Stop Blaming the User: One Weak Password Shouldn’t Kill a Company


“One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work.” That line has been making the rounds in media coverage of the ransomware attack that shuttered a 158-year-old UK transport firm.
It’s attention-grabbing, sure, but it’s also completely misleading. It suggests that a single weak password brought down an entire business, when the reality is far more complex. And by framing it this way, we’re not just oversimplifying the problem. We’re scapegoating the very people we’re supposed to protect.
Let’s get this straight: security is a process, not a product or a single point of failure.
That password may have been the entry point, but it wasn’t the only point of failure. If a single compromised credential is all it takes to dismantle a company’s entire digital infrastructure, then the problem isn’t the password. The problem is the security architecture that allowed such a trivial mistake to lead to total operational collapse.
That's like building a car in which a passenger pressing the wrong dashboard button makes the whole car explode. If that can happen, the fault is the design, not the passenger.
The Myth of the All-Powerful Click
The trope of the “human as the weakest link” gets rolled out after every major security incident. A user clicked a phishing email. A password was too simple. An attachment got opened. Someone was doing their job. Then suddenly, they are the villains of the story, while the dozens of security controls the attackers navigated around are conveniently left out of the postmortem.
Here’s what a ransomware attack actually involves: after gaining initial access with a compromised account (maybe due to password spraying, phishing, or credential reuse), the attacker still has to establish command and control channels with the compromised system.
From there, they escalate privileges with tools like Mimikatz, steal or forge tokens, or abuse Active Directory misconfigurations. Then they move laterally using RDP, PsExec, SMB, WMI, or the organization’s own remote management tools to crawl through the network.
They search for and exfiltrate sensitive data, often staging it on cloud services or internal servers to prepare the extortion piece. Only then do they drop the encryption payload, often customized and automated, after disabling recovery options such as backups and volume shadow copies, and deliver a ransom note.
At every step in that chain, the attacker is bypassing or defeating layers of security controls. Endpoint protections, identity and access management, network segmentation, logging and detection, user behavior analytics, EDR, backup and recovery processes. Where were all of those? Why are we not asking those questions?
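Asking where the controls were is also a question about what the telemetry showed. As an added example (not code from the original post, and not Halcyon's product), the Python below runs two simple detections over constructed Windows event records of the kind a SIEM would already hold: a network-logon fan-out check for one account authenticating to many hosts within minutes, and a service-install check for PsExec-style remote execution. Event IDs 4624 (logon) and 7045 (service installed) are real Windows identifiers; the hostnames, account names, timestamps, staging directories and thresholds are assumptions made for the example.

```python
"""Added example: two lateral-movement detections over constructed Windows events.

The records in EVENTS are constructed for illustration (not data from any real
incident). Assumption: a SIEM has already normalised Security EventID 4624
(logon) and System EventID 7045 (service installed) into dicts like these.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    # svc_backup fans out to six hosts in under five minutes (logon type 3 = network).
    {"ts": "2025-07-01T02:00:05", "event_id": 4624, "host": "FS01", "user": "svc_backup", "logon_type": 3},
    {"ts": "2025-07-01T02:00:41", "event_id": 4624, "host": "DC01", "user": "svc_backup", "logon_type": 3},
    {"ts": "2025-07-01T02:01:12", "event_id": 4624, "host": "WS-ACCT-03", "user": "svc_backup", "logon_type": 3},
    {"ts": "2025-07-01T02:02:30", "event_id": 4624, "host": "WS-OPS-11", "user": "svc_backup", "logon_type": 3},
    {"ts": "2025-07-01T02:03:55", "event_id": 4624, "host": "PRINT01", "user": "svc_backup", "logon_type": 3},
    {"ts": "2025-07-01T02:04:40", "event_id": 4624, "host": "APP02", "user": "svc_backup", "logon_type": 3},
    # Ordinary activity: an interactive logon, one file-share access, admin work spread over hours.
    {"ts": "2025-07-01T09:15:00", "event_id": 4624, "host": "WS-ACCT-03", "user": "jdoe", "logon_type": 2},
    {"ts": "2025-07-01T09:20:10", "event_id": 4624, "host": "FS01", "user": "jdoe", "logon_type": 3},
    {"ts": "2025-07-01T10:00:00", "event_id": 4624, "host": "DC01", "user": "it_admin", "logon_type": 3},
    {"ts": "2025-07-01T13:30:00", "event_id": 4624, "host": "APP02", "user": "it_admin", "logon_type": 3},
    {"ts": "2025-07-01T16:45:00", "event_id": 4624, "host": "FS01", "user": "it_admin", "logon_type": 3},
    # Service installs: PsExec's service, a random-named binary in ProgramData, a legitimate product.
    {"ts": "2025-07-01T02:01:20", "event_id": 7045, "host": "FS01", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2025-07-01T02:02:44", "event_id": 7045, "host": "WS-OPS-11", "service_name": "ksjd3",
     "image_path": "C:\\ProgramData\\ksjd3.exe"},
    {"ts": "2025-07-01T11:00:00", "event_id": 7045, "host": "WS-ACCT-03", "service_name": "Sense",
     "image_path": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
]

# Directories a remote-execution tool commonly drops its payload into (assumption: tune per estate).
STAGING_DIRS = ("\\programdata\\", "\\users\\public\\", "\\temp\\")


def network_logon_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Accounts with network logons to >= min_hosts distinct hosts inside a sliding window.

    One account touching many hosts in minutes is the signature of SMB/WMI/PsExec-driven
    lateral movement. Returns {user: sorted hosts in the first window that trips}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def psexec_style_services(events):
    """(host, service, image path) for 7045 installs that look like remote execution.

    Flags PsExec's well-known PSEXESVC service and any service whose binary lives in a
    staging directory rather than a normal install location.
    """
    flagged = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        path = e["image_path"].lower()
        suspicious = (
            e["service_name"].upper() == "PSEXESVC"
            or "psexesvc.exe" in path
            or any(d in path for d in STAGING_DIRS)
        )
        if suspicious:
            flagged.append((e["host"], e["service_name"], e["image_path"]))
    return flagged


def triage(events):
    """Combine both signals: fan-out accounts plus the hosts where suspicious services appeared."""
    fanout = network_logon_fanout(events)
    services = psexec_style_services(events)
    touched = {h for hosts in fanout.values() for h in hosts}
    corroborated = sorted(h for h, _, _ in services if h in touched)
    return {"fanout_accounts": fanout, "suspicious_services": services, "corroborated_hosts": corroborated}


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

Against the constructed data, svc_backup trips the fan-out rule and the PSEXESVC and ProgramData service installs land on two of the hosts it touched, which is the corroboration an analyst wants before declaring lateral movement. A legitimate backup or patch-management account will also fan out, so the threshold has to be baselined per account; the point is that this telemetry already exists in most environments and belongs in the detection layer the postmortem should be asking about.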
Security Programs Built Like Houses of Cards
If all it takes is one bad password to bring down the business, then what does that say about the architecture of the security program? It doesn’t say the user is the problem. It says resilience was never actually built into the program.
And that’s the real issue here. Too often, security programs are brittle. They depend on users always behaving ideally. They assume training will close the gap. They treat human error as an edge case instead of the norm.
But guess what? People click on links. They get tricked. They reuse passwords. They try to get their tasks done as quickly and easily as possible. They sometimes work around security controls in order to get their job done. That’s not malice or incompetence. It’s being human.
If your entire security posture hinges on the assumption that your users won’t make mistakes, then you don’t have a security program. You have a security wish list.
Let the Widget Makers Make Widgets
Cybersecurity professionals love to talk about enabling the business, but blaming the user is the opposite of that. We’re telling people not to mess up or they might tank the whole company. That’s not security. That’s anxiety.
The goal should be to design environments where human error doesn’t lead to total failure. Let the widget makers make widgets. Let the finance team run payroll. Let the ops team keep the lights on. And let the security team reduce risk so they can do their jobs without wondering if one click is going to land them on the evening news.
Good employee training is important. Cyber hygiene matters. But users are not security professionals. Expecting them to act like one under pressure, fatigue, or deception is unrealistic. More importantly, it’s unnecessary. A mature security program assumes users will make mistakes and is built to absorb them, not collapse under them.
Stop the Scapegoating
When we reduce a complex ransomware attack to “a weak password did it,” we’re not just misleading the public. We’re diminishing our own profession. If your job is cybersecurity and your only line of defense is hoping users don’t click bad things, then what are you actually doing?
We should be building layered defenses, monitoring for anomalies, segmenting critical systems, disabling unnecessary tools, removing legacy exposure points, and preparing response plans. We should be building secure systems that expect failure, not ones that require perfection.
Blaming the end user might be convenient, but it’s a cop-out. It’s time to retire the myth of the all-powerful click and acknowledge the real responsibility we carry: to build systems that are resilient even when, not if, someone makes a mistake.
Because if all it takes is one bad password to destroy your business, then your problem isn’t the password. It’s everything else.
Halcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.