What’s scarier than Jason Voorhees or Michael Myers coming at you, weapon in hand? How about a cybercriminal targeting your business or your customers?
And if that’s not enough to give you goosebumps, remember: You can always shut a horror movie off. Hackers will keep coming at you all day, every day. Forever. In fact, 94% of SMBs have experienced at least one cyberattack, according to ConnectWise’s The State of SMB Cybersecurity in 2024 report, up from 64% in 2019, and 78% are concerned that a cyberattack could put them out of business.
For MSPs, the threat of cyberattacks and the potential damage associated with those attacks is chilling. We asked CompTIA Community members for their own cybersecurity horror stories. Here’s what they had to say…
Beware the Customer That Won’t Listen
We had a small client that brought us in about a decade ago. They had no firewall, endpoint protection, patching, backup, etc. We brought them into the 21st century and made them happy. Then they hired a very intelligent person that believed she knew IT better, and she convinced them to dismiss us, remove the firewall and AV, and boot us out.
They came back to us several years later when they could not engage in online banking. They even changed banks to avoid addressing security, but when the second bank said no, they called us. They were so badly penetrated that there were hundreds of admin accounts on their server, and we could not even stay logged in for five minutes without being booted out.
In the end we had to replace the server and desktops, place firewall and backup, set up a new productivity suite tenant, and change their domain name. Every aspect of their presence had been compromised dozens if not hundreds of times. They were happy as ever until we mandated MFA in 2021, at which point after months of struggle, they fired us rather than do it.
During that struggle, while on a 55-minute phone discussion over lunch with the principal, my two techs worked with his 12-person staff to get MFA enabled on Microsoft 365. I then told him that only he remained for MFA setup. That act of subverting his will on this was enough to get us fired on the spot. He moved to a provider that did not require a firewall, MDR or MFA.
Last month I discovered he booted that new provider when they enforced MFA. We often hear that either: (A) Once a business experiences a serious penetration, they “get religion” and stop fighting against securing them; or (B) Once they have two providers lay the same security talk on them, they accept that this is real and not something to be trifled with.
But apparently there’s also an option (C): Bury your head in the sand until the worst happens. Do yourself a favor: stay away from the C’s.
- Joshua Liberman, president and founder, Net Sciences
The Haunted Network…Is Alive
We were conducting a routine security assessment for a mid-sized client. Nothing unusual, just the typical process—interview their IT team, gather their asset inventory, assess potential risks. The kind of work we'd done a hundred times before. But from the very beginning, something felt... off.
When we first asked their IT department for a list of assets, they confidently handed over a report: 56 devices. That number seemed small, especially for an organization of their size. I glanced at my colleague, who raised an eyebrow. Something didn’t sit right.
So, we politely suggested a network scan. It was a simple request, but the reaction we got was defensive—borderline hostile. The IT team was visibly annoyed. One of them even scoffed at the suggestion, muttering something about how they knew their network better than we ever could.
Despite the tension, they begrudgingly ran the scan. When the report came back, our unease deepened. Instead of 56 assets, the scan revealed 130 devices—nearly triple the number they'd initially provided. When we asked about the other 74 unidentified assets, their IT department stared back at us, clueless. They had no idea what was lurking on their own network.
Things only got worse from there.
As we dug deeper, we uncovered an unsettling mess: old, forgotten Internet of Things (IoT) devices, long-abandoned printers, and servers past their end-of-life, all still connected to the same network. Many of these machines hadn’t been updated in years. They were vulnerable, sitting ducks, wide open for anyone—or anything—to exploit.
Next, we moved on to the data inventory. Their IT team walked us through the usual suspects: SharePoint, OneDrive, and two on-premises servers. Nothing unusual. But then, during one of the interviews, someone mentioned something peculiar—an "archive server." It was offhand, almost as if they hadn’t even realized it was still a part of their infrastructure.
Curious, we cross-referenced this so-called archive server with the list of unknown devices from the network scan. Sure enough, one of those mysterious assets was this server, a dusty relic from years past.
When we finally accessed it, we felt our stomachs drop. The server held decades' worth of data: old invoices, employee records, sensitive customer information. Everything was there, unsecured, sitting wide open on a network no one had monitored in years. Worse still, the server was at the end of its life, barely hanging on by a thread. It was a ticking time bomb of PCI and privacy violations.
But that wasn’t what unnerved me the most.
As I dug through the files, I noticed something strange. Folders appeared and disappeared, as if manipulated by unseen hands. I could hear the faint hum of the server, but there was a different kind of noise—a clicking, tapping sound that seemed to come from deep within the hardware itself.
I called my colleague over. "Are you seeing this?"
He nodded, pale. "It's like... it's alive."
The IT team swore no one had touched the server in years. It was forgotten, an artifact of a bygone era. But it was more than that. The deeper we went, the more it became clear—this wasn’t just an old server with sensitive data.
Something had been living in the dark corners of their network. Something had woken up.
It was a real server that posed a risk to the company. Once it was identified, we uncovered old sensitive data and archived company information and old invoices with client credit card numbers, etc. Then we were able to calculate and express to the executive team how much risk it posed so they could make a risk-based business decision on how to remediate the issue.
It was a good time to assess all the data that was stored, and we were able to get rid of all unnecessary data. Everything else they wanted to keep was either archived or placed where needed with role-based access. The data was transferred to the cloud and an old on-prem server was decommissioned. So the risk was lowered and the network was more secure.
To us, the network wasn’t just vulnerable—it was haunted. And we were the ghostbusters.
- Maria Scarmardo, CEO, Praxis Data Security
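The gap at the heart of this story is the difference between what an IT team believes is on the network (56 devices) and what actually answers a scan (130). The following script is an added example, not code from the original article or from Praxis Data Security; it reconciles a declared asset inventory against scan output and flags the unexplained hosts with cheap triage labels (end-of-life operating system, legacy cleartext or remote-management ports, no hostname). Every device, MAC address, hostname and banner in it is constructed sample data, and the end-of-life and risky-port tables are assumptions you would maintain yourself.

```python
"""Reconcile a declared asset inventory against a network scan.

Added example (not from the original article). The inventory and scan
records below are constructed sample data. The point mirrors the story
above: compare what IT says exists with what the network actually answers,
and treat every unexplained host as open risk until it is identified,
owned, patched or decommissioned.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ScannedHost:
    ip: str
    mac: str
    hostname: str
    open_ports: tuple   # e.g. (22, 445)
    os_guess: str       # banner / fingerprint text; constructed here


# Constructed declared inventory: what the IT team handed over, keyed by MAC
DECLARED_INVENTORY = {
    "00:11:22:33:44:01": "FS01 (file server)",
    "00:11:22:33:44:02": "DC01 (domain controller)",
    "00:11:22:33:44:03": "WS-ACCT-01 (workstation)",
    "00:11:22:33:44:04": "WS-ACCT-02 (workstation)",
    "00:11:22:33:44:09": "LAPTOP-CEO (retired, still listed)",
}

# Constructed scan results, in the shape a discovery tool might export
SCAN_RESULTS = [
    ScannedHost("10.0.0.10", "00:11:22:33:44:01", "fs01", (445, 3389), "Windows Server 2019"),
    ScannedHost("10.0.0.11", "00:11:22:33:44:02", "dc01", (88, 389, 445), "Windows Server 2019"),
    ScannedHost("10.0.0.50", "00:11:22:33:44:03", "ws-acct-01", (445,), "Windows 11"),
    ScannedHost("10.0.0.51", "00:11:22:33:44:04", "ws-acct-02", (445,), "Windows 11"),
    ScannedHost("10.0.0.200", "aa:bb:cc:dd:ee:01", "archive", (21, 445, 3389), "Windows Server 2003"),
    ScannedHost("10.0.0.201", "aa:bb:cc:dd:ee:02", "hp-printer-2f", (9100, 80), "HP JetDirect"),
    ScannedHost("10.0.0.202", "aa:bb:cc:dd:ee:03", "", (23, 80), "embedded linux"),
]

# Assumed tables: operating systems past vendor support, and legacy
# cleartext / remote-management ports that deserve a second look on any host
END_OF_LIFE_OS = {"Windows Server 2003", "Windows Server 2008", "Windows 7"}
RISKY_PORTS = {21: "ftp", 23: "telnet", 3389: "rdp"}


def reconcile(declared, scanned):
    """Return (matched, unknown, missing):
    matched -> scanned hosts present in the declared inventory
    unknown -> scanned hosts nobody declared (the story's 74 mystery devices)
    missing -> declared assets that did not answer the scan (stale records)
    """
    seen = {h.mac for h in scanned}
    matched = [h for h in scanned if h.mac in declared]
    unknown = [h for h in scanned if h.mac not in declared]
    missing = {mac: name for mac, name in declared.items() if mac not in seen}
    return matched, unknown, missing


def risk_flags(host):
    """Triage labels for a host; nothing is touched, only the scan data is read."""
    flags = []
    if host.os_guess in END_OF_LIFE_OS:
        flags.append("end-of-life OS")
    for port, svc in RISKY_PORTS.items():
        if port in host.open_ports:
            flags.append(f"legacy service {svc}/{port}")
    if not host.hostname:
        flags.append("no hostname (unmanaged/IoT?)")
    return flags


def report(declared, scanned):
    """Human-readable summary: counts first, then each unknown and stale host."""
    matched, unknown, missing = reconcile(declared, scanned)
    lines = [f"declared={len(declared)} scanned={len(scanned)} "
             f"matched={len(matched)} unknown={len(unknown)} missing={len(missing)}"]
    for h in sorted(unknown, key=lambda x: ipaddress.ip_address(x.ip)):
        label = "; ".join(risk_flags(h)) or "no flags"
        lines.append(f"UNKNOWN {h.ip:<12} {h.hostname or '-':<16} {label}")
    for mac, name in missing.items():
        lines.append(f"MISSING {mac} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DECLARED_INVENTORY, SCAN_RESULTS))
```

Keying on MAC rather than IP keeps a DHCP lease change from turning a known workstation into a "new" device; in practice you would also join on hostname or a management-agent ID, and run the reconciliation on a schedule so the unknown list never has years to grow.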
The $80,000 Mistake
In cybersecurity (physical, financial and technological) we recommend two-factor authentication and what I call two-person authentication. There's a Michigan company where they use two-person authentication for any bank account number and routing number changes for their vendors and clients.
But the two accounting personnel were moving fast, and one shouted over the wall, "Hey, I've got a new account number for this client, should I make the change?" and the other answered, "Yes." They routed around $80,000 to the wrong vendor and made a huge mistake, a huge, scary mistake.
First, always use two-person or two-factor authentication for payroll accounting and password changes. Secondly, slow down and review the facts by making a phone call or clearly confirming the accuracy of changes.
- Mike Ritsema, president, i3 Business Solutions
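The failure in this story is not the absence of a second person but that the second person approved without independently checking anything. The script below is an added example, not code from the original article or from i3 Business Solutions; it shows what a two-person control for payee bank-detail changes looks like when the system, rather than goodwill, enforces the rule: the approver must be a different user, must record a callback to the phone number already on file for the vendor (never a number supplied inside the change request), and must re-key the new routing and account numbers themselves. The routing-number sanity check uses the standard ABA check-digit formula; every vendor, person and number in the code is constructed sample data.

```python
"""Two-person control for vendor bank-detail changes.

Added example, not from the original article. A change to a payee's
routing/account number is applied only when a second, different person has
verified it out of band (a call to the number already on file) and has
re-keyed the details. A shouted "should I?" / "yes" does not satisfy it.
All vendors, people and numbers below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    phone_on_file: str      # verified contact, recorded before any request arrived
    routing: str
    account: str


@dataclass(frozen=True)
class ChangeRequest:
    vendor: str
    new_routing: str
    new_account: str
    requested_by: str
    contact_in_request: str  # phone/email offered by the request itself; untrusted


class DualControlError(Exception):
    """Raised when any dual-control condition fails; the change is not applied."""


def valid_aba_routing(routing):
    """Standard ABA check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) == 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


class PayeeRegistry:
    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}
        self.audit = []   # (vendor, requester, approver, callback number)

    def apply_change(self, req, approver, callback_number, rekeyed_routing, rekeyed_account):
        """Apply req only if every dual-control condition holds; otherwise raise."""
        vendor = self.vendors.get(req.vendor)
        if vendor is None:
            raise DualControlError("unknown vendor")
        if approver == req.requested_by:
            raise DualControlError("approver must be a different person than the requester")
        if callback_number != vendor.phone_on_file:
            raise DualControlError("verify via the number on file, not one supplied in the request")
        if (rekeyed_routing, rekeyed_account) != (req.new_routing, req.new_account):
            raise DualControlError("approver's re-keyed details do not match the request")
        if not valid_aba_routing(req.new_routing):
            raise DualControlError("routing number fails the ABA check digit")
        self.vendors[req.vendor] = Vendor(vendor.name, vendor.phone_on_file,
                                          req.new_routing, req.new_account)
        self.audit.append((req.vendor, req.requested_by, approver, callback_number))
        return self.vendors[req.vendor]


def run_scenarios():
    """Exercise the control with constructed data; returns {scenario: outcome}."""
    reg = PayeeRegistry([Vendor("Acme Supply", "+1-555-0100", "987654320", "00011122233")])
    req = ChangeRequest("Acme Supply", "123456780", "99988877766", "alice", "+1-555-0199")
    outcomes = {}
    attempts = {
        # the "yes over the wall": same person on both sides
        "self_approval": ("alice", "+1-555-0100", "123456780", "99988877766"),
        # approver called the number the request itself offered
        "callback_to_request_number": ("bob", req.contact_in_request, "123456780", "99988877766"),
        # approver did not actually read the digits
        "rekey_mismatch": ("bob", "+1-555-0100", "123456780", "99988877767"),
        # everything done properly
        "proper": ("bob", "+1-555-0100", "123456780", "99988877766"),
    }
    for name, args in attempts.items():
        try:
            reg.apply_change(req, *args)
            outcomes[name] = "applied"
        except DualControlError as e:
            outcomes[name] = f"rejected: {e}"
    outcomes["account_now"] = reg.vendors["Acme Supply"].account
    outcomes["audit_entries"] = len(reg.audit)
    return outcomes


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The re-key step is deliberate: it forces the approver to read the digits rather than click a button, and a mismatch is a signal to stop and call again. The audit list records who requested, who approved and which number was called, which is what you want to hand an investigator if a payment still goes astray.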