In March 2024, UnitedHealth Group's subsidiary Change Healthcare was hit by a ransomware attack that disrupted insurance claim processing for hospitals and pharmacies across the United States. The company reportedly paid a $22 million ransom. The attack vector? Stolen credentials used to access a remote system that lacked multi-factor authentication. One missing IT security control brought a $372 billion company to its knees — and left millions of patients in limbo.

If you think your organization is too small to be a target, or that your current defenses are "good enough," this post is for you. I'm going to walk through what actually works in IT security right now — not theoretical frameworks, but specific, practical measures grounded in what threat actors are doing in 2024.

The State of IT Security: Why 2024 Is a Reckoning

The numbers keep getting worse. The IBM Cost of a Data Breach Report 2024 pegged the global average cost of a data breach at $4.88 million — an all-time high, and a 10% increase over last year. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, whether through social engineering, errors, or misuse of credentials.

Here's what I see in my work: organizations spending six figures on firewalls and endpoint detection while ignoring the basics. No MFA on critical systems. No phishing simulation program. No tested incident response plan. The spending goes to shiny tools. The breaches come through unlocked doors.

IT security isn't a product you buy. It's a discipline you practice. And in 2024, the gap between organizations that practice it and those that just purchase it is widening fast.

What Threat Actors Are Actually Doing Right Now

Credential Theft Is the #1 Play

Forget Hollywood hacking scenes. The most common attack path is embarrassingly simple: steal a username and password, log in, and move laterally. The Verizon DBIR has reported for years that stolen credentials are involved in roughly half of all breaches. That trend held strong in 2024.

Threat actors get credentials through phishing emails, credential stuffing from previous breaches, and infostealers — malware specifically designed to harvest saved passwords from browsers. If your employees reuse passwords across personal and work accounts, you're already exposed.

Ransomware Isn't Slowing Down

The FBI's Internet Crime Complaint Center (IC3) reported that ransomware complaints impacted critical infrastructure sectors at an alarming rate in 2023, with healthcare, manufacturing, and government facilities hit hardest. Groups like ALPHV/BlackCat (the group behind the Change Healthcare attack) and LockBit have operated like businesses — with affiliate programs, customer service portals, and escalating ransom demands.

Ransomware gangs increasingly use double extortion: they encrypt your data and threaten to leak it. Paying the ransom doesn't guarantee they'll delete what they stole. Your IT security strategy needs to account for both the encryption threat and the data exfiltration risk.

Social Engineering Gets More Sophisticated

Business email compromise (BEC) remains the single most financially damaging cybercrime category according to the FBI IC3 2023 Annual Report. Losses exceeded $2.9 billion in 2023 alone. Attackers don't need malware when they can simply impersonate your CEO and convince an employee to wire $200,000 to a fraudulent account.

Deepfake audio and AI-generated phishing emails are making social engineering attacks harder to detect. I've personally reviewed phishing emails in 2024 that were grammatically flawless and contextually relevant — a far cry from the "Nigerian prince" scams that security awareness training used to focus on.

The IT Security Controls That Actually Stop Breaches

Here's where I want to get specific. Based on what's actually working — in incident response cases, in breach post-mortems, in the data — these are the controls that matter most.

1. Multi-Factor Authentication on Everything

MFA is the single highest-impact control you can deploy. The Change Healthcare breach happened because a remote access portal didn't have it. CISA has been practically begging organizations to enable MFA on all externally facing systems, and they're right.

Don't stop at email. Apply MFA to VPNs, cloud admin consoles, SaaS applications, and any system accessible from the internet. And push for phishing-resistant MFA — hardware security keys or FIDO2-based methods — rather than SMS codes, which can be intercepted through SIM swapping.

2. Security Awareness Training That Simulates Real Attacks

Annual compliance training — that 30-minute video your employees click through while checking their phone — doesn't change behavior. What does work: regular, realistic phishing simulations paired with immediate, constructive feedback.

Organizations that run monthly phishing simulations see measurable drops in click rates over time. The key is consistency and realism. If you haven't built a program yet, start with a structured phishing awareness training program for your organization that includes simulated attacks based on current threat intelligence.

Training shouldn't be punitive. It should be practical. Employees who understand how credential theft and social engineering work become your first line of defense, not your weakest link.

3. Zero Trust Architecture — Start Small

Zero trust isn't a product. It's a design philosophy: never trust, always verify. Every access request is authenticated and authorized regardless of where it comes from — inside or outside the network.

You don't need to overhaul your entire infrastructure overnight. Start with identity. Enforce least-privilege access. Segment your network so that a compromised workstation can't reach your domain controller. Verify device health before granting access. NIST's SP 800-207 Zero Trust Architecture framework is the best starting point if you need a structured approach.

4. Endpoint Detection and Response (EDR)

Traditional antivirus is dead for any organization facing real threat actors. EDR solutions monitor endpoint behavior, detect anomalies, and enable rapid response. They catch what signature-based tools miss — fileless malware, living-off-the-land techniques, and lateral movement.

If your IT security budget is limited, EDR gives you the best bang for your dollar after MFA. Make sure it's deployed on every endpoint, including servers, and that someone is actually monitoring the alerts.

5. Tested Backup and Recovery

Backups are your last line of defense against ransomware. But I've seen too many organizations discover their backups were corrupted, incomplete, or stored on the same network that got encrypted.

Follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy stored offsite or offline. Test your restores quarterly. An untested backup is a hope, not a plan.
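
One way to make the quarterly restore test mechanical, as an added example that is not code from the original post: restore the archive into fresh scratch space and compare every file against a SHA-256 manifest taken at backup time. The archive layout (tar.gz plus a manifest dictionary) and the helper names are assumptions for the demo; the sample files are constructed.

```python
"""Restore test for a backup archive: restore into scratch space and verify every file.

Added example, not from the original post. It models one offline copy from
the 3-2-1 rule as a tar.gz with a SHA-256 manifest; the layout and helper
names are assumptions for the demo.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path, exclude=()):
    """Write src_dir to a tar.gz and return the manifest of what should be in it."""
    src = Path(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            rel = p.relative_to(src).as_posix()
            if p.is_file() and rel not in exclude:  # 'exclude' simulates an incomplete backup job
                tar.add(str(p), arcname=rel)
    return build_manifest(src)


def verify_restore(archive_path, manifest):
    """Restore into a fresh scratch directory and compare against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The 'data' filter rejects absolute paths, traversal and links (3.12+, backported)
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        restored = build_manifest(scratch)
    missing = sorted(f for f in manifest if f not in restored)
    corrupted = sorted(f for f in manifest if f in restored and restored[f] != manifest[f])
    return {"ok": not missing and not corrupted, "missing": missing,
            "corrupted": corrupted, "restored_files": len(restored)}


def run_restore_test():
    """Constructed end-to-end check: a complete archive passes, one missing a file fails."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.sql").write_text("-- constructed sample content\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        manifest = create_backup(src, Path(work, "good.tgz"))
        good = verify_restore(Path(work, "good.tgz"), manifest)
        create_backup(src, Path(work, "bad.tgz"), exclude={"db/ledger.sql"})
        bad = verify_restore(Path(work, "bad.tgz"), manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = run_restore_test()
    print("complete backup:", good)
    print("incomplete backup:", bad)
```

The point of restoring into a separate scratch directory is that the test proves the copy can be brought back somewhere else, which is exactly what you need when the original network has been encrypted; a manifest comparison catches both the incomplete job and the silently corrupted file, the two failures the post describes.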

What Is IT Security? A Straight Answer

IT security is the practice of protecting an organization's information technology systems — networks, devices, data, and users — from unauthorized access, disruption, and theft. It encompasses technical controls like firewalls and encryption, administrative controls like policies and training, and physical controls like facility access restrictions. Effective IT security in 2024 requires a layered approach that addresses both technological vulnerabilities and human behavior.

The $4.88M Lesson Most Small Businesses Learn Too Late

Small and mid-sized businesses often assume they fly under the radar. The data says otherwise. The Verizon DBIR consistently shows that SMBs are targeted at disproportionate rates. Attackers know smaller organizations have thinner defenses and less capacity to respond.

The FTC has taken enforcement action against companies that failed to implement basic security measures. The message is clear: "we're too small to be a target" isn't just wrong — it's legally indefensible.

If you run a small or mid-sized organization, your IT security program doesn't need to be enterprise-grade. But it does need to exist. Start with these fundamentals:

  • Enable MFA on all accounts, starting with email and admin access.
  • Train your employees with real-world scenarios — not just a slide deck. A comprehensive cybersecurity awareness training course gives your team the knowledge they need without requiring a dedicated security staff.
  • Patch your systems within 72 hours of critical vulnerability disclosures.
  • Use a password manager and enforce unique passwords across all accounts.
  • Maintain and test offline backups.
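The first and fourth of these fundamentals (MFA everywhere, unique accounts kept under control) are auditable from an identity export. As an added example, not code from the original post, the script below runs two checks over a constructed account inventory: every internet-facing or admin account must have MFA, and any account unused for 90 days is flagged as dormant. The record layout and the 90-day threshold are assumptions; in practice the rows would come from your identity provider or directory.

```python
"""Access-hygiene audit: MFA coverage and dormant accounts.

Added example, not code from the original post. The inventory layout (one
record per account per system, keys below) is an assumption; in practice
you would export it from your identity provider or directory.
"""
from datetime import date, timedelta

DORMANT_DAYS = 90  # an account unused this long is attack surface, not a user

# Constructed sample export (not real data).
ACCOUNTS = [
    {"user": "alice", "system": "vpn",  "internet_facing": True,  "admin": False, "mfa": True,  "last_login": "2024-06-01"},
    {"user": "bob",   "system": "vpn",  "internet_facing": True,  "admin": False, "mfa": False, "last_login": "2024-06-03"},
    {"user": "carol", "system": "m365", "internet_facing": True,  "admin": True,  "mfa": False, "last_login": "2024-05-30"},
    {"user": "dave",  "system": "erp",  "internet_facing": False, "admin": True,  "mfa": False, "last_login": "2024-01-10"},
    {"user": "svc-backup", "system": "erp", "internet_facing": False, "admin": False, "mfa": False, "last_login": None},
]


def audit_accounts(accounts, today_iso, dormant_days=DORMANT_DAYS):
    """Return findings as (severity, user, system, reason) tuples, highest severity first."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for a in accounts:
        # Rule 1: anything reachable from the internet gets MFA, no exceptions.
        if a["internet_facing"] and not a["mfa"]:
            findings.append(("high", a["user"], a["system"], "no MFA on internet-facing system"))
        # Rule 2: admin accounts need MFA even when only reachable internally.
        elif a["admin"] and not a["mfa"]:
            findings.append(("high", a["user"], a["system"], "admin account without MFA"))
        # Rule 3: dormant accounts (never used, or unused past the cutoff) should be disabled.
        last = date.fromisoformat(a["last_login"]) if a["last_login"] else None
        if last is None or last < cutoff:
            findings.append(("medium", a["user"], a["system"], f"no login in the last {dormant_days} days"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))


def mfa_coverage(accounts):
    """Fraction of internet-facing accounts protected by MFA (the number to drive to 1.0)."""
    exposed = [a for a in accounts if a["internet_facing"]]
    if not exposed:
        return 1.0
    return sum(1 for a in exposed if a["mfa"]) / len(exposed)


if __name__ == "__main__":
    print(f"MFA coverage on internet-facing accounts: {mfa_coverage(ACCOUNTS):.0%}")
    for severity, user, system, reason in audit_accounts(ACCOUNTS, "2024-06-15"):
        print(f"[{severity}] {user}@{system}: {reason}")
```

Run it on a schedule and track the coverage number over time; the goal is 100% on everything internet-facing, and an empty findings list for admin accounts.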

These five steps would have prevented the majority of breaches I've investigated or reviewed over the past three years.

Building an IT Security Culture, Not Just a Program

Controls fail when culture doesn't support them. I've seen organizations with world-class firewalls where employees prop open server room doors. I've seen companies with strict password policies where the Wi-Fi password is written on a whiteboard in the break room.

IT security culture means every person in your organization understands they have a role. The receptionist who questions an unfamiliar visitor. The accountant who calls to verify a wire transfer request. The developer who flags a suspicious API call in a code review.

Building this culture takes repetition, leadership buy-in, and a blame-free environment where people report mistakes instead of hiding them. Run tabletop exercises. Share real-world breach stories in team meetings. Celebrate employees who catch phishing simulations.

Make Security Reporting Easy

If your employees don't know how to report a suspicious email — or worse, they're afraid to — your detection capability is crippled. Deploy a one-click phishing report button in your email client. Respond to every report with acknowledgment and feedback. The goal is to make reporting a reflex, not a burden.

The Vendor Question: Tools vs. Outcomes

I talk to IT leaders every week who are drowning in security tools. They've got a SIEM, an EDR, a SOAR platform, a vulnerability scanner, a threat intelligence feed, and a dozen other acronyms. But they can't answer basic questions: When was the last time you tested your incident response plan? Do you know which systems hold your most sensitive data? Can you detect lateral movement in your network?

Tools serve the strategy. They don't replace it. Before you buy anything new, audit what you have. Are your existing tools configured correctly? Are alerts being reviewed? Are your policies enforced?

In my experience, the organizations with the strongest IT security posture aren't the ones with the biggest budgets. They're the ones with the clearest priorities and the most disciplined execution.

Your IT Security Checklist for the Rest of 2024

Here's what I'd prioritize if I were starting fresh today:

  • Audit MFA coverage. Identify every system accessible from the internet and verify MFA is enabled. No exceptions.
  • Launch a phishing simulation program. Monthly cadence, realistic scenarios, immediate training feedback.
  • Review access controls. Remove dormant accounts. Enforce least privilege. Audit admin access monthly.
  • Test your backups. Actually restore a system from backup this month. Document the process and time it.
  • Patch aggressively. Prioritize internet-facing systems and known exploited vulnerabilities from CISA's KEV catalog.
  • Invest in your people. Technical controls fail without trained users. Enroll your team in ongoing cybersecurity awareness training and pair it with a dedicated phishing awareness training program.
  • Run a tabletop exercise. Simulate a ransomware attack with your leadership team. Identify gaps in communication, authority, and technical response.
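The "patch aggressively" item above combines two rules: internet-facing systems and known exploited vulnerabilities come first, and critical fixes land within 72 hours of disclosure. As an added example that is not from the original post or from CISA, the script below turns those rules into a ranked worklist over a constructed asset inventory. The record layouts are assumptions for the demo: CISA's real KEV feed is JSON with fields such as cveID and dateAdded, which you would map into the vulnerability shape used here. The CVE identifiers are placeholders, not real entries.

```python
"""Patch prioritisation against a KEV-style list with a 72-hour SLA.

Added example, not from the original post or CISA. The record layouts are
constructed for the demo; CISA's real KEV feed is JSON with fields such as
cveID and dateAdded that you would map into the 'vulns' shape below.
CVE identifiers here are placeholders, not real entries.
"""
from datetime import datetime, timedelta

PATCH_SLA_HOURS = 72

# Constructed vulnerability records (placeholder CVE ids).
VULNS = [
    {"cve": "CVE-0000-00001", "product": "vpn-appliance", "fixed": "9.2.1", "kev": True,  "disclosed": "2024-06-10T00:00:00"},
    {"cve": "CVE-0000-00002", "product": "mail-gateway",  "fixed": "4.5.0", "kev": False, "disclosed": "2024-06-12T00:00:00"},
    {"cve": "CVE-0000-00003", "product": "erp-server",    "fixed": "12.1",  "kev": True,  "disclosed": "2024-06-01T00:00:00"},
]

# Constructed asset inventory.
ASSETS = [
    {"host": "vpn01",  "product": "vpn-appliance", "version": "9.1.4", "internet_facing": True},
    {"host": "mail01", "product": "mail-gateway",  "version": "4.4.9", "internet_facing": True},
    {"host": "erp01",  "product": "erp-server",    "version": "12.0",  "internet_facing": False},
    {"host": "erp02",  "product": "erp-server",    "version": "12.1",  "internet_facing": False},
]


def version_tuple(v):
    """Turn '9.1.4' into (9, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(installed, fixed):
    return version_tuple(installed) < version_tuple(fixed)


def priority(vuln, asset):
    """P1: exploited in the wild and internet-facing; P2: one of the two; P3: neither."""
    score = int(vuln["kev"]) + int(asset["internet_facing"])
    return {2: "P1", 1: "P2", 0: "P3"}[score]


def prioritize_patches(assets, vulns, now_iso, sla_hours=PATCH_SLA_HOURS):
    """Match assets to vulnerabilities and return a worklist sorted by priority, then deadline."""
    now = datetime.fromisoformat(now_iso)
    worklist = []
    for asset in assets:
        for vuln in vulns:
            if vuln["product"] != asset["product"] or not is_vulnerable(asset["version"], vuln["fixed"]):
                continue
            deadline = datetime.fromisoformat(vuln["disclosed"]) + timedelta(hours=sla_hours)
            worklist.append({
                "host": asset["host"],
                "cve": vuln["cve"],
                "priority": priority(vuln, asset),
                "deadline": deadline.isoformat(),
                "overdue": now > deadline,  # past the 72-hour window since disclosure
            })
    return sorted(worklist, key=lambda w: (w["priority"], w["deadline"]))


if __name__ == "__main__":
    for item in prioritize_patches(ASSETS, VULNS, "2024-06-14T12:00:00"):
        flag = "OVERDUE" if item["overdue"] else "due " + item["deadline"]
        print(f"{item['priority']} {item['host']} {item['cve']} {flag}")
```

The version comparison is deliberately naive (dotted integers only); vendor version strings with suffixes need a proper parser, but the ranking logic is the part worth keeping: exploited-in-the-wild plus internet-facing is always the top of the list, and the clock starts at disclosure, not at the next maintenance window.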

None of these require a massive budget. All of them require commitment. IT security isn't about perfection. It's about making your organization harder to compromise than the one next door — and being ready to respond when something inevitably gets through.

The threat landscape in 2024 is faster, smarter, and more aggressive than ever. Your defenses need to keep pace. Start today.