Colonial Pipeline. SolarWinds. Microsoft Exchange. We're barely halfway through 2021 and the breach headlines are relentless. But here's what frustrates me most: the majority of these incidents didn't exploit exotic zero-day vulnerabilities. They exploited basic IT security gaps that organizations have known about for years — weak credentials, unpatched systems, and employees who clicked on the wrong link.

I've spent years watching organizations pour money into shiny tools while ignoring the fundamentals. This post is about what actually matters in IT security right now — not theoretical best practices, but the specific actions that separate organizations that get breached from those that don't.

The $6 Trillion Problem Nobody Wants to Own

Cybercrime damages are projected to hit $6 trillion annually by the end of this year, according to Cybersecurity Ventures. The FBI's 2020 Internet Crime Report logged 791,790 complaints with reported losses exceeding $4.2 billion — a 69% increase in complaints over 2019.

Those numbers are staggering but abstract. Here's what they look like in practice: a mid-size manufacturer locked out of its own systems for three weeks. A healthcare provider paying $1.5 million in ransom because their backups were connected to the same network. A law firm losing its biggest client after email compromise exposed privileged communications.

Every single one of those scenarios traces back to IT security fundamentals that were either ignored or half-implemented. Not advanced persistent threats. Not nation-state actors. Basic hygiene failures.

What IT Security Actually Means in 2021

It's Not Just a Technology Problem

IT security encompasses the policies, technologies, and human behaviors that protect an organization's digital infrastructure and data from unauthorized access, disruption, or destruction. That includes networks, endpoints, cloud services, email, and every person who touches a keyboard.

The mistake I see repeatedly is treating IT security as purely a technical function. You buy a firewall. You install antivirus. You check the compliance box. Meanwhile, your accounts payable clerk is responding to a spoofed email from your "CEO" asking for an urgent wire transfer.

The Verizon 2021 Data Breach Investigations Report found that 85% of breaches involved a human element. Social engineering attacks — particularly phishing — remain the dominant initial attack vector. No firewall stops an employee from voluntarily handing over their credentials.
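The spoofed "CEO" wire-transfer email above is the classic business email compromise lure, and much of it can be caught at the gateway before the clerk ever sees it. The following is an added example written for this post, not code from the original article: it triages a raw message for display-name impersonation, lookalike sender domains, a redirected Reply-To, a missing DMARC pass on mail that claims to be ours, and pressure language in the body. The corporate domain, the executive roster and the two sample messages are constructed for the demo.

```python
"""Triage an inbound message for executive impersonation (BEC).

Added example, not code from the original post. The corporate domain,
executive roster and the two sample messages are constructed for the demo.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                      # assumption: our own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # display name -> real mailbox (assumed)
URGENCY = ("urgent", "wire transfer", "gift card", "immediately", "confidential")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_findings(raw_message: str) -> list:
    """Return the reasons this message looks like CEO fraud (empty list = nothing found)."""
    msg = message_from_string(raw_message)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    name = " ".join(display.split()).lower()

    # 1. Display name matches an executive but the mailbox is not theirs.
    if name in EXECUTIVES and sender.lower() != EXECUTIVES[name]:
        findings.append(f"display name '{display}' used with foreign mailbox {sender}")

    # 2. Lookalike domain: close to ours but not ours (examp1e.com, exarnple.com, ...).
    if sender_domain != CORPORATE_DOMAIN:
        similarity = difflib.SequenceMatcher(None, sender_domain, CORPORATE_DOMAIN).ratio()
        if similarity >= 0.8:
            findings.append(f"lookalike sender domain {sender_domain}")

    # 3. Replies silently diverted to a different domain than the visible From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {sender}")

    # 4. Claims to be us, but our gateway did not record a DMARC pass.
    auth_results = msg.get("Authentication-Results", "").lower()
    if sender_domain == CORPORATE_DOMAIN and "dmarc=pass" not in auth_results:
        findings.append("sender claims our domain but DMARC did not pass")

    # 5. Urgency and secrecy language typical of wire-fraud lures.
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = [w for w in URGENCY if w in body.lower()]
    if hits:
        findings.append(f"pressure language: {', '.join(hits)}")

    return findings


# Constructed sample messages (not real mail).
SPOOFED = "\n".join([
    'From: "Jane Doe" <jane.doe.ceo@gmail.com>',
    "Reply-To: <accounts@examp1e.com>",
    "To: ap-clerk@example.com",
    "Subject: Urgent",
    "",
    "I need an urgent wire transfer processed before 3pm. Keep this confidential.",
])

LEGIT = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: ap-clerk@example.com",
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass",
    "Subject: Q2 report",
    "",
    "Please add the Q2 numbers to the board deck when you have a moment.",
])

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_findings(raw) or "clean")
```

None of these checks is proof on its own; the point is that the spoofed message trips three of them at once while the legitimate one trips none, which is the kind of score a gateway rule or a SOC playbook can act on. The Authentication-Results header is whatever your own edge mail server writes, so only trust it when the message arrived through that server.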

The Threat Landscape Has Shifted Under Your Feet

The mass shift to remote work in 2020 didn't just expand the attack surface — it obliterated the perimeter. Your employees are connecting from home networks, personal devices, and coffee shop Wi-Fi. Your data lives in SaaS applications, cloud storage, and collaboration platforms your IT team may not even know about.

Threat actors adapted immediately. Phishing campaigns themed around COVID-19, remote work tools, and vaccine scheduling flooded inboxes. Ransomware gangs pivoted from opportunistic attacks to targeted, double-extortion operations — encrypting your data and threatening to leak it publicly.

The Colonial Pipeline ransomware attack in May 2021 shut down fuel distribution across the U.S. East Coast. The entry point? The password for a legacy VPN account that had no multi-factor authentication. One password. That's all it took.

The Five IT Security Failures I See Everywhere

1. No Multi-Factor Authentication on Critical Systems

I cannot say this loudly enough: if you're still relying on passwords alone to protect email, VPN, or admin accounts, you are inviting a breach. Credential theft is trivially easy through phishing, credential stuffing, or dark web purchases.

Multi-factor authentication (MFA) stops the vast majority of credential-based attacks. Microsoft has stated that MFA blocks 99.9% of automated account compromise attempts. Yet I still encounter organizations — including those handling sensitive data — that haven't enabled it on their most critical systems.

Start with email, VPN, and any system with administrative privileges. Then expand to everything you can. For administrators, prefer phishing-resistant factors such as FIDO2 security keys or platform authenticators: real-time phishing proxies and push-notification fatigue can defeat SMS codes and simple push approvals. Even so, any MFA beats none, and this single step provides more security value than most six-figure tool purchases.

2. Treating Security Awareness as a Checkbox

Annual compliance training where employees click through slides and answer five multiple-choice questions does not reduce risk. It reduces legal liability. Maybe. Those are different things.

Effective security awareness training is continuous, scenario-based, and relevant to the actual threats your people face. It includes regular phishing simulations that test organizational readiness and provide immediate coaching when someone falls for a test.

The organizations I've seen make real progress are the ones that treat security awareness as a culture initiative, not an annual event. They run monthly phishing simulations. They celebrate employees who report suspicious emails. They make security part of onboarding, not an afterthought.

3. Flat Networks with No Segmentation

When a threat actor gets inside your network — and eventually, someone will — the question is: how far can they move? In a flat network with no segmentation, the answer is everywhere.

Network segmentation limits lateral movement. Your guest Wi-Fi shouldn't be on the same network as your financial systems. Your production environment shouldn't be directly accessible from every user workstation. This is a core tenet of zero trust architecture: never assume trust based on network location alone.
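Segmentation only limits lateral movement if the rules you think you have are the rules the network actually enforces, so it pays to check real traffic against the intended policy. The following is an added example written for this post, not code from the original article: it maps flow-log records onto zones by address range and flags every cross-zone flow the policy does not explicitly allow. The address plan, the allow list and the five log lines are constructed for the demo.

```python
"""Check a flow log against a segmentation policy.

Added example, not from the original post. The zone ranges, the allow list
and the log lines are constructed for the demo.
"""
import ipaddress
import re

# Assumed address plan: one prefix per zone.
ZONES = {
    "guest":   ipaddress.ip_network("10.10.0.0/16"),
    "users":   ipaddress.ip_network("10.20.0.0/16"),
    "finance": ipaddress.ip_network("10.30.0.0/24"),
    "prod":    ipaddress.ip_network("10.40.0.0/16"),
}

# Assumed policy: (source zone, destination zone, destination port).
# Anything not listed is a violation; the default is deny.
ALLOWED = {
    ("users", "finance", 443),   # browsers reach the finance web app only
    ("users", "prod", 443),
    ("guest", "internet", 443),
    ("guest", "internet", 80),
    ("users", "internet", 443),
    ("users", "internet", 80),
}

LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"   # anything outside our plan


def violations(flow_log: str) -> list:
    """Return (src_zone, dst_zone, dport, raw line) for every flow the policy forbids."""
    bad = []
    for line in flow_log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        key = (zone_of(src), zone_of(dst), dport)
        if key[0] == key[1]:
            continue            # intra-zone traffic is not this policy's concern
        if key not in ALLOWED:
            bad.append(key + (line,))
    return bad


# Constructed flow records (not a real capture).
SAMPLE_LOG = """\
2021-06-01T10:00:01Z src=10.20.5.14 dst=10.30.0.12 dport=443 proto=tcp
2021-06-01T10:00:02Z src=10.10.4.7 dst=10.30.0.12 dport=445 proto=tcp
2021-06-01T10:00:03Z src=10.10.4.7 dst=93.184.216.34 dport=443 proto=tcp
2021-06-01T10:00:04Z src=10.20.5.14 dst=10.40.1.1 dport=22 proto=tcp
2021-06-01T10:00:05Z src=10.40.1.1 dst=10.40.2.2 dport=5432 proto=tcp
"""

if __name__ == "__main__":
    for src_zone, dst_zone, dport, line in violations(SAMPLE_LOG):
        print(f"VIOLATION {src_zone} -> {dst_zone}:{dport}  {line}")
```

Run against the sample, the guest device reaching SMB on a finance host and a user workstation opening SSH to production are the two flows that should never have been routable. If a check like this keeps finding permitted flows the policy forgot about, fix the policy; if it finds flows the firewall should already be dropping, the firewall is not enforcing what you think it is.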

4. Backup Strategies That Fail When You Need Them

Ransomware gangs know that your backups are the one thing standing between them and a payday. Modern ransomware deletes volume shadow copies and hunts for backup files and backup servers, encrypting or wiping them before the main encryption run begins.

If your backups are reachable over the same network and with the same credentials as your production systems, they will be encrypted alongside everything else. Keep at least one copy offline, air-gapped, or on immutable storage that the production domain's admin accounts cannot delete. Test restores quarterly — not just the backup job, but an actual full-system recovery, timed, from the copy you would really use. I've seen organizations discover their backups were corrupted only after they needed them.
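"Test restores" means restoring, not checking that the backup job exited zero. The following is an added example written for this post, not code from the original article: it archives a directory, records a SHA-256 of the archive and of every file it contains in a sidecar manifest, then performs a real restore into scratch space and compares the restored tree against the manifest. The demo then flips one byte in the archive to show that the same check catches corruption or tampering. The directory contents are constructed.

```python
"""Build a backup with an integrity manifest and prove it restores.

Added example, not from the original post. The demo data is constructed.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_manifest(root) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src_dir, archive) -> dict:
    """Write the archive plus a sidecar manifest; returns the manifest."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    manifest = {"archive_sha256": sha256_file(archive), "files": tree_manifest(src_dir)}
    Path(f"{archive}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def _safe_members(tar):
    # Refuse traversal and links so a tampered archive cannot write outside the restore dir.
    for m in tar.getmembers():
        parts = Path(m.name).parts
        if Path(m.name).is_absolute() or ".." in parts or m.issym() or m.islnk():
            raise ValueError(f"unsafe archive member: {m.name}")
        yield m


def verify_restore(archive) -> tuple:
    """Actually restore the archive into scratch space and compare it to the manifest."""
    manifest = json.loads(Path(f"{archive}.manifest.json").read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False, "archive digest mismatch (corrupted or tampered)"
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(scratch, members=list(_safe_members(tar)))
        restored = tree_manifest(scratch)
    if restored != manifest["files"]:
        changed = sorted(set(manifest["files"]) - set(restored))
        return False, f"restored tree differs from manifest; missing or changed: {changed}"
    return True, f"restore verified, {len(restored)} files match"


def demo() -> tuple:
    """Back up a constructed tree, verify it, corrupt one byte, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "q2.csv").write_text("acct,amount\n1001,42.00\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        archive = Path(work, "data.tar.gz")

        make_backup(src, archive)
        clean_ok, clean_msg = verify_restore(archive)

        # Simulate bit rot or tampering in the middle of the archive.
        with open(archive, "r+b") as f:
            f.seek(os.path.getsize(archive) // 2)
            byte = f.read(1)
            f.seek(-1, 1)
            f.write(bytes([byte[0] ^ 0xFF]))
        tampered_ok, tampered_msg = verify_restore(archive)

    return clean_ok, tampered_ok, clean_msg, tampered_msg


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The manifest is stored beside the archive rather than inside it, and the restore refuses absolute paths, ".." components and links, because a backup you pull from a compromised host is untrusted input until it is verified. Store the manifest (or at least its digest) somewhere the ransomware cannot reach, or the attacker can rewrite both.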

5. No Incident Response Plan

When the SolarWinds supply chain compromise was disclosed in December 2020, organizations that had practiced incident response knew what to do: isolate, investigate, communicate. Organizations without a plan scrambled for weeks.

An incident response plan doesn't need to be a 200-page document. It needs to answer: Who makes decisions? Who do we call? How do we contain a compromised system? How do we communicate with customers and regulators? Practice this at least annually with tabletop exercises.

What Is the Most Important IT Security Step for Small Businesses?

If you can only do one thing, enable multi-factor authentication on every account that supports it, starting with email and remote access. Compromised credentials are behind most of the small-business breaches the FBI tracks, and MFA blocks the large majority of those attacks, even if phishing-resistant factors are needed to close the vector completely.

After that, invest in cybersecurity awareness training for your entire team. Your people are both your greatest vulnerability and your strongest defense. A well-trained employee who recognizes a phishing email prevents a breach that no technology could have stopped.

Building an IT Security Program That Actually Works

Start with What You Actually Have

You can't protect what you don't know about. Conduct an asset inventory that includes every device, application, cloud service, and data store in your environment. Most organizations I work with are shocked by what they find — shadow IT, forgotten test servers, legacy applications with default credentials.

Use the NIST Cybersecurity Framework as your starting point. It organizes security into five functions — Identify, Protect, Detect, Respond, Recover — that map to practical activities. You don't need to implement everything at once. Use it to find your biggest gaps and prioritize.

Adopt Zero Trust Principles

Zero trust isn't a product you buy. It's an architecture philosophy: never trust, always verify. Every access request is authenticated, authorized, and encrypted regardless of where it originates.

In practice, this means:

  • Verify user identity with MFA before granting access to any resource
  • Apply least-privilege access — users get only the permissions they need for their role
  • Segment your network so a compromised endpoint can't reach your crown jewels
  • Monitor continuously for anomalous behavior, not just known signatures
  • Assume breach — design your defenses around the premise that an attacker is already inside

This approach is especially critical in 2021's hybrid work environment. When your employees work from everywhere, your security model can't depend on a corporate perimeter that no longer exists.

Make Phishing Simulations a Regular Practice

Phishing remains the most common initial attack vector in data breaches. Running regular phishing simulations does two things: it measures your organization's real-world susceptibility, and it trains employees through experience rather than lectures.

Organizations that run monthly simulations see click rates drop significantly over time. The key is making simulations realistic, varied, and educational. When someone clicks a simulated phishing link, they should immediately see what they missed and how to spot it next time. If you need a starting point, phishing awareness training designed for organizations can get your program running quickly.

Patch Relentlessly

The Microsoft Exchange Server vulnerabilities disclosed in March 2021 (CVE-2021-26855 and related) were already being exploited as zero-days when Microsoft released the patches, and mass exploitation of unpatched servers followed within days. CISA issued an emergency directive demanding federal agencies patch immediately.

Yet weeks later, tens of thousands of Exchange servers remained unpatched. Every one of them was a sitting target.

Patching isn't glamorous. It's disruptive. It breaks things sometimes. But unpatched systems remain one of the most exploited attack vectors in existence. Establish a patching cadence: critical vulnerabilities within 48 hours, high-severity within two weeks, everything else within 30 days.
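A cadence is only useful if something tracks it. The following is an added example written for this post, not code from the original article: it applies the SLA the paragraph proposes (critical within 48 hours, high within two weeks, everything else within 30 days) to a list of vulnerability findings and reports what is overdue, what is due within the week, and what was closed late. The hostnames and the non-CVE identifiers are placeholders; CVE-2021-26855 and its disclosure date are the Exchange case from the text.

```python
"""Track patch SLAs and list what is overdue.

Added example, not from the original post. The cadence is the one the text
proposes (critical 48 h, high 14 days, the rest 30 days); hosts and the
non-CVE identifiers are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 30}


@dataclass
class Finding:
    host: str
    vuln_id: str
    severity: str
    disclosed: date                 # clock starts when a fix is available to us
    patched: Optional[date] = None  # None = still open


def due_date(f: Finding) -> date:
    return f.disclosed + timedelta(days=SLA_DAYS[f.severity])


def sla_report(findings, today: date) -> dict:
    """Bucket findings into overdue (open, past due), due_soon (open, due within
    7 days), missed (closed after the deadline) and ok."""
    report = {"overdue": [], "due_soon": [], "missed": [], "ok": []}
    for f in findings:
        due = due_date(f)
        if f.patched is None:
            if today > due:
                report["overdue"].append((f.host, f.vuln_id, (today - due).days))
            elif (due - today).days <= 7:
                report["due_soon"].append((f.host, f.vuln_id, (due - today).days))
            else:
                report["ok"].append((f.host, f.vuln_id))
        elif f.patched > due:
            report["missed"].append((f.host, f.vuln_id, (f.patched - due).days))
        else:
            report["ok"].append((f.host, f.vuln_id))
    report["overdue"].sort(key=lambda r: -r[2])   # worst first
    return report


# Constructed findings. Only the Exchange CVE and its March 2 disclosure are real.
FINDINGS = [
    Finding("mail01", "CVE-2021-26855", "critical", date(2021, 3, 2)),
    Finding("mail02", "CVE-2021-26855", "critical", date(2021, 3, 2), patched=date(2021, 3, 3)),
    Finding("web03", "finding-A", "high", date(2021, 3, 10)),
    Finding("fs01", "finding-B", "high", date(2021, 2, 1), patched=date(2021, 3, 1)),
    Finding("jump01", "finding-C", "medium", date(2021, 3, 15)),
]
REPORT_DATE = date(2021, 3, 20)   # the "today" used by the demo

if __name__ == "__main__":
    r = sla_report(FINDINGS, REPORT_DATE)
    for host, vid, days in r["overdue"]:
        print(f"OVERDUE  {host} {vid} by {days} days")
    for host, vid, days in r["due_soon"]:
        print(f"DUE SOON {host} {vid} in {days} days")
    for host, vid, days in r["missed"]:
        print(f"MISSED   {host} {vid} closed {days} days late")
```

On the sample data, the unpatched Exchange server is 16 days past a 48-hour deadline by March 20, which is exactly the population the emergency directive was aimed at. Feed this from your scanner's export and publish the "overdue" list weekly; the "missed" bucket tells you whether the cadence is realistic or only aspirational.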

The Human Side of IT Security

Every technical control you implement can be bypassed by a human being who makes a mistake. That's not a criticism of your employees — it's a recognition that social engineering works because it exploits trust, urgency, and authority. These are fundamental human traits, not flaws.

The solution isn't to blame users. It's to build systems that minimize the impact of human error and create a culture where reporting suspicious activity is rewarded, not punished. Your IT security program should make the right thing easy and the wrong thing hard.

Start with comprehensive cybersecurity awareness training that covers phishing, social engineering, credential hygiene, and safe browsing habits. Then reinforce it continuously. Security culture isn't built in a single training session — it's built through repetition, reinforcement, and leadership buy-in.

What Comes Next

The threat landscape in 2021 is more hostile than it has ever been. Ransomware is an industry. Phishing kits are commoditized. Supply chain attacks have proven that even trusted vendors can be compromised.

But the organizations that will weather these storms are the ones doing the boring stuff well. MFA everywhere. Patched systems. Segmented networks. Trained employees. Tested backups. A plan for when — not if — something goes wrong.

IT security isn't a destination. It's a daily discipline. The organizations that treat it that way are the ones that stay out of the headlines.