The Breach That Changed How I Think About Cybersecurity
In February 2024, Change Healthcare suffered a ransomware attack that disrupted insurance claims processing for hospitals and pharmacies across the United States. UnitedHealth Group confirmed the breach affected approximately 100 million individuals — making it one of the largest healthcare data breaches in history. The initial access point? Stolen credentials on a system that lacked multi-factor authentication.
That single failure — one missing security control — cascaded into billions of dollars in damages and months of operational chaos. And here's the uncomfortable truth about cybersecurity in 2026: most organizations are still making the same fundamental mistakes.
I've spent years watching companies invest heavily in shiny tools while ignoring the basics. This post covers what actually works right now — not theory, not vendor hype, but the specific strategies that reduce your real-world risk.
Why Most Cybersecurity Strategies Fail Before They Start
The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, errors, or misuse of credentials. That number has hovered in this range for years. The pattern is clear.
Yet most organizations still allocate the bulk of their security budgets to perimeter tools and endpoint detection. Those matter. But if your employees can't recognize a phishing email, your firewall is irrelevant when someone hands over their credentials willingly.
Here's what I've seen repeatedly: companies buy a SIEM, deploy EDR across every endpoint, and then check the "cybersecurity" box on their board presentation. Six months later, a threat actor sends a convincing email to someone in accounts payable, gets a password, moves laterally because internal segmentation doesn't exist, and exfiltrates data for weeks before anyone notices.
The tools didn't fail. The strategy did.
What Is Cybersecurity? A Straight Answer
Cybersecurity is the practice of protecting systems, networks, and data from digital attacks, unauthorized access, and damage. It spans technology (firewalls, encryption, endpoint protection), processes (incident response plans, access controls, patching schedules), and people (security awareness training, phishing simulations, credential management).
Effective cybersecurity isn't one product or one policy. It's a layered approach where each control compensates for the weaknesses of others. If your technology fails, trained people catch the threat. If a person makes a mistake, your technology limits the blast radius.
The 6 Controls That Actually Reduce Breach Risk
After reviewing hundreds of breach post-mortems and working with organizations of all sizes, I keep coming back to the same core controls. None of them are exotic. All of them are underdeployed.
1. Multi-Factor Authentication Everywhere — No Exceptions
The Change Healthcare breach happened because MFA wasn't enabled on a Citrix remote access portal. That's not an edge case. According to CISA, MFA can prevent 99% of automated credential attacks.
Your organization needs MFA on every externally facing system, every email account, every VPN, and every administrative console. "We'll roll it out next quarter" is not acceptable when credential theft is the number one initial access vector.
2. Security Awareness Training That Goes Beyond Compliance
Annual compliance videos don't change behavior. I've seen organizations with 100% training completion rates still fall for basic phishing campaigns.
What works is continuous, scenario-based training that reflects real threats your employees actually face. Our cybersecurity awareness training program is built around this principle — short, relevant lessons based on actual attack patterns, not generic scare tactics.
Pair that with regular phishing simulations. When employees experience simulated attacks and get immediate feedback, click rates drop dramatically. Our phishing awareness training for organizations gives you the tools to run realistic campaigns and measure improvement over time.
3. Patch Management With a 72-Hour SLA for Critical Vulns
In my experience, most successful exploits target vulnerabilities that had patches available for weeks or months. The 2017 Equifax breach exploited an Apache Struts vulnerability that had been patched two months earlier. We're still seeing this pattern in 2026.
Set a hard policy: critical and high-severity vulnerabilities get patched within 72 hours. Everything else within 30 days. No exceptions without documented, risk-accepted sign-off from a CISO or equivalent.
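The 72-hour / 30-day policy above as a small tracker, added here as an example and not code from the original post: it derives each finding's deadline from severity and treats an overdue finding as compliant only when it carries a risk acceptance signed by an allowed role. The approver roles, the finding ids and the hostnames are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Policy from the post: critical/high due in 72 hours, everything else in 30 days.
SLA = {"critical": timedelta(hours=72), "high": timedelta(hours=72)}
DEFAULT_SLA = timedelta(days=30)
# Roles allowed to sign a risk acceptance (assumption: CISO or a named equivalent).
SIGNOFF_ROLES = {"CISO", "Deputy CISO"}

def due_date(finding):
    """Deadline derived from severity and when the scanner first saw the finding."""
    return finding["discovered"] + SLA.get(finding["severity"].lower(), DEFAULT_SLA)

def has_valid_exception(finding, now):
    """Risk acceptance counts only if signed by an allowed role and not yet expired."""
    exc = finding.get("risk_acceptance")
    return bool(exc) and exc["approver_role"] in SIGNOFF_ROLES and exc["expires"] > now

def classify(finding, now):
    """Return 'patched', 'on_track', 'accepted_risk' or 'sla_violation'."""
    if finding.get("patched"):
        return "patched"
    if now <= due_date(finding):
        return "on_track"
    return "accepted_risk" if has_valid_exception(finding, now) else "sla_violation"

def sla_report(findings, now):
    """Map finding id -> status; the 'sla_violation' entries are the escalation list."""
    return {f["id"]: classify(f, now) for f in findings}

# Constructed sample findings (ids and hostnames are placeholders, not real data).
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"id": "F-1", "host": "vpn-gw-01", "severity": "critical",
     "discovered": NOW - timedelta(hours=96), "patched": False},
    {"id": "F-2", "host": "web-03", "severity": "high",
     "discovered": NOW - timedelta(hours=20), "patched": False},
    {"id": "F-3", "host": "legacy-app", "severity": "critical",
     "discovered": NOW - timedelta(days=10), "patched": False,
     "risk_acceptance": {"approver_role": "CISO", "expires": NOW + timedelta(days=20)}},
    {"id": "F-4", "host": "print-srv", "severity": "medium",
     "discovered": NOW - timedelta(days=45), "patched": False,
     "risk_acceptance": {"approver_role": "Team Lead", "expires": NOW + timedelta(days=5)}},
]

if __name__ == "__main__":
    for fid, status in sla_report(SAMPLE_FINDINGS, NOW).items():
        print(fid, status)
```

F-4 shows the point of the sign-off rule: a team lead's acceptance on an overdue medium finding does not stop it from being reported as a violation.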
4. Network Segmentation and Zero Trust Architecture
Zero trust isn't a product you buy. It's an architecture principle: never trust, always verify. Every access request gets authenticated and authorized regardless of where it originates.
At minimum, segment your network so that a compromised workstation in marketing can't reach your database servers. Implement least-privilege access. Use micro-segmentation where possible. The goal is to make lateral movement painful for threat actors instead of trivial.
5. Tested Incident Response Plans
Having an incident response plan in a binder on a shelf doesn't count. I've watched organizations discover during an active breach that their plan references employees who left two years ago and phone numbers that don't work.
Run tabletop exercises quarterly. Simulate ransomware scenarios. Test your backup restoration process — actually restore from backup to a test environment and time it. Know your Recovery Time Objective and prove you can hit it.
6. Immutable, Offline Backups
Ransomware groups specifically target backup systems. They know that if they encrypt your backups along with your production data, you're far more likely to pay. Immutable backups — ones that cannot be altered or deleted after creation — stored offline or in air-gapped environments are your last line of defense.
Test them. I can't stress this enough. Backups that haven't been tested are just assumptions.
The $4.88 Million Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report put the global average cost of a data breach at $4.88 million. That's the highest figure ever recorded. For U.S.-based organizations, the average was significantly higher.
But here's the data point that matters most for your budget conversations: organizations with fully deployed security AI and automation saved an average of $2.22 million per breach compared to those without. Organizations that identified breaches in under 200 days saved substantially more than those that took longer.
Speed and preparation are everything. The organizations that recover quickly aren't lucky — they invested in detection, training, and response capabilities before the incident.
Social Engineering: The Threat That Keeps Evolving
Social engineering attacks have gotten significantly more sophisticated. AI-generated voice cloning, deepfake video calls, and hyper-personalized phishing emails are no longer theoretical. They're happening now.
In 2024, a finance worker at a multinational firm in Hong Kong was tricked into transferring $25 million after a video call with what appeared to be the company's CFO — but was actually a deepfake. The attackers had scraped publicly available video of the executive and recreated his likeness in real time.
Traditional phishing awareness training that only covers suspicious emails isn't enough anymore. Your training program needs to address voice phishing (vishing), SMS-based attacks (smishing), and AI-enhanced impersonation. Employees need to understand that verification processes — callback procedures, out-of-band confirmation — are non-negotiable for financial transactions and sensitive data requests.
Ransomware Isn't Slowing Down
The FBI's Internet Crime Complaint Center (IC3) has documented a steady increase in ransomware complaints, with attacks increasingly targeting critical infrastructure, healthcare, and education sectors. The business model works for criminals, which means it's not going away.
Your ransomware defense strategy needs three layers:
- Prevention: Patching, MFA, email filtering, endpoint detection, and security awareness training to stop initial access.
- Containment: Network segmentation, least-privilege access, and monitoring to limit the blast radius when prevention fails.
- Recovery: Immutable backups, tested restoration procedures, and a practiced incident response plan to get back online without paying.
If you're missing any one of these layers, you have a ransomware problem waiting to happen.
Building a Cybersecurity Culture — Not Just a Program
The organizations I've seen with the strongest security postures share one trait: security is part of the culture, not just the IT department's job.
This means executives model good behavior. It means reporting a suspicious email is praised, not punished. It means security teams are seen as partners, not obstacles. And it means training is ongoing — not a once-a-year checkbox.
Start by making security awareness accessible and relevant. Programs like our security awareness training are designed to meet employees where they are — with practical, scenario-driven content that sticks. Combine that with phishing simulation campaigns that give your people real practice identifying threats in a safe environment.
Culture change takes time, but the data supports it. Organizations with strong security cultures consistently report fewer incidents and faster detection times.
Your 90-Day Cybersecurity Action Plan
If your organization needs to improve its security posture quickly, here's where I'd focus in the next 90 days:
Days 1-30: Close the Obvious Gaps
- Audit MFA coverage across all external-facing systems and admin accounts. Deploy it where it's missing.
- Run a vulnerability scan and patch every critical and high finding.
- Verify backup integrity by performing a test restore.
Days 31-60: Build the Human Firewall
- Launch a security awareness training program covering phishing, social engineering, and credential hygiene.
- Run a baseline phishing simulation to measure current click rates.
- Establish a clear, no-blame process for employees to report suspicious messages.
Days 61-90: Harden and Prepare
- Review network segmentation. Identify and eliminate unnecessary lateral access paths.
- Update your incident response plan and run a tabletop exercise with key stakeholders.
- Implement or review least-privilege access across critical systems.
This isn't a complete cybersecurity program. But it addresses the controls that stop the most common attacks. Start here, measure progress, and build from this foundation.
The Bottom Line
Cybersecurity in 2026 isn't about buying the right tool. It's about consistently executing the fundamentals — MFA, patching, training, segmentation, backups, and incident response — while adapting to evolving threats like AI-enhanced social engineering and increasingly aggressive ransomware operations.
The organizations that avoid headlines aren't doing anything magical. They're doing the basics well, training their people continuously, and testing their defenses before attackers do.
Your next step is simple: identify which of the six core controls above you're weakest on, and fix it this month. Not next quarter. This month.