Trust, But Verify: What Pickleball Taught Me About Cybersecurity
The principle of least privilege isn't just a technical concept. It's how every good doubles team plays the game. By Sammy Basu, Founder & CEO.
By Sammy Basu | Founder & CEO, Careful Security | March 5, 2026
I'm standing in a pickleball park. It's 8 AM, the sun is coming through the nets, and my partner and I are about to play a doubles match. Before the first serve, my partner says: 'I'll cover left, you cover right. Trust me to handle my side.' That's all it took. Two sentences. A clear division of responsibility.
What Does "Trust, But Verify" Actually Mean?
The phrase comes from a Russian proverb that Ronald Reagan made famous during nuclear arms negotiations: 'Doveryai, no proveryai.' Trust, but verify. In cybersecurity, the same principle applies. You trust your employees, your partners, your systems. But you still run your scripts, you still read your log files, and you still find out who has access, when they are using it, and whether each of them actually needs it.
According to the Verizon Data Breach Investigations Report, credential misuse dominates the landscape of security incidents. The IBM Data Breach Report confirms that it takes an average of six to eight months to detect a breach. Six to eight months of someone walking through your hallways with a badge that should have been revoked.
The Principle of Least Privilege
Security rests on the principle of least privilege: you give each person access to exactly what they need to do their job, and nothing more. The Colonial Pipeline breach in 2021 started with a single compromised VPN account of a former employee. No multi-factor authentication. One password. $4.4 million in ransom paid, fuel shortages across the East Coast.
The UnitedHealthcare breach in 2024 started with a legacy server that didn't have multi-factor authentication enabled. Costs surpassed $1.6 billion. The Microsoft email breach in 2024 started with an old test account that didn't have MFA. See the pattern? Every one of these breaches traces back to someone having access they shouldn't have had, or access that wasn't properly verified.
Three Things Every Mid-Market Company Should Do This Week
1. Audit Who Has Access to What — run a report of every user account and cross-reference it with your current employee roster
2. Enforce Multi-Factor Authentication Everywhere — not just on your email, not just on your VPN, everywhere
3. Review Your Logs — who logged in at 2 AM? Who accessed the database from an IP address you don't recognize?
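The three checks above, worked through as a small audit script. This is an added example written for this post, not code from Careful Security; the account records, the HR roster, the trusted network ranges and the login log lines are all constructed assumptions, and the business-hours window of 06:00 to 22:00 is likewise assumed.

```python
"""Access-review sketch for the three steps above. All data below is constructed."""
from datetime import datetime
from ipaddress import ip_address, ip_network

ROSTER = {"alice", "bob"}                        # current employees from HR (assumed)
ACCOUNTS = [                                     # user accounts exported from the IdP/VPN (assumed)
    {"user": "alice", "mfa": True},
    {"user": "bob", "mfa": False},
    {"user": "carol", "mfa": False},             # left the company, never deprovisioned
    {"user": "svc-legacy-test", "mfa": False},   # old test account nobody remembers
]
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]  # assumed office/VPN ranges
LOGS = [  # constructed lines: timestamp,user,source_ip,resource
    "2026-03-02T09:15:00,alice,10.0.4.7,crm",
    "2026-03-03T02:04:00,carol,198.51.100.9,database",
    "2026-03-03T14:30:00,bob,203.0.113.20,database",
]


def stale_accounts(accounts, roster):
    """Step 1: accounts whose owner is not on the current roster (revoke or justify)."""
    return sorted(a["user"] for a in accounts if a["user"] not in roster)


def accounts_without_mfa(accounts):
    """Step 2: accounts where MFA is not enforced, service and test accounts included."""
    return sorted(a["user"] for a in accounts if not a["mfa"])


def suspicious_logins(logs, trusted_nets, roster, start_hour=6, end_hour=22):
    """Step 3: logins outside business hours, from unknown IPs, or by accounts not on the roster."""
    findings = []
    for line in logs:
        ts, user, src, resource = line.split(",")
        when = datetime.fromisoformat(ts)
        reasons = []
        if not start_hour <= when.hour < end_hour:
            reasons.append("off-hours")
        if not any(ip_address(src) in net for net in trusted_nets):
            reasons.append("unknown-ip")
        if user not in roster:
            reasons.append("not-on-roster")
        if reasons:
            findings.append((user, resource, reasons))
    return findings


if __name__ == "__main__":
    print("stale accounts:", stale_accounts(ACCOUNTS, ROSTER))
    print("no MFA:", accounts_without_mfa(ACCOUNTS))
    print("suspicious logins:", suspicious_logins(LOGS, TRUSTED_NETS, ROSTER))
```

In the constructed data the departed user's account surfaces in all three checks at once, which is the pattern the breaches above share: an account that should no longer exist, with no MFA, used at 2 AM from an address nobody recognises.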
"Human error causes the majority of breaches: fix the humans before the firewalls."
Ready to find out where your gaps are? Careful Security delivers full-service audit readiness in 90 days. 100% first-attempt pass rate. Money-back guarantee.
Questions about this article? Book a free 30-minute consultation and talk directly with a senior practitioner.