In March 2022, Okta confirmed that the Lapsus$ threat actor group had breached a third-party support contractor, potentially affecting hundreds of enterprise customers. A few weeks later, the same group hit Microsoft, Nvidia, and Samsung. These weren't obscure targets — they were companies with massive cyber security budgets, sophisticated defenses, and dedicated security teams.
If organizations spending tens of millions on security still get compromised, what does that tell you about the state of cyber security right now? It tells you that the game has changed — and most defensive playbooks haven't kept up.
This post breaks down what's actually failing in 2022, why traditional approaches keep falling short, and what specific steps you can take today to close the gaps that threat actors are actively exploiting.
The $4.88M Reality Check for Cyber Security
IBM's 2022 Cost of a Data Breach Report pegged the global average cost of a breach at $4.35 million — an all-time high. In the United States, that number jumped to $9.44 million. Healthcare topped the charts for the twelfth consecutive year at $10.10 million per incident.
These aren't theoretical numbers. They include incident response, legal fees, regulatory fines, lost business, and reputation damage. For a mid-size company, a single breach can be an extinction-level event.
Here's what actually drives these costs up: dwell time. The same IBM report found that organizations took an average of 277 days to identify and contain a breach. That's nine months of a threat actor living inside your network, exfiltrating data, escalating privileges, and setting up persistence.
The companies that cut that dwell time — through better detection, stronger security awareness, and incident response planning — saved an average of $1.12 million per breach. Speed matters more than almost anything else.
Why Phishing Still Owns the Attack Chain
The 2022 Verizon Data Breach Investigations Report analyzed over 23,000 security incidents and confirmed what I've seen in the field for years: the human element was involved in 82% of breaches. Phishing, stolen credentials, and social engineering remain the front door for most attacks.
Phishing isn't just bulk spam anymore. In 2022, business email compromise (BEC) attacks are surgically targeted. Threat actors research your org chart on LinkedIn, spoof your CFO's email address, and send a convincing wire transfer request to accounts payable at 4:47 PM on a Friday. It works more often than anyone wants to admit.
Credential Theft: The Gift That Keeps Giving
Credential theft feeds everything. A single compromised password gets a threat actor past the perimeter. From there, it's lateral movement, privilege escalation, and eventually ransomware deployment or data exfiltration.
The FBI's 2021 IC3 Annual Report (the most recent as of this writing) documented $6.9 billion in reported cybercrime losses. BEC and email account compromise alone accounted for $2.4 billion — dwarfing every other category including ransomware.
Most of those attacks started with a phishing email that harvested credentials. Your employees are the target, and their training — or lack of it — determines whether your organization becomes a statistic.
What Is Cyber Security Actually Supposed to Do?
Cyber security is the practice of protecting systems, networks, and data from digital attacks that aim to access, change, or destroy sensitive information, extort money, or disrupt operations. But here's the part most definitions leave out: effective cyber security isn't primarily a technology problem. It's an operational discipline that combines people, processes, and technology.
You can deploy the most advanced endpoint detection and response platform on the market. If your help desk resets passwords without proper identity verification — which is exactly how the Lapsus$ group breached multiple targets — none of that technology matters.
The Three Failures I See in Every Breach
I've reviewed post-incident reports from dozens of organizations over the years. Three patterns show up in nearly every single one.
Failure 1: Security Awareness Is a Checkbox, Not a Culture
Most organizations run annual security awareness training to satisfy compliance requirements. One session per year. A 20-minute video. A quiz that everyone passes on the second try. Then they wonder why employees still click phishing links.
Effective training is continuous, scenario-based, and tied to real threats your organization actually faces. It includes regular phishing simulation exercises that test how employees respond under realistic conditions — not just whether they can identify an obviously fake Nigerian prince email.
The 2022 Verizon DBIR found that human error and social engineering remained dominant attack vectors. Training isn't a nice-to-have. It's your first line of defense, and it needs to be treated with the same rigor as your firewall rules.
Failure 2: Multi-Factor Authentication Isn't Everywhere
Multi-factor authentication (MFA) stops the vast majority of credential-based attacks. Microsoft has stated that MFA blocks 99.9% of automated account compromise attempts. And yet, in 2022, I still encounter organizations where MFA is only enabled for VPN access and nothing else.
Email? No MFA. Cloud storage? No MFA. Admin consoles? Sometimes no MFA. This is how Lapsus$ and groups like them walk straight into critical systems. They buy stolen credentials from initial access brokers, try them against services without MFA, and they're in.
If you do one thing after reading this post, audit every system that touches sensitive data and enforce MFA on all of them. No exceptions for executives. No exceptions for legacy systems — if a system can't support MFA, that system needs a compensating control or a migration plan.
