Security Basics
Why Cybersecurity Matters
This lesson covers
The real cost of a breach → Every industry is a target → Why the threat landscape keeps growing → Why organisations underinvest → Practical port exposure audit
In 2021, a ransomware attack on Colonial Pipeline — the company responsible for nearly half of the US East Coast's fuel supply — forced a five-day shutdown. Petrol stations ran dry across multiple states. The company paid $4.4 million in cryptocurrency to get their systems back. The attackers got in through a single compromised VPN password that had no multi-factor authentication on it. One password. Half a country's fuel supply.
The actual cost of a breach
Most people think about cyberattacks in terms of data theft — credit card numbers, passwords, personal records. That's real, but it's only one dimension of the damage. The full cost of a breach typically has four parts, and the visible one is often the smallest.
Direct financial loss
Ransom payments, stolen funds, emergency incident response (IR) costs, legal fees, regulatory fines. The IBM Cost of a Data Breach report puts the global average at over $4 million per incident.
Operational disruption
Systems offline, staff unable to work, production halted, orders not fulfilled. For manufacturers and hospitals, downtime has a direct human cost beyond money.
Reputational damage
Customer trust takes years to build and hours to destroy. After the 2018 British Airways breach, the airline lost a significant portion of customers who switched carriers permanently.
Regulatory penalties
GDPR fines alone can reach 4% of global annual revenue. British Airways was initially fined £183 million for their 2018 breach. Compliance failures compound the original damage.
The reputational damage is the one that boards are most afraid of, and rightfully so. You can recover financially from a breach. Recovering customer trust after you've made the headlines for losing their data is a multi-year project — if it happens at all.
Every industry is a target now
There's a persistent myth that cybersecurity is a tech company problem. That hackers go after banks and software firms, and that a regional manufacturer or a local hospital doesn't need to worry much. This was never fully true, and it's catastrophically wrong today.
In 2020, a ransomware attack on Düsseldorf University Hospital in Germany caused patient care to be diverted to other facilities. A woman in critical condition who needed emergency treatment died after her ambulance was rerouted to a hospital 30 kilometres away. That is a direct, traceable line from a cyberattack to a human death. Cybersecurity stopped being abstract a long time ago.
Attackers target organisations based on two things: the value of what they hold and the weakness of their defences. Small organisations with outdated systems and no dedicated security staff are frequently easier targets than large enterprises with mature security programmes — even if the payout is smaller. Ransomware groups run this as a business. They optimise for return on effort.
The threat landscape is getting worse, not better
The volume and sophistication of attacks have increased every year for the past decade. There are three structural reasons for this that aren't going away.
The attack surface keeps expanding. Every IoT device, every cloud workload, every remote employee laptop is a potential entry point. The average enterprise now has tens of thousands of assets connected to the internet. Each one is an opportunity.
Attacks are increasingly commoditised. Ransomware-as-a-Service means that technically unsophisticated criminals can now rent attack infrastructure, pick a target, and split the proceeds with the group that built the tooling. The barrier to entry for launching a serious attack has dropped dramatically.
Nation-state actors have raised the stakes. The 2020 SolarWinds attack — where Russian intelligence compromised a software update mechanism and used it to infiltrate US government agencies, intelligence services, and major corporations — showed that the most dangerous adversaries aren't individual criminals. They're well-funded, patient, and operating at a scale that's difficult to defend against.
The SolarWinds Attack — Scale of the Problem
In 2020, attackers inserted malicious code into a legitimate software update for SolarWinds Orion — an IT monitoring tool used by thousands of organisations. When those organisations applied what looked like a routine update, they unknowingly installed a backdoor. Approximately 18,000 organisations installed the compromised update, including the US Treasury, the Department of Homeland Security, and multiple Fortune 500 companies. The attackers had been inside some of these networks for months before anyone noticed.
Why organisations still get this wrong
Given all of the above, you'd think organisations would be investing heavily in security. Many are. Many still aren't — and the reasons are predictable.
Security is invisible when it works. When a firewall blocks an attack, nobody sees it. When a phishing email is quarantined, nobody gets a notification. Good security is the absence of bad events, which makes it hard to justify budget for something whose value only becomes obvious when it fails.
The "it won't happen to us" bias. This is especially common in smaller organisations and in sectors that don't see themselves as obvious targets — manufacturing, logistics, local government. The 2021 attack on a water treatment plant in Oldsmar, Florida, where an attacker remotely changed the sodium hydroxide level in the water supply to a potentially lethal concentration, is a useful corrective to that assumption.
Security is seen as a cost centre, not a risk function. The organisations that handle this best frame security as risk management — the same way they'd think about fire insurance or business continuity planning. The ones that handle it worst treat it as an IT expense to be minimised.
What a basic security posture check looks like
Here's a command that helps you quickly audit which ports are exposed on a Linux system — one of the first things an attacker would check, and one of the first things a defender should verify:
# List all open ports and the services listening on them
# ss = socket statistics (modern replacement for netstat)
# -t = include TCP sockets
# -u = include UDP sockets
# -l = listening sockets only
# -n = show port numbers, not service names
# -p = show the process using each socket
ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=892,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1134,fd=6))
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1134,fd=7))
tcp LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1421,fd=23))
tcp LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=2981,fd=12))
tcp LISTEN 0 128 0.0.0.0:5900 0.0.0.0:* users:(("Xvnc",pid=3102,fd=7))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=611,fd=6))
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=714,fd=5))
What you're looking at
Port 22 (SSH) and ports 80/443 (web) are expected. Port 3306 (MySQL) is bound only to localhost (127.0.0.1) — good, it shouldn't be internet-facing. But port 8080 is listening on all interfaces (0.0.0.0), which means it accepts connections from every network the host is attached to; unless a firewall in front of the host blocks that port, it's accessible from the internet. And port 5900 is VNC — a remote desktop protocol — also open to the world. That's two serious exposure points on what looks like a production server. An attacker running a port scan would find both of these in seconds. A defender running this command finds them first.
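As an added example (not part of the lesson material), here is a small POSIX shell wrapper that turns the manual check above into a repeatable audit: it reads ss -tulnp output, keeps only sockets bound to every interface (0.0.0.0, [::] or *), and prints any whose port is not on an allowlist you supply. The function names audit_exposed and sample_ss_output, the output format and the allowlist are my own choices; the sample input is the lesson's illustrative output embedded as a constructed fixture so the script can be tried without root or a real server.

```shell
#!/bin/sh
# Added example for this lesson (not part of the original material):
# a wrapper around `ss -tulnp` that flags every socket bound to all
# interfaces (0.0.0.0, [::] or *) whose port is not on an allowlist.
# Helper names and the allowlist are assumptions for illustration.
#
# Live use:   ss -tulnp | audit_exposed "22 80 443"
# Exit status is 1 when something was flagged, so the check can run
# unattended from cron or a CI job.

# audit_exposed "PORT PORT ..."
#   stdin : output of `ss -tulnp` (header line included)
#   stdout: "<netid> <port> <process>" per unexpected all-interface socket
audit_exposed() {
    expected="${1:-22 80 443}"
    awk -v expected="$expected" '
        BEGIN {
            n = split(expected, list, " ")
            for (i = 1; i <= n; i++) ok[list[i]] = 1
        }
        NR == 1 { next }                      # skip the column header
        {
            # column 5 is Local Address:Port; the port follows the last colon
            port = $5; sub(/.*:/, "", port)
            addr = $5; sub(/:[^:]*$/, "", addr)
            # sockets bound to a single address (e.g. 127.0.0.1) are not exposed
            if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
            if (port in ok) next
            # the process name is the first quoted string in the users:(...) field
            proc = "unknown"
            if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
            print $1, port, proc
            flagged = 1
        }
        END { if (flagged) exit 1 }'
}

# sample_ss_output
#   Constructed fixture: the illustrative `ss -tulnp` output from the lesson,
#   so the audit can be exercised offline.
sample_ss_output() {
    cat <<'EOF'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=892,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1134,fd=6))
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1134,fd=7))
tcp LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1421,fd=23))
tcp LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=2981,fd=12))
tcp LISTEN 0 128 0.0.0.0:5900 0.0.0.0:* users:(("Xvnc",pid=3102,fd=7))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=611,fd=6))
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=714,fd=5))
EOF
}

# Demo against the fixture. Port 68 is allowlisted here because a DHCP
# client legitimately binds 0.0.0.0:68; adjust the list per host.
if [ "${1:-}" = "--demo" ]; then
    sample_ss_output | audit_exposed "22 80 443 68"
fi
```

Running the script with --demo prints the java socket on 8080 and the Xvnc socket on 5900 and exits with status 1; port 3306 is skipped because it is bound to 127.0.0.1 only. The allowlist is deliberately per host: the point of the check is to compare what is listening against what you intended to run on that machine, not against a generic list of "safe" ports. The address test also accepts [::] and *, which some ss versions print for sockets listening on every IPv6 or every address, since those are just as exposed as 0.0.0.0.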
Instructor's Note
Run ss -tulnp on any server you manage and actually look at the output. You will almost always find something that shouldn't be there — a service that got installed during testing and never removed, a port that was opened for a one-off task and forgotten. This is one of the most useful five-second security checks in existence.
Practice Questions
The Colonial Pipeline attack caused fuel shortages across the US East Coast for five days. Beyond the ransom payment, what category of breach cost does this represent?
What model has lowered the technical barrier for criminals to launch serious ransomware attacks, allowing non-technical attackers to rent ready-built attack infrastructure?
Looking at the ss -tulnp output above, which port number represents an exposed VNC remote desktop service that should concern a security reviewer?
Quiz
What was the initial entry point in the 2021 Colonial Pipeline ransomware attack?
Why was the 2020 SolarWinds attack considered particularly significant?
Why do many organisations consistently underinvest in cybersecurity despite the clear evidence of risk?
Up Next · Lesson 3
Types of Cyber Threats
Malware, phishing, ransomware, insider threats — a clear map of every major threat category and how each one actually works.