"I Was the Breach": A $3M Ransomware Wake-Up Call

In the debut episode of the Control D Podcast, Yegor Sak and Alex Paguis sit down with Matt Lee, Senior Director of Security and Compliance at PAX8, to discuss his journey from humble beginnings in IT to leading security efforts in high-stakes environments.

Matt’s story isn’t just about the typical tech challenges; it’s about a seismic shift in how security is understood and approached. Through his experiences in the world of Managed Service Providers (MSPs), Matt highlights the growing importance of proactive cybersecurity, the consequences of ignoring it, and the critical need for businesses to evolve their security strategies to keep pace with emerging threats.

Matt starts by sharing a harrowing story from his time working at a Managed Service Provider (MSP), where a ransomware attack led to $3 million in losses, 26 client disruptions, and a complete rethinking of how organizations need to approach security.

This is more than just another cautionary tale. Matt’s story isn’t just about what went wrong; it’s about the painful lessons learned that reshaped his understanding of cybersecurity leadership. If you’re in security, you’ll recognize the critical turning points where businesses often falter, and how proactive measures can mean the difference between surviving a breach and getting buried by it.

The Wake-Up Call: From MSP Technician to Security Leader

Matt’s journey into security wasn’t planned. Like many in the field, it started as an accident, a career driven by curiosity and a passion for technology. As a kid, Matt was already tinkering with computers, running his own Bulletin Board System (BBS), and, yes, getting a little too creative with AOL to get free modems. But it wasn’t until he found himself working at an MSP that he started to realize just how big the stakes were in the world of cybersecurity.

“I didn’t set out to be a security guy,” Matt admits. “I just wanted to fix things. But then came the reality of being the guy to fix the stuff that went wrong. That’s when the lightbulb went off.”

The issue? Many businesses, particularly small and medium-sized companies, were still using a reactive approach to security — responding to breaches as they happened. As Matt would soon discover, this strategy would cost them.

The Ransomware Crisis: A $3M Fallout and 26 Disrupted Clients

When a ransomware attack hit Matt’s MSP, it wasn’t just a minor inconvenience. It was a wake-up call that rattled the entire organization. What began as a routine day quickly spiraled into a multi-million-dollar crisis.

The impact was staggering: 26 client businesses were affected, and the financial toll was immediate. The breach triggered a flurry of insurance claims, lawsuits, and layoffs as the company scrambled to recover. The ripple effect was felt throughout the entire industry.

Matt reflected, “I realized that businesses weren’t just losing money from these breaches. They were losing their ability to function. Clients couldn’t access their own systems. People lost jobs. The emotional toll was devastating. It wasn’t just about fixing computers anymore; it was about repairing lives and reputations.”

What Went Wrong? The Hidden Risks of Security Shortcuts

In the aftermath of the attack, Matt’s team began investigating what went wrong. One of the critical issues? Due diligence gaps during a company merger that had hidden a ransomware time bomb.

The organization had acquired another MSP without fully vetting their security posture, and this lapse in judgment left them with a compromised system before the deal was even closed.

“Imagine this,” Matt said. “We bought a company mid-breach, and we didn’t even know it. That’s like buying a car with a ticking time bomb in the trunk. It was a wake-up call that security can’t just be an afterthought when you’re making decisions. It needs to be embedded into the fabric of every choice, every acquisition, every plan.”

The breach had devastating consequences, but it also drove home a point that would become a cornerstone of Matt’s security philosophy: security by design was no longer optional — it was mandatory.

The Real Cost of Reactive Security: Layoffs, Lawsuits, and Insurance Gaps

The aftermath of the attack stretched for 18 months. The MSP’s clients were left scrambling to restore their operations, and insurance companies were drawn into lengthy, complicated claims processes. But one of the most eye-opening aspects of Matt’s experience was how insurance gaps exacerbated the damage.

"One thing that really stood out to me was the insurance coverage," Matt shared. "We had an indemnification policy that was supposed to protect us, but it was full of holes. The company was covered for $1 million in damages, but when the attack escalated, the insurance only paid out $280,000 — leaving us with $3 million in losses."

This scenario revealed the true cost of a reactive approach to security: not just the immediate financial loss but the ripple effect on operations, trust, and reputation.

A New Philosophy: Live Compromised and Secure by Demand

From the wreckage of the breach, Matt developed a new philosophy that he calls “Live Compromised”. “You can’t ever really eliminate the risk, but you can minimize it,” Matt explained. “In a perfect world, every business would act as if they’re already compromised. It’s not about assuming it won’t happen — it’s about assuming it has happened and planning around that.”

This approach emphasizes constant vigilance — actively monitoring for threats and addressing them before they escalate into a full-blown crisis. It’s about building resilience into every layer of your security systems, rather than relying on lucky breaks or hoping your systems are secure enough.

In addition to this proactive mindset, Matt also coined the term “Secure by Demand”, which challenges the industry’s standard approach to security.

“Most businesses wait until they experience a breach to act. But security should be demanded, not just reacted to. The time to secure your systems is now, not after the damage is done.”

Why Security Maturity is the New Battleground

One of the key takeaways from Matt’s journey is that security maturity is no longer just about having the right tools. It’s about having the right mindset. In a world where cyberattacks are becoming more sophisticated, businesses must develop a culture of security awareness at every level of their organization.

“Security maturity is the real battleground now,” Matt said. “It’s not about the tools you use; it’s about how prepared you are and how vigilant you stay. The businesses that make security a priority, that build it into their culture, are the ones that are going to thrive.”

The Takeaway: A Call to Action for CISOs, MSPs, and IT Leaders

Matt’s story serves as a powerful reminder for CISOs, MSPs, and IT leaders everywhere. Security is a journey, not a destination. While tools and technologies are crucial, mindset is what truly makes the difference. A shift toward proactive defense, continuous monitoring, and security by design is the only way to stay ahead of evolving threats.

“Don’t wait for the breach to happen. Act now — secure your systems before they are compromised.”

Ready to Move Beyond Reactive Security?

In the world of cybersecurity, waiting for the worst-case scenario to unfold is a gamble no organization can afford to take. Take a page from Matt’s book and make proactive security a cornerstone of your strategy today.

Want to learn more about proactive security measures and how they can protect your business? Discover more about how Control D can help you stay one step ahead of cyber threats.