Failure 3: No Zero Trust Architecture
The traditional network security model — hard exterior, soft interior — is dead. Once a threat actor gets past the perimeter (usually via phishing or credential theft), they move laterally with almost no resistance.
Zero trust flips this model. Every access request is verified regardless of where it originates. Every user, device, and connection is treated as potentially compromised until proven otherwise. CISA's Zero Trust Maturity Model provides a practical framework for implementing this approach incrementally.
You don't need to overhaul your entire infrastructure overnight. Start with identity: verify every user, enforce least-privilege access, and segment your network so a single compromised account can't reach everything.
Ransomware in 2022: Faster, Greedier, More Destructive
Ransomware gangs in 2022 have industrialized. Groups like Conti, LockBit, and BlackCat operate ransomware-as-a-service platforms. They recruit affiliates, offer customer support portals, and run double extortion schemes — encrypting your data and threatening to leak it if you don't pay.
The Conti group alone caused massive disruption this year. In April and May, they hit the government of Costa Rica so hard that the country declared a national emergency. This wasn't a theoretical exercise — it was a sovereign nation brought to its knees by a ransomware gang.
For your organization, the defense against ransomware isn't just backups (though tested, offline backups are essential). It's the entire kill chain: preventing the initial phishing email, detecting credential theft early, blocking lateral movement through network segmentation, and having an incident response plan that's been rehearsed, not just written.
Five Practical Steps to Strengthen Your Cyber Security Today
I'm not going to give you a 47-point framework. Here are five things that actually move the needle, ranked by impact.
1. Run Continuous Security Awareness Training
Annual training is insufficient. Your employees need ongoing education that covers current threats — not last year's attack patterns. The best programs combine short, frequent modules with realistic phishing simulations that provide immediate feedback when someone takes the bait.
If you're looking for a place to start, our cybersecurity awareness training program covers the specific social engineering tactics threat actors are using right now.
2. Enforce MFA on Everything
Every cloud service, email platform, VPN, admin console, and remote access tool needs MFA. Use app-based authenticators or hardware keys — SMS-based MFA is better than nothing but vulnerable to SIM swapping attacks.
3. Implement Endpoint Detection and Response (EDR)
Traditional antivirus is not enough. EDR solutions monitor endpoint behavior in real time, detect anomalies, and can automatically isolate compromised devices. This is how you cut dwell time from months to hours.
4. Test Your Incident Response Plan
Having a plan in a binder on a shelf doesn't count. Run tabletop exercises quarterly. Simulate a ransomware attack. Walk through who calls whom, how you communicate with customers, when you engage law enforcement, and how you restore operations. Every gap you find in a tabletop is a gap you won't have during a real incident.
5. Adopt Zero Trust Principles
Start with identity and access management. Enforce least-privilege access. Segment your network. Assume breach and design your architecture so that a single compromised account doesn't give an attacker the keys to everything.
Small Businesses Are Not Too Small to Be Targeted
I hear this constantly: "We're too small for anyone to target." The data says otherwise. The 2022 Verizon DBIR found that 61% of small and medium businesses experienced at least one cyber attack in the prior year. Threat actors target small businesses specifically because they tend to have weaker defenses and less monitoring.
A ransomware attack that demands $50,000 from a 30-person company is just as profitable for a threat actor as a larger attack — and far less likely to attract law enforcement attention. Small businesses need the same fundamental cyber security practices as enterprises: MFA, security awareness training, tested backups, and an incident response plan.
The Regulatory Landscape Is Tightening
The FTC has been increasingly aggressive in holding companies accountable for poor cyber security practices. In 2022, the FTC updated the Safeguards Rule under the Gramm-Leach-Bliley Act, expanding the definition of financial institutions and imposing stricter data protection requirements. Companies that fail to implement reasonable security measures face enforcement actions, fines, and mandatory security program overhauls.
State-level privacy laws are proliferating as well. California's CCPA, Virginia's CDPA, and Colorado's Privacy Act all create obligations around data protection. Compliance isn't optional, and "we didn't know" isn't a defense.
Stop Reacting — Start Building Resilience
The organizations that survive breaches — and in 2022, many won't avoid them entirely — are the ones that built resilience before the incident. They trained their people. They tested their defenses. They planned for failure and rehearsed their response.
Cyber security isn't a product you buy. It's a discipline you practice. Every phishing simulation you run, every MFA deployment you complete, and every incident response tabletop you conduct makes your organization measurably harder to compromise.
The threat actors aren't slowing down. Neither should you.