The Breach That Changed How I Think About Cyber Security
In February 2024, Change Healthcare suffered a ransomware attack that disrupted insurance claims processing for nearly every hospital and pharmacy in the United States. UnitedHealth Group later confirmed the breach affected approximately 100 million individuals — making it the largest healthcare data breach in U.S. history. The entry point? Stolen credentials on a system that lacked multi-factor authentication.
That single incident crystallized something I've been telling organizations for years: cyber security isn't about buying the most expensive tools. It's about getting the fundamentals right, consistently, across every layer of your organization.
This post breaks down what actually works right now — based on real breach data, federal guidance, and what I've seen succeed in organizations of every size.
Why Most Cyber Security Strategies Fail Before They Start
Here's the uncomfortable truth. Most organizations don't get breached because they lack sophisticated defenses. They get breached because they ignore the basics. The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, errors, or misuse of credentials. That number has barely moved in five years.
I've audited environments where companies spent six figures on endpoint detection but never ran a single phishing simulation. I've seen security teams deploy zero trust architecture on paper while leaving legacy VPN access wide open. The gap between strategy documents and operational reality is where threat actors live.
If your cyber security program doesn't start with people and processes, your technology investments are decorating an unlocked building.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million — a 10% increase over the prior year and the highest figure ever recorded. But the report also revealed something more actionable: organizations with security awareness training and incident response planning cut their breach costs by hundreds of thousands of dollars.
That's not a marginal improvement. That's the difference between a survivable incident and a company-ending one for a mid-size business.
The math is clear. Investing in cybersecurity awareness training for your workforce delivers measurable ROI. Not eventually. Immediately.
What a Real-World Attack Chain Looks Like
Let me walk you through how most breaches actually unfold in 2026. It's not the Hollywood version.
- Step 1 — Reconnaissance: A threat actor scrapes LinkedIn for employee names, titles, and email formats at your company. Takes about 20 minutes.
- Step 2 — Phishing: They craft a targeted email impersonating your HR platform or IT helpdesk. One employee clicks. One set of credentials gets harvested.
- Step 3 — Credential Theft: The attacker uses those stolen credentials to log into your VPN or cloud email. No MFA means no friction.
- Step 4 — Lateral Movement: They quietly move through your network, escalating privileges, exfiltrating data, and staging ransomware payloads.
- Step 5 — Detonation: Ransomware encrypts your critical systems. You get a note demanding cryptocurrency. Your backups — if they exist — may or may not be intact.
Every single step in that chain is preventable. But only if your cyber security program addresses each layer.
What Is Cyber Security That Actually Works?
Cyber security is the practice of protecting systems, networks, and data from digital attacks. But that textbook definition misses the point. Effective cyber security in 2026 means building a culture where every employee, every system, and every process is designed to resist, detect, and recover from compromise.
It's not one product. It's not one policy. It's an operating discipline. And it rests on three pillars that I've seen work in practice, not just in frameworks.
Pillar 1: People Are Your Perimeter
Your employees are the most targeted attack surface in your organization. Every piece of data from CISA, the FBI, and the Verizon DBIR confirms this. Social engineering remains the dominant initial attack vector because it works — and it's cheap for attackers.
Running regular phishing awareness training and simulations isn't optional anymore. It's table stakes. Organizations that simulate phishing attacks monthly see click rates drop from over 30% to under 5% within a year. That reduction translates directly into fewer incidents.
Train your people the way threat actors target them: with realistic, evolving scenarios that mirror current campaigns.
Pillar 2: Zero Trust Isn't a Product — It's a Mindset
Zero trust architecture means never implicitly trusting any user, device, or connection — even inside your network. NIST Special Publication 800-207 lays out the framework, and it's become the baseline expectation for federal agencies and increasingly for the private sector. You can review the full NIST Zero Trust Architecture guidelines to understand the model.
In practice, zero trust means:
- Enforcing multi-factor authentication everywhere, no exceptions.
- Segmenting your network so a compromised workstation can't reach your database servers.
- Implementing least-privilege access — users get only what they need, nothing more.
- Continuously verifying device health before granting access.
The Change Healthcare breach happened because one system lacked MFA. One. That's what zero trust prevents.
Pillar 3: Assume Breach, Plan Recovery
No defense is perfect. The organizations that survive major incidents are the ones that planned for failure. That means tested incident response plans, immutable backups stored offline, and tabletop exercises at least twice a year.
I've worked with companies that recovered from ransomware in 48 hours because they rehearsed their response. I've seen others spend months rebuilding because their backup strategy existed only as a checkbox on an audit form.
The Threat Landscape You're Facing Right Now
The FBI's Internet Crime Complaint Center (IC3) reported over $12.5 billion in cybercrime losses in its 2023 annual report. Business email compromise alone accounted for roughly $2.9 billion. Ransomware complaints surged. And those numbers represent only reported incidents — the real figures are significantly higher.
In 2026, the threats have only intensified. AI-generated phishing emails are nearly indistinguishable from legitimate communications. Deepfake voice and video attacks are targeting finance departments for wire fraud. Supply chain compromises continue to cascade through vendor relationships.
Your cyber security posture needs to account for adversaries who are faster, more creative, and better resourced than ever before.
Five Steps You Can Take This Week
You don't need a massive budget to make meaningful progress. Here's what I recommend to every organization I advise:
- Enable MFA on everything. Email, VPN, cloud apps, admin consoles. If a system doesn't support MFA, build a plan to replace it.
- Run a phishing simulation. Baseline your organization's susceptibility. You can't improve what you don't measure. Start with structured phishing simulation exercises.
- Audit your access controls. Who has admin rights? Who left the company six months ago but still has active credentials? Clean it up.
- Test your backups. Not just that they exist — that you can actually restore from them. Time the process. If it takes a week, that's a week of downtime.
- Invest in security awareness. Build a continuous training program, not an annual compliance checkbox. Platforms like computersecurity.us provide the structured curriculum your team needs.
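As an added example (not part of the original post, and not any vendor's tooling), here is one way to run the MFA and access-control checks from the list above in Python. The CSV column names, the sample accounts, and the 90-day staleness threshold are assumptions; substitute your identity provider's account export and your HR roster.

```python
import csv
import io
from datetime import date

# Constructed sample data: column names and values are assumptions for this example.
ACCOUNTS_CSV = """username,system,mfa_enabled,is_admin,enabled,last_login
alice,vpn,true,false,true,2026-01-10
bob,vpn,false,false,true,2026-01-12
carol,email,true,true,true,2026-01-11
dave,vpn,true,false,true,2025-06-30
erin,admin-console,false,true,true,2026-01-09
frank,email,true,false,false,2025-03-01
"""

HR_ROSTER_CSV = """username,status,end_date
alice,active,
bob,active,
carol,active,
dave,terminated,2025-07-15
erin,active,
frank,terminated,2025-03-05
"""

def audit_accounts(accounts_csv, roster_csv, today, stale_days=90):
    """Return a sorted list of (username, system, finding) tuples."""
    roster = {r["username"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"] != "true":
            continue  # disabled accounts cannot be used to log in
        user, system = acct["username"], acct["system"]
        person = roster.get(user)
        if person is None:
            findings.append((user, system, "no HR record (orphaned account)"))
        elif person["status"] != "active":
            findings.append((user, system, f"left {person['end_date']}, still enabled"))
        if acct["mfa_enabled"] != "true":
            sev = "admin without MFA" if acct["is_admin"] == "true" else "no MFA"
            findings.append((user, system, sev))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings.append((user, system, f"no login for {idle} days"))
    return sorted(findings)

if __name__ == "__main__":
    for user, system, finding in audit_accounts(ACCOUNTS_CSV, HR_ROSTER_CSV, date(2026, 1, 15)):
        print(f"{user:6} {system:14} {finding}")
```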
Cyber Security Is a Business Decision, Not Just an IT Problem
The FTC has increasingly held organizations accountable for inadequate data security practices. Their enforcement actions against companies like Drizly, CafePress, and Chegg demonstrate that regulators view cyber security as a leadership responsibility, not a technical afterthought. You can review FTC data security enforcement actions to see the pattern.
Boards and executives who delegate cyber security entirely to IT are making a strategic mistake. When a data breach hits, it's the CEO answering questions from regulators, customers, and the press — not the CISO.
Your cyber security program needs executive sponsorship, adequate funding, and regular board-level reporting. Treat it like any other business risk, because that's exactly what it is.
Where to Start If You're Behind
If you're reading this and realizing your organization has gaps, you're not alone. Most do. The key is to start now, start with the basics, and build systematically.
Begin with your people. Launch a cybersecurity awareness training program that covers social engineering, credential theft, ransomware prevention, and safe browsing habits. Then layer in technical controls: MFA, network segmentation, endpoint detection, and encrypted backups.
Cyber security isn't a destination. It's a continuous process of reducing risk, building resilience, and staying one step ahead of the threat actors who never stop adapting. The organizations that treat it that way are the ones still standing after the next headline-making breach.