Security by Default: Washington’s Failure. Maria’s $325,000 Bill.
When MFA is optional, businesses get wrecked
Slides sit on servers. Reports get skimmed. But a good story gets retold. I write Stan’s Corner so every reader has something sticky they can share—with their team, their clients, their boss. Because that’s how change spreads.
2 A.M.
The call came at 2 a.m., waking María from a sound sleep. It was her IT Director. “The network’s down,” he said. Drivers at María Alvarez’s $40 million logistics company were stranded. Their customers couldn’t track shipments. The business she had built over 15 years was frozen.
Attackers had come in through a new scheduling app. Like nearly all software, it shipped with little security turned on by default. It had plenty of security options, including over 100 specific items that IT had to go through and set by hand. And sure enough, María’s IT staff missed a setting. The cybercriminals found the hole, slipped in, stole sensitive information, and launched a ransomware attack.
The Bill
The costs were brutal:
Ransomware payment: $125,000
Forensics and recovery: $175,000
Customer notification and credit monitoring: $85,000
Legal and compliance counsel: $60,000
Lost business during disruption: $250,000+
The final price, even after insurance, was more than $350,000.
The Fallout
Three days of downtime resulted in unhappy customers. Many left for new vendors. The sales staff spent weeks running damage control and couldn’t meet their sales quota. Morale sucked, particularly in the IT team. All of it set up to fail by a vendor that made it hard for IT to implement security.
Lessons Learned
This wasn’t María’s failure. It wasn’t even her IT team’s. This is a failure right out of Washington.
Decades ago, carmakers treated seat belts as optional. Then government stepped in and made them mandatory. Today, you don’t buy a car and then decide whether to add safety—it comes standard.
Our technology isn’t there. If carmakers sold vehicles like technology companies license applications, seat belts would arrive in a box with instructions for your mechanic. Brakes too. That’s what “MFA optional” really means.
Secure by Default flips the model. When IT installs software built this way, every security configuration is already turned on. Out of the box. So it’s safe to use on day one, and a missed checklist item can’t leave a hole open.
Washington: Until you act, businesses like María’s will keep waking up at 2 a.m. to six-figure bills. We need you to do better. Security by Default is needed for the common defense and to promote the general welfare. Can we get this done?
Bottom line: Seat belts aren’t optional in cars. MFA shouldn’t be optional in software.
Call to Action:
IT departments and MSPs need to check, double-check, and triple-check the completeness and correctness of security configurations. Take nothing for granted.
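Here is what that “take nothing for granted” check looks like in practice, written as an added illustration for this post (it is not code from the post, from SecureTheVillage, or from any real scheduling product). The setting names, the baseline values, and the sample deployed configuration are all constructed. The same audit function is run two ways: once the way today’s vendors ship software, where anything IT never explicitly set counts as off, and once the Secure by Default way, where an absent setting means the product applied the safe value itself.

```python
"""Audit a deployed application configuration against a secure baseline.

Constructed example: setting names and values are invented for this post and
do not correspond to any real product's configuration keys.
"""
from dataclasses import dataclass

# Constructed baseline: each security-relevant setting and the value it should
# have. In a Secure by Default product these are ALSO the values the product
# applies on its own when the setting is absent from the config file.
SECURE_BASELINE = {
    "mfa_required": True,
    "password_min_length": 14,
    "session_timeout_minutes": 30,
    "admin_api_public": False,
    "tls_min_version": "1.2",
    "audit_logging": True,
    "default_admin_password_changed": True,
}


def _meets(key, actual, required):
    """True if the deployed value is at least as strong as the baseline value."""
    if key == "password_min_length":
        return isinstance(actual, int) and actual >= required
    if key == "session_timeout_minutes":
        # Shorter is stronger; zero or negative means "never expire".
        return isinstance(actual, int) and 0 < actual <= required
    if key == "tls_min_version":
        to_tuple = lambda v: tuple(int(p) for p in str(v).split("."))
        return to_tuple(actual) >= to_tuple(required)
    return actual == required


@dataclass(frozen=True)
class Finding:
    setting: str
    actual: object
    required: object
    reason: str  # "missing" (never set) or "weak" (set, but below baseline)


def audit(deployed, baseline=SECURE_BASELINE, missing_is_secure=False):
    """Return a Finding for every setting that is absent or weaker than baseline.

    missing_is_secure=False models "secure by configuration" software: a key IT
    never touched is treated as off and reported, because that is the hole the
    attackers in the story walked through.
    missing_is_secure=True models Secure by Default: an absent key means the
    product already applied the baseline value, so only explicit weakening is
    reported.
    """
    findings = []
    for key, required in baseline.items():
        if key not in deployed:
            if not missing_is_secure:
                findings.append(Finding(key, None, required, "missing"))
            continue
        actual = deployed[key]
        if not _meets(key, actual, required):
            findings.append(Finding(key, actual, required, "weak"))
    return findings


# Constructed example of what an IT team might end up with after working
# through a long vendor checklist: almost everything set, one item missed
# ("mfa_required" was never written), one item relaxed to keep users happy.
DEPLOYED_CONFIG = {
    "password_min_length": 14,
    "session_timeout_minutes": 480,
    "admin_api_public": False,
    "tls_min_version": "1.2",
    "audit_logging": True,
    "default_admin_password_changed": True,
}


def report(deployed, missing_is_secure):
    """Human-readable summary of an audit run."""
    label = "Secure by Default" if missing_is_secure else "secure by configuration"
    lines = [f"[{label}] findings: {len(audit(deployed, missing_is_secure=missing_is_secure))}"]
    for f in audit(deployed, missing_is_secure=missing_is_secure):
        lines.append(f"  {f.setting}: {f.reason} (actual={f.actual!r}, required={f.required!r})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DEPLOYED_CONFIG, missing_is_secure=False))
    print(report(DEPLOYED_CONFIG, missing_is_secure=True))
```

Run against the constructed config, the “secure by configuration” pass reports two problems (MFA never enabled, session timeout weakened) while the Secure by Default pass reports only the deliberate weakening, because the product would have enforced MFA on its own. The practical point for an IT team or MSP is the first mode: a baseline you maintain yourself, checked automatically against every deployed instance, catches the one missed item in a hundred that a manual walk-through tends not to.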
If this story motivates you to want to do better, please reach out. I’m the founder / president of SecureTheVillage, a nonprofit making a difference. We work with smaller businesses, nonprofits, and the MSPs who serve them. Email me now to protect your assets and minimize the impact of inevitable disruption. StanStahl@Substack.com.