password, and malicious content is hosted on legitimate cloud services whose domains your filters already trust.

Credential theft is especially dangerous because it's quiet. A threat actor with valid credentials doesn't trigger the alarms that malware does. They log in like a normal user, move laterally, and exfiltrate data before anyone notices.
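Because a valid-credential intrusion produces no malware alert, the signal has to come from the sign-in logs themselves. The script below is an added example written for this post (not code from the post's author or from any product it mentions); it runs two detections over a constructed set of sign-in records, flagging "impossible travel" between successful sign-ins and a success that follows a burst of failures from the same source. The log format and the thresholds are assumptions; adapt them to whatever your identity provider actually emits.

```python
"""Detect quiet credential misuse in sign-in logs.

Two patterns that an attacker logging in with stolen credentials leaves
behind even though no malware is involved:
  1. impossible_travel: two successful sign-ins for one account from
     different countries closer together than a flight would allow.
  2. success_after_failures: a success from a source IP that had just
     produced several failures for the same account (a spray or stuffing
     attempt that finally landed).

The log lines below are constructed for this example. The record layout
(ISO timestamp, user, source IP, country, result) is an assumption, not a
real product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-06-14T08:02:11Z alice 203.0.113.10 US success
2021-06-14T08:40:05Z alice 203.0.113.10 US success
2021-06-14T09:15:44Z alice 198.51.100.77 RU success
2021-06-14T07:58:01Z bob 192.0.2.50 US failure
2021-06-14T07:58:09Z bob 192.0.2.50 US failure
2021-06-14T07:58:20Z bob 192.0.2.50 US failure
2021-06-14T07:58:31Z bob 192.0.2.50 US failure
2021-06-14T07:58:45Z bob 192.0.2.50 US success
2021-06-14T10:00:00Z carol 203.0.113.99 US success
2021-06-14T18:30:00Z carol 203.0.113.99 US success
"""

# Tunable thresholds (assumptions chosen for the sample data).
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)
FAILURE_BURST = 3                 # failures that must precede a success
FAILURE_WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Turn raw lines into dicts sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return a list of (user, rule, detail) alerts."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        last_success = None
        recent_failures = []          # failures seen since the last success
        for e in evs:
            if e["result"] != "success":
                recent_failures.append(e)
                continue
            # Rule 1: country change between consecutive successes, too fast.
            if (last_success and last_success["country"] != e["country"]
                    and e["ts"] - last_success["ts"] < IMPOSSIBLE_TRAVEL_WINDOW):
                alerts.append((user, "impossible_travel",
                               f"{last_success['country']}->{e['country']} in "
                               f"{e['ts'] - last_success['ts']}"))
            # Rule 2: a success right after a burst of failures from the same IP.
            burst = [f for f in recent_failures
                     if f["ip"] == e["ip"] and e["ts"] - f["ts"] <= FAILURE_WINDOW]
            if len(burst) >= FAILURE_BURST:
                alerts.append((user, "success_after_failures",
                               f"{len(burst)} failures from {e['ip']} then success"))
            last_success = e
            recent_failures = []
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect(parse(SAMPLE_LOG)):
        print(f"ALERT {rule:24} {user:8} {detail}")
```

On the sample data this raises exactly two alerts: alice's US-to-RU hop 35 minutes apart, and bob's success after four failures from one address. Neither event would look abnormal to an endpoint agent; both are visible only because the sign-in stream is being watched.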

Running regular phishing simulations for your organization is one of the most effective ways to measure and reduce this risk. You can't improve what you don't measure.

3. Supply Chain Attacks

The SolarWinds breach, disclosed in December 2020, delivered a backdoored Orion update to as many as 18,000 SolarWinds customers, including multiple U.S. government agencies. Only a small fraction of those were then selected for hands-on follow-up intrusion, but every one of them had installed the backdoor themselves, as a signed, legitimate-looking software update.

This wasn't a failure of perimeter security. It was a failure of trust. And it's why the zero trust model has moved from buzzword to executive priority. You can't implicitly trust any software, any user, or any network segment.

4. Exploitation of Remote Work Infrastructure

The mass shift to remote work in 2020 created a massive expansion of the attack surface. VPN concentrators, cloud collaboration tools, and personal devices became critical infrastructure overnight. Many organizations rushed to enable remote access without adequate security controls.

In 2021, we're seeing the consequences. The Microsoft Exchange Server vulnerabilities disclosed in March 2021 (the ProxyLogon chain, exploited first by the Hafnium group and within days by many others) affected tens of thousands of on-premises Exchange servers. CISA issued Emergency Directive 21-02 ordering federal agencies to patch or disconnect immediately. Many private-sector organizations didn't patch for weeks, and a server that had already been web-shelled stayed compromised even after the patch landed, because patching closes the door but does not evict whoever already walked through it.

What Does Good Computer Security Look Like in Practice?

Enough about what's going wrong. Here's what I recommend to every organization I work with — whether you have 10 employees or 10,000.

Enable Multi-Factor Authentication Everywhere

If you do one thing after reading this post, enable MFA on every account that supports it. Email. VPN. Cloud services. Admin consoles. All of them.

The Colonial Pipeline breach exploited a VPN account that lacked MFA. Microsoft has stated that MFA blocks 99.9% of automated account compromise attacks. It's the single highest-ROI security control available. One caveat: SMS codes and push prompts can be phished by a proxy that relays the real login page and captures the resulting session, so for admin and remote-access accounts prefer phishing-resistant methods (FIDO2 security keys or platform authenticators) wherever the service supports them.

Patch Fast, Patch Relentlessly

The Hafnium Exchange attacks exploited vulnerabilities that had patches available. Many victims simply didn't apply them quickly enough. Your patching cadence should be measured in days for critical vulnerabilities, not weeks or months.

Subscribe to CISA's Known Exploited Vulnerabilities catalog and treat every entry as a fire drill. If a vulnerability is being actively exploited in the wild, you don't have the luxury of waiting for your next maintenance window.
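Treating the catalog as a fire drill is easier when a script does the first pass. The example below is added here for illustration and is not the post author's tooling; it loads a catalog shaped like CISA's KEV JSON feed (field names cveID, vendorProject, product, dateAdded, dueDate, requiredAction), matches entries against a constructed software inventory, and ranks what's left by how far past its due date it is. The CVE identifiers are the real Exchange and Pulse Connect Secure entries mentioned in this post, but the dates, hosts and inventory are constructed for the example. The catalog carries no affected-version ranges, so a match means "verify this host now," not "this host is vulnerable."

```python
"""Rank hosts against a KEV-style catalog by overdue days.

The catalog snippet is constructed to mirror the field names of CISA's
Known Exploited Vulnerabilities JSON feed; the dates here are invented
for the example. The inventory is likewise constructed.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft",
         "product": "Exchange Server", "dateAdded": "2021-06-01",
         "dueDate": "2021-06-10",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-27065", "vendorProject": "Microsoft",
         "product": "Exchange Server", "dateAdded": "2021-06-01",
         "dueDate": "2021-06-18",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-22893", "vendorProject": "Pulse Secure",
         "product": "Pulse Connect Secure", "dateAdded": "2021-06-01",
         "dueDate": "2021-06-05",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
})

# Constructed inventory. "remediated" lists CVEs already confirmed fixed on the host.
INVENTORY = [
    {"host": "mail01", "vendor": "Microsoft", "product": "Exchange Server 2016",
     "remediated": []},
    {"host": "vpn01", "vendor": "Pulse Secure", "product": "Pulse Connect Secure 9.1",
     "remediated": ["CVE-2021-22893"]},
    {"host": "web01", "vendor": "Apache", "product": "HTTP Server 2.4",
     "remediated": []},
]


def triage(kev_json, inventory, today):
    """Return KEV entries that match inventory and are not yet remediated,
    most overdue first. Matching is by vendor and product substring only,
    because the catalog does not carry version ranges."""
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for host in inventory:
        for v in entries:
            if v["vendorProject"].lower() != host["vendor"].lower():
                continue
            if v["product"].lower() not in host["product"].lower():
                continue
            if v["cveID"] in host["remediated"]:
                continue
            due = date.fromisoformat(v["dueDate"])
            findings.append({
                "host": host["host"],
                "cve": v["cveID"],
                "due": due,
                "overdue_days": max(0, (today - due).days),
                "action": v["requiredAction"],
            })
    findings.sort(key=lambda f: (-f["overdue_days"], f["due"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2021, 6, 20)):
        flag = f"{f['overdue_days']}d OVERDUE" if f["overdue_days"] else "due " + str(f["due"])
        print(f"{f['host']:8} {f['cve']:16} {flag:14} {f['action']}")
```

Run against the sample on June 20, mail01 shows two Exchange entries (10 and 2 days overdue), vpn01 is clean because its one matching CVE is recorded as remediated, and web01 matches nothing. In practice, point the loader at the live feed and the inventory at your CMDB export, and keep the "remediated" field honest: it should be populated by a verification step, not by the ticket being closed.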

Train Your People — Then Test Them

Security awareness training is not a once-a-year compliance video. It's an ongoing program that changes behavior. The best programs combine short, frequent training modules with realistic phishing simulations.

Here's what actually changes behavior in my experience:

  • Monthly micro-training: 5-10 minute modules on specific topics — spotting BEC, verifying wire transfer requests, recognizing credential harvesting pages.
  • Regular phishing simulations: Not to punish people, but to give them practice. Simulated attacks train the reflex to pause and verify before clicking.
  • Immediate feedback: When someone clicks a simulated phish, show them exactly what they missed — right then, not three weeks later in a report.

If you're looking for a place to start, our cybersecurity awareness training course covers exactly these fundamentals. For organizations that need targeted anti-phishing exercises, our phishing awareness training platform provides the simulation and measurement tools you need.

Implement the Principle of Least Privilege

Every user account should have exactly the permissions it needs to do its job — and nothing more. Every service account, every API key, every admin credential. Audit them regularly.

When a threat actor compromises a low-privilege user account, the blast radius is limited. When they compromise a domain admin account, it's game over. The difference is access control.
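The MFA audit and the privilege audit above are the same exercise run over the same data, so one script serves both (and the Week 1 and Week 3 items of the checklist later in this post). It is an added example, not code from this post's author or from any directory product; it reads a constructed account export and reports accounts without MFA, ranked by whether they hold admin rights or remote access, plus privileged accounts that are stale or belong to service identities. The column names and the 90-day staleness threshold are assumptions; map them from whatever your IdP or directory actually exports.

```python
"""Audit MFA coverage and privilege on an account export.

Each row of the constructed export is one account: type (user/service),
whether MFA is enrolled, group memberships, whether it can reach remote
access (VPN or RDP gateway), and last sign-in date. Column names and the
sample data are assumptions made for this example.
"""
import csv
import io
from datetime import datetime, timedelta

SAMPLE_EXPORT = """\
account,type,mfa_enabled,groups,remote_access,last_signin
alice,user,true,Staff,true,2021-06-10
bob,user,false,Staff;Finance,true,2021-06-12
vpn-legacy,user,false,Staff,true,2020-11-03
svc-backup,service,false,Domain Admins;Backup Operators,false,2021-06-13
itadmin,user,true,Domain Admins,true,2021-06-14
old-admin,user,false,Domain Admins,false,2020-08-21
"""

# Groups that count as privileged (extend for your environment).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrators"}
STALE_AFTER = timedelta(days=90)


def load(text):
    """Parse the CSV export into typed rows."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["mfa_enabled"] = r["mfa_enabled"].lower() == "true"
        r["remote_access"] = r["remote_access"].lower() == "true"
        r["groups"] = set(r["groups"].split(";")) if r["groups"] else set()
        r["last_signin"] = datetime.strptime(r["last_signin"], "%Y-%m-%d")
    return rows


def audit(rows, today):
    """Return (severity, account, finding) tuples, most severe first."""
    findings = []
    for r in rows:
        privileged = bool(r["groups"] & PRIVILEGED_GROUPS)
        stale = today - r["last_signin"] > STALE_AFTER

        # MFA gap: critical when the account is an admin or reaches remote access.
        if not r["mfa_enabled"]:
            sev = "critical" if (privileged or r["remote_access"]) else "high"
            findings.append((sev, r["account"], "no_mfa"))

        # Least privilege: unused admin rights and admin rights on service identities.
        if privileged and stale:
            findings.append(("high", r["account"], "stale_privileged"))
        if privileged and r["type"] == "service":
            findings.append(("high", r["account"], "service_account_in_admin_group"))

        # The Colonial Pipeline pattern: a remote-access account nobody uses anymore.
        if r["remote_access"] and stale:
            findings.append(("high", r["account"], "stale_remote_access"))

    order = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: (order[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for sev, account, finding in audit(load(SAMPLE_EXPORT), datetime(2021, 6, 15)):
        print(f"{sev.upper():9} {account:12} {finding}")
```

Against the sample, four accounts come out critical for missing MFA (two of them admins, two with remote access), the unused legacy VPN account is flagged separately so it can be disabled rather than just enrolled in MFA, and the backup service account surfaces as a Domain Admin member that should be scoped down to the rights the backup job actually needs.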

Back Up Everything — And Test Your Restores

Backups are your last line of defense against ransomware. But I've seen organizations discover their backups were corrupted, incomplete, or also encrypted by the ransomware because they were on the same network.

Follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy offline or air-gapped. Then actually test a restore. Do it quarterly. Do it under time pressure. Your backup strategy is only real if you've proven it works.

What Is Computer Security? A Quick-Reference Definition

Computer security — also called cybersecurity or IT security — is the practice of protecting computer systems, networks, and data from unauthorized access, theft, damage, and disruption. It encompasses technical controls (firewalls, encryption, access management), human controls (security awareness training, acceptable use policies), and procedural controls (incident response plans, patch management processes). Effective computer security requires all three working together.

The $3.86 Million Lesson Most Organizations Learn Too Late

IBM's 2020 Cost of a Data Breach Report put the global average cost of a data breach at $3.86 million. For the United States, it was $8.64 million. Healthcare breaches averaged $7.13 million. And those costs are trending upward.

But here's the finding that should keep you up at night: in the same report, organizations with an incident response team that had tested its plan (through tabletop exercises or simulations) averaged about $2 million less per breach than organizations with neither an IR team nor a tested plan, and employee security training was among the factors that measurably lowered the cost. That's not a marginal improvement. That's a fundamental shift in risk posture.

The organizations that suffer the worst outcomes aren't the ones that face the most sophisticated attacks. They're the ones that skipped the basics. No MFA. No patching cadence. No training. No tested backups. No incident response plan.

Your Next 30 Days: A Practical Computer Security Checklist

I don't believe in vague recommendations. Here's exactly what I'd do if I walked into your organization tomorrow:

  • Week 1: Audit MFA coverage. Identify every account — especially admin and remote access accounts — that lacks MFA. Enable it.
  • Week 1: Review your patching status against CISA's Known Exploited Vulnerabilities catalog. Prioritize anything on that list.
  • Week 2: Launch a baseline phishing simulation. Don't announce it. Measure your click rate. That's your starting point.
  • Week 2: Verify your backup integrity. Restore a critical system from backup in a test environment. Time it.
  • Week 3: Enroll your team in structured security awareness training. Start with the highest-risk groups: finance, HR, executives, and IT admins.
  • Week 3: Review privileged access. Identify accounts with excessive permissions and scope them down.
  • Week 4: Document (or update) your incident response plan. Run a tabletop exercise. Ask: "If ransomware hit our domain controller right now, what would we do in the first 60 minutes?"

None of these steps require a massive budget. They require attention, discipline, and follow-through. That's what separates organizations that survive breaches from those that don't.

The Threat Isn't Slowing Down

We're only halfway through 2021, and we've already seen infrastructure shutdowns, hospital disruptions, and supply chain compromises at unprecedented scale. The FBI IC3's 2020 annual report documented $4.2 billion in reported cybercrime losses — a record. 2021 is on pace to exceed it.

Computer security is no longer an IT department problem. It's a business survival problem. The organizations that treat it that way — that invest in training, enforce fundamentals, and build a culture of security awareness — are the ones that will still be operating when the next Colonial Pipeline-scale incident hits.

Start with the basics. Start today. Your network, your data, and your customers are counting on it.