In early 2022, the Lapsus$ threat actor group breached Okta, Microsoft, Nvidia, and Samsung, not by exploiting sophisticated zero-day vulnerabilities, but by buying stolen credentials and insider access and by socially engineering employees. A group led by teenagers walked through the defenses of some of the best-resourced technology companies on the planet. If that doesn't make you rethink your security posture, nothing will.
This post breaks down what actually works to stop breaches in 2022. Not theory, not vendor marketing. Practical, field-tested strategies I've seen work across organizations of every size. Whether you run IT for a 50-person company or a 5,000-seat enterprise, these fundamentals apply.
The Verizon DBIR Tells the Real IT Security Story
Every year, the Verizon Data Breach Investigations Report gives us the clearest picture of how breaches actually happen. The 2022 DBIR analyzed 23,896 incidents, 5,212 of them confirmed breaches, and found that 82% of breaches involved a human element: phishing, stolen credentials, misuse, or simple error.
That number should redirect your entire IT security budget conversation. Organizations spend millions on perimeter defenses while their employees click malicious links and reuse passwords across personal and corporate accounts. The data is unambiguous: your people are the primary attack surface.
The same report found that ransomware increased 13% year over year — a jump larger than the previous five years combined. Credential theft and social engineering remain the dominant initial access vectors. If your security strategy doesn't address these two things aggressively, you're building a fortress with the front door open.
What Is IT Security? (The Version That Actually Matters)
IT security is the practice of protecting an organization's information systems — hardware, software, networks, and data — from unauthorized access, disruption, or destruction. But that textbook definition misses the point.
In practice, IT security is risk management. It's the discipline of identifying what you actually need to protect, understanding who wants to compromise it, and deploying layered defenses that account for the fact that every single control will eventually fail. Good IT security assumes breach. It builds resilience, not just resistance.
In my experience, the organizations that get breached the hardest are the ones that thought security was something you could buy. They purchased the next-generation firewall, the endpoint detection platform, the SIEM — and then never trained a single employee to recognize a phishing email.
The $4.35M Lesson Most Organizations Learn Too Late
IBM's 2022 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.35 million. In the United States, that number hit $9.44 million. Healthcare topped the list at $10.10 million per breach for the twelfth consecutive year.
Here's what I find most telling from that report: organizations that deployed security awareness training and AI-based security tools together reduced breach costs by over $1 million compared to those that didn't. Training isn't a soft control. It's a hard dollar savings.
If you haven't invested in cybersecurity awareness training for your workforce, you're leaving measurable risk reduction on the table. The math is straightforward.
Five IT Security Controls That Actually Prevent Breaches
I've audited and consulted for dozens of organizations over the years. The ones that avoid headline-making incidents tend to share five common traits. None of these are exotic. All of them require discipline.
1. Multi-Factor Authentication Everywhere
The Lapsus$ breaches I mentioned earlier hit organizations that either didn't enforce multi-factor authentication consistently or relied on MFA methods that fall to SIM swapping and MFA fatigue (push bombing: flooding a user with approval prompts until one gets accepted just to make them stop). CISA has been pushing MFA adoption as a critical baseline for years.
Deploy phishing-resistant MFA, meaning FIDO2 security keys or platform authenticators whose credentials are bound to the legitimate site's origin, on every account that touches sensitive data. SMS-based MFA is better than nothing, but it's increasingly inadequate against determined threat actors. If push-based MFA has to stay for a while, turn on number matching so a reflexive "approve" tap can't complete an attacker's login. Start with privileged accounts, email, and VPN access. Expand from there until there are zero exceptions.
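Push bombing leaves a distinctive trail in the identity provider's sign-in logs: a burst of prompts for one user, mostly denied or timed out, sometimes ending in an approval. The detection below is an added example, not part of the original post and not any vendor's rule; the event format, the user names, the 10-minute window and the five-prompt threshold are all assumptions, and the log lines are constructed for the example.

```python
"""Detect MFA push-fatigue ("push bombing") in identity-provider logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real vendor logs). Each line is:
# <ISO-8601 UTC timestamp> <user> <PROMPT_SENT|APPROVED|DENIED|TIMEOUT> <source IP>
SAMPLE_EVENTS = """\
2022-03-20T02:14:05Z alice PROMPT_SENT 198.51.100.7
2022-03-20T02:14:35Z alice TIMEOUT 198.51.100.7
2022-03-20T02:14:40Z alice PROMPT_SENT 198.51.100.7
2022-03-20T02:15:15Z alice PROMPT_SENT 198.51.100.7
2022-03-20T02:15:45Z alice DENIED 198.51.100.7
2022-03-20T02:16:00Z alice PROMPT_SENT 198.51.100.7
2022-03-20T02:17:00Z alice PROMPT_SENT 198.51.100.7
2022-03-20T02:17:30Z alice DENIED 198.51.100.7
2022-03-20T02:21:20Z alice PROMPT_SENT 198.51.100.7
2022-03-20T02:21:50Z alice APPROVED 198.51.100.7
2022-03-20T03:40:00Z carol PROMPT_SENT 198.51.100.7
2022-03-20T03:40:30Z carol DENIED 198.51.100.7
2022-03-20T03:41:00Z carol PROMPT_SENT 198.51.100.7
2022-03-20T03:42:00Z carol PROMPT_SENT 198.51.100.7
2022-03-20T03:43:00Z carol PROMPT_SENT 198.51.100.7
2022-03-20T03:43:30Z carol DENIED 198.51.100.7
2022-03-20T03:44:00Z carol PROMPT_SENT 198.51.100.7
2022-03-20T09:00:01Z bob PROMPT_SENT 203.0.113.5
2022-03-20T09:00:20Z bob APPROVED 203.0.113.5
"""


def parse_events(text):
    """Parse the whitespace-separated lines into (time, user, kind, ip), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, kind, ip))
    return sorted(events, key=lambda e: e[0])


def detect_push_fatigue(events, window=timedelta(minutes=10), prompt_threshold=5):
    """Flag users who received at least prompt_threshold prompts inside one window.

    A burst that ends with an APPROVED event inside the same window is the
    critical case: the user may have tapped "approve" just to stop the noise.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = []
    for user in sorted(by_user):
        evs = by_user[user]
        prompts = [e[0] for e in evs if e[2] == "PROMPT_SENT"]
        i = 0
        while i < len(prompts):
            start = prompts[i]
            burst = [t for t in prompts[i:] if t - start <= window]
            if len(burst) < prompt_threshold:
                i += 1
                continue
            window_end = start + window
            approved = any(e[2] == "APPROVED" and start <= e[0] <= window_end for e in evs)
            findings.append({
                "user": user,
                "prompts": len(burst),
                "start": start,
                "end": burst[-1],
                "approved_after_burst": approved,
                "severity": "critical" if approved else "high",
            })
            i += len(burst)  # skip past this burst so it is reported once
    return findings


def run_sample():
    return detect_push_fatigue(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['severity'].upper():8} {f['user']}: {f['prompts']} prompts "
              f"{f['start']:%H:%M:%S}-{f['end']:%H:%M:%S} approved={f['approved_after_burst']}")
```

On the sample, alice (six prompts and then an approval) comes out as critical, carol (five prompts, all refused) as high, and bob's single prompt-then-approve is ignored. Tune the window and threshold against your own baseline of legitimate re-prompts before paging anyone on the high-severity case; the critical case is worth an immediate session revoke and password reset regardless.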
2. Phishing Simulation and Security Awareness Training
You can't patch humans, but you can train them. Regular phishing simulations measurably reduce click rates over time. I've seen organizations cut their phishing susceptibility from 30% to under 5% within twelve months of consistent simulation programs.
The key word is consistent. A once-a-year compliance video doesn't change behavior. Monthly simulations paired with immediate, specific feedback do. Pair your simulations with structured phishing awareness training for your organization to give employees the context they need — what social engineering looks like, how credential theft works, and why that "urgent" email from the CEO is almost certainly fake.
3. Endpoint Detection and Response (EDR)
Signature-based antivirus on its own is no longer adequate for enterprise use. EDR tools provide visibility into endpoint behavior, detect lateral movement, and enable rapid containment. When a ransomware payload executes, the difference between EDR and legacy AV is often the difference between one isolated machine and an entire encrypted network.
Deploy EDR on every endpoint — servers, workstations, and laptops. Ensure your IT security team or managed provider actually monitors the alerts. An EDR tool generating thousands of unread alerts is just an expensive log file.
4. Privileged Access Management
Too many organizations still run with domain admin credentials shared among IT staff, service accounts with passwords that haven't changed in years, and local admin rights granted to every employee. This is how a single compromised credential turns into total domain compromise.
Implement least-privilege access. Use a PAM solution to vault and rotate privileged credentials. Remove local admin rights from standard users. Audit service account permissions quarterly. Every breach post-mortem I've ever read involves excessive privileges enabling lateral movement. Every single one.
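The quarterly audit above is easy to script once you have a directory export in hand. The following is an added example, not the post author's tooling and not a real Active Directory dump: the CSV columns (sam, type, groups, pwd_last_set, local_admin_hosts, owner), the account names and the 365-day password age limit are assumptions, and the export is constructed for the example. It flags the three patterns the paragraph calls out: privileged passwords that never rotate, privileged credentials with no individual owner (in practice, shared ones), and standard users holding local admin.

```python
"""Quarterly privileged-access audit over a directory export."""
import csv
from collections import Counter
from datetime import date
from io import StringIO

# Constructed export (not a real AD dump). Columns: sam, type (user|service),
# groups (';'-separated), pwd_last_set (ISO date), local_admin_hosts
# (';'-separated), owner (the person responsible; blank means nobody owns it).
SAMPLE_EXPORT = """\
sam,type,groups,pwd_last_set,local_admin_hosts,owner
jsmith,user,Domain Users,2022-02-10,WS-0412,jsmith
jsmith-adm,user,Domain Users;Domain Admins,2022-03-01,,jsmith
dadmin,user,Domain Admins,2019-06-14,,
svc_backup,service,Domain Users;Backup Operators,2018-11-02,SRV-BKP01,
svc_sql,service,Domain Admins,2020-01-20,SRV-SQL01,dba-team
mlee,user,Domain Users,2022-03-15,WS-0533;WS-0534,mlee
"""


def load_accounts(text):
    """Parse the export into dicts with list-valued groups/hosts and a real date."""
    accounts = []
    for row in csv.DictReader(StringIO(text)):
        row["groups"] = [g for g in row["groups"].split(";") if g]
        row["local_admin_hosts"] = [h for h in row["local_admin_hosts"].split(";") if h]
        row["pwd_last_set"] = date.fromisoformat(row["pwd_last_set"])
        accounts.append(row)
    return accounts


def audit_privileges(accounts, as_of, max_pwd_age_days=365):
    """Return one finding dict per policy violation found in the export."""
    findings = []

    def flag(acct, issue, detail):
        findings.append({"sam": acct["sam"], "issue": issue, "detail": detail})

    for a in accounts:
        is_da = "Domain Admins" in a["groups"]
        is_service = a["type"] == "service"
        privileged = is_da or is_service
        pwd_age = (as_of - a["pwd_last_set"]).days
        if privileged and pwd_age > max_pwd_age_days:
            flag(a, "stale-password", f"last set {pwd_age} days ago")
        if privileged and not a["owner"]:
            flag(a, "no-accountable-owner", "credential is effectively shared")
        if is_service and is_da:
            flag(a, "service-account-domain-admin", ";".join(a["groups"]))
        if not privileged and a["local_admin_hosts"]:
            flag(a, "standard-user-local-admin", ";".join(a["local_admin_hosts"]))
    return findings


def summarize(findings):
    """Count findings per issue type, for the quarterly report."""
    return dict(Counter(f["issue"] for f in findings))


def run_sample(as_of=date(2022, 4, 1)):
    return audit_privileges(load_accounts(SAMPLE_EXPORT), as_of)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f['sam']:12} {f['issue']:30} {f['detail']}")
    print(summarize(results))
```

Note what comes out clean: jsmith-adm, a separate admin account with a named owner, a recent password and no local admin rights, which is the shape every privileged identity should have. Everything else in the sample is a finding, including the service account that sits in Domain Admins with an 800-day-old password.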
5. Network Segmentation and Zero Trust Architecture
Flat networks are a gift to threat actors. Once they breach the perimeter — and they will — a flat network lets them reach everything. Zero trust architecture assumes that no user, device, or network segment should be inherently trusted.
Start with your crown jewels. Segment databases containing customer data, financial systems, and intellectual property. Require re-authentication for access to sensitive segments. NIST Special Publication 800-207 provides a solid framework for planning your zero trust implementation.
Ransomware: The IT Security Threat Defining 2022
The FBI's Internet Crime Complaint Center received 3,729 ransomware complaints in 2021, with adjusted losses exceeding $49 million — and those are just the reported cases. The actual numbers are significantly higher. In 2022, ransomware groups like Conti, LockBit, and BlackCat have continued to devastate organizations across healthcare, education, government, and manufacturing.
Conti's attack on Costa Rica's government in April 2022 was a watershed moment: a ransomware group effectively disrupting an entire nation's operations. The group demanded $10 million, later doubled the demand to $20 million, and leaked 672 GB of government data. This isn't a hypothetical risk anymore. It's an operational reality that every IT security team must plan for.
Your ransomware defense isn't one control. It's the combination of everything above: MFA to prevent initial access, training to stop phishing, EDR to catch execution, least privilege to limit lateral movement, and segmentation to contain the blast radius. Add immutable, offline backups that you test quarterly, and you have a defensible position.
The Zero Trust Shift: Why Perimeter Security Isn't Enough
The traditional IT security model — hard perimeter, soft interior — was designed for a world where everyone worked in an office on managed devices connected to a corporate network. That world ended in March 2020 and it's not coming back.
Remote and hybrid work means your employees access corporate data from home networks, coffee shops, and airports. Your applications live in multiple clouds. Your data flows through SaaS platforms you don't control. The perimeter isn't gone, but it's no longer the primary line of defense.
Zero trust flips the model. Every access request is verified. Every session is authenticated. Every device is assessed. It's not a product you buy — it's an architecture you build incrementally. Start with identity. If you get identity and access management right, you've addressed the single largest category of initial access vectors in the Verizon DBIR.
Building an IT Security Program on a Limited Budget
Not every organization has an enterprise security budget. Most don't. Here's where I'd spend my first dollars if I were building an IT security program from scratch in 2022.
Month One: Lock Down Identity
Enable MFA on all email accounts, VPN, and cloud services. Audit and remove unnecessary admin privileges. Disable legacy authentication protocols such as basic authentication for IMAP, POP3, and SMTP, which cannot enforce MFA and are a standard way of bypassing it. This costs almost nothing and eliminates a huge percentage of your risk.
Month Two: Train Your People
Launch a cybersecurity awareness training program and begin monthly phishing simulations. Focus on credential theft, business email compromise, and ransomware delivery via email. Measure your baseline click rate and track improvement. Your employees should know what social engineering looks like and how to report suspicious messages.
Month Three: Visibility and Response
Deploy EDR on all endpoints. Establish an incident response plan — even a basic one. Know who to call, what to isolate, and where your backups are. Test those backups. I've seen organizations discover their backup system hadn't actually been running for months only after ransomware hit.
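"Test those backups" means actually restoring them and checking the result, not just confirming the job reported success. The script below is an added example, not the post author's tooling: it builds a constructed sample tree, backs it up to a tar.gz with a SHA-256 manifest, and then restore-tests the archive three ways, fresh, with a tampered manifest, and after aging the archive 90 days to mimic a backup job that silently stopped. The file names, the one-day freshness limit and the manifest format are assumptions.

```python
"""Restore-test a backup archive against its checksum manifest."""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, backup_dir):
    """Archive every file under src_dir and write a SHA-256 manifest beside it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S")
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    manifest = backup_dir / f"backup-{stamp}.manifest.json"
    hashes = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src_dir).as_posix()
                hashes[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2))
    return archive, manifest


def restore_and_verify(archive, manifest, max_age_days=1):
    """Restore into a scratch directory and check age, completeness and hashes."""
    problems = []
    age_days = (time.time() - archive.stat().st_mtime) / 86400
    if age_days > max_age_days:
        problems.append(f"newest backup is {age_days:.0f} days old (limit {max_age_days})")
    expected = json.loads(manifest.read_text())
    # Use the stdlib 'data' extraction filter where available (Python 3.12+ and
    # the security backports) to block path traversal and special files.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                target = (dest / member.name).resolve()
                # Belt and braces: only regular files that stay inside dest.
                if not member.isfile() or dest not in target.parents:
                    problems.append(f"unsafe archive member skipped: {member.name}")
                    continue
                tar.extract(member, path=dest, **extract_kwargs)
        for rel, digest in expected.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"checksum mismatch: {rel}")
    return {"ok": not problems, "files_checked": len(expected), "problems": problems}


def demo():
    """Back up a constructed tree, then verify it fresh, tampered, and stale."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prod = root / "prod"
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "customers.sql").write_text(
            "-- constructed sample dump\nINSERT INTO customers VALUES (1, 'acme');\n")
        (prod / "config.yml").write_text("region: eu-west-1\n")
        archive, manifest = create_backup(prod, root / "backups")
        fresh = restore_and_verify(archive, manifest)
        # Corrupt one manifest entry: the restore test must catch the mismatch.
        bad = json.loads(manifest.read_text())
        bad["config.yml"] = "0" * 64
        manifest.write_text(json.dumps(bad))
        tampered = restore_and_verify(archive, manifest)
        # Age the archive 90 days: the "job silently stopped months ago" case.
        old = time.time() - 90 * 86400
        os.utime(archive, (old, old))
        stale = restore_and_verify(archive, manifest)
        return fresh, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("fresh", "tampered", "stale"), demo()):
        print(label, "OK" if result["ok"] else "FAIL", result["problems"])
```

Run something like this on a schedule against your real backup target and alert on any result that is not OK; the age check is the one that catches a dead backup job, and the restore plus hash comparison is the one that catches a job that runs but produces garbage. Keep the manifest somewhere the backup job cannot overwrite, otherwise an attacker who reaches the backup host can rewrite both.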
Month Four and Beyond: Mature and Segment
Begin network segmentation starting with your most sensitive assets. Implement a vulnerability management program. Start logging and monitoring critical systems. Build toward a zero trust architecture incrementally. Each quarter, reassess your biggest risks and allocate resources accordingly.
Your Employees Are Your IT Security Front Line
I keep coming back to this because the data keeps pointing here. The 2022 Verizon DBIR, the IBM Cost of a Data Breach Report, the FBI IC3 annual reports — they all tell the same story. Human error, social engineering, and stolen credentials dominate the threat landscape.
Technology controls are essential. But the most effective IT security programs treat employee awareness as a foundational layer, not an afterthought. When your staff can recognize a phishing email, challenge an unusual request, and report something suspicious without fear of blame, you've built something no firewall can replicate.
Invest in phishing awareness training alongside your technical controls. The organizations that do both consistently are the ones that stay out of the breach headlines.
What Happens Next
The threat landscape in 2022 is defined by ransomware, credential theft, and social engineering at industrial scale. The defenses that work are not new or glamorous: multi-factor authentication, security awareness training, endpoint detection, least privilege, and network segmentation.
Pick the control that addresses your biggest gap right now and implement it this month. Then pick the next one. IT security isn't a destination — it's a discipline. The organizations that treat it that way are the ones still operating after an attack.