A breach claims the systems as well as the confidence that was, in retrospect, a major vulnerability
24 Apr 2026

There’s a bit of a pattern in the history of organizational failures that repeats too often to be a coincidence: A system runs smoothly for a long stretch, causing everyone to grow confident in it. Almost invariably, this also quietly erodes the vigilance that kept the system running smoothly in the first place. And then the system fails – at the precise moment when everyone involved would have told you it was in excellent shape.
Counterintuitive as it may sound, stability itself can be destabilizing. It breeds complacency, which then reduces investments in preparedness and widens the gap between actual and perceived risk. Author Morgan Housel compressed this pattern into six words: “calm plants the seeds of crazy.” This plays out rather visibly and with near-clinical regularity in financial markets, but since it’s woven into the warp and woof of human psychology, cybersecurity is by no means spared from it.
And so it is that a company that hasn’t been breached is prone to viewing its security posture as adequate. Calm feels like evidence that the danger has passed, which changes behavior in ways that reintroduce the danger. The assumption hardens quietly, even if no one may state it explicitly: if nothing’s gone wrong, then our controls must be excellent. But in some cases, this may be mistaking the absence of evidence for evidence of absence.
Or, viewed through another lens, the absence of a visible incident is just silence, and silence can mean several things. The company with an immaculate record may indeed have top-notch defenses. But it may also have avoided the attention of anyone ill-intentioned and dedicated enough yet – there are many fish in the sea, after all.
Which raises at least two questions worth asking: Do you know that your environment is as safe as it can be against threats doing the rounds now? Or do you only know that your (baseline) controls are in place? Many organizations answer the second question while believing that they’ve answered the first one. They may resort to compliance frameworks, although those don’t necessarily check whether the measures are adequate against the threats that are doing the rounds right now. So, a company could be compliant and exposed at the same time. (Can you, too, smell the paradox of Schrödinger’s cat?)
Yet more traps
The formal state of an organization’s security is easy to measure and – assuming all turns out well – also easy to feel good about. Whether an employee’s login credentials are changing hands on dark web marketplaces or whether your organization’s EDR tool can under some circumstances be defanged by an easily available ‘anti-tool’ – that’s harder to assess without looking in places many organizations don’t think to look.
Indeed, absent deliberate correction, the human mind tends to lean on easily available information in order to build what it believes is a coherent story. This happens at the expense of hard-to-obtain information and with blissful disregard for which of the two categories is more instructive. Crucially, the mind doesn’t flag what’s missing – the picture feels complete and the confidence feels earned regardless. The late psychologist Daniel Kahneman coined an acronym for the habit: WYSIATI (What You See Is All There Is).
The problem may worsen further when you consider how many decision-makers think about risk: if something can’t be measured, it doesn’t matter. In practice, the opposite is often closer to the truth, to the point that the underlying problem has earned the status of a fallacy. Without further belaboring the point, suffice it to say now that once you see at least some of the traps, you can’t ‘unsee’ them.

In its 2025 Data Breach Investigations Report, Verizon put a number on how wide the gap between perceived security and actual exposure can get: it found that 54% of ransomware victims had their domains appear in at least one infostealer log or illicit marketplace posting before the attack. The access details were already circulating – and in some cases the breach may have already occurred – even when everything seemed in order.
This kind of blind spot hits hardest in companies whose security stack fails to flag attackers’ behavioral footprints, such as attempts to disable security processes. Remedying it requires changing what’s visible and using the right tools – the kind of tools that go beyond confirming that controls are in place and flag that something in the environment is behaving suspiciously.
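A detection of the behavioral footprint named above (attempts to stop or kill security processes) can be illustrated with a small rule over process-creation events. The following is an added example, not code from the original article or any product it alludes to; the log format, the watchlist of agent names and the sample events are all constructed here.

```python
import re

# Constructed watchlist of service/process names standing in for the EDR or AV
# agents deployed in the environment; a real rule lists the products installed.
PROTECTED = {"exampleedr", "exampleav", "sensorsvc"}

# Commands that stop, kill or unload a service or process. Each regex captures
# the target name so it can be checked against the watchlist.
TAMPER_PATTERNS = [
    re.compile(r"\b(?:sc|sc\.exe)\s+(?:stop|delete|config)\s+(\S+)", re.I),
    re.compile(r"\bnet(?:1)?\s+stop\s+(\S+)", re.I),
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I),
    re.compile(r"\b(?:systemctl\s+(?:stop|disable)|kill\s+-9|pkill)\s+(\S+)", re.I),
]

def parse_event(line):
    """Parse one constructed process-creation event: host|user|parent|command."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None  # malformed line: skip it rather than crash the pipeline
    return dict(zip(("host", "user", "parent", "command"), parts))

def normalise(name):
    # Strip quotes, paths and .exe so 'C:\x\ExampleEDR.exe' becomes 'exampleedr'.
    name = name.strip('"\'').rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return name.lower().removesuffix(".exe")

def detect_tampering(lines):
    """Return one alert per command that tries to stop a watchlisted process."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for pat in TAMPER_PATTERNS:
            m = pat.search(ev["command"])
            if m and normalise(m.group(1)) in PROTECTED:
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "target": normalise(m.group(1)), "command": ev["command"]})
                break  # one alert per event is enough
    return alerts

# Constructed sample events; only two of them target a watchlisted name.
SAMPLE_EVENTS = [
    "ws-17|corp\\jdoe|explorer.exe|notepad.exe report.txt",
    "ws-17|corp\\jdoe|cmd.exe|sc stop ExampleEDR",
    "srv-02|corp\\svc_backup|cmd.exe|net stop Spooler",
    "srv-02|corp\\svc_backup|powershell.exe|taskkill /F /IM exampleav.exe",
    "malformed line",
]
```

Running `detect_tampering(SAMPLE_EVENTS)` yields two alerts (the `sc stop` and `taskkill` events); the `net stop Spooler` line is a benign service stop and is ignored because the target is not on the watchlist.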
When the confidence shatters
All of this also matters because a ransomware intrusion is a business continuity event whose effects extend far and wide. When Change Healthcare fell victim to ransomware in 2024, the downstream impact on hospitals and pharmacies lasted months, not to mention that the incident hit nearly the entire U.S. population. The total cost was an estimated $3 billion. A ransomware attack on Jaguar Land Rover in 2025 caused similar financial damage.
Meanwhile, IBM puts the average cost of a data breach at around $5 million, including downtime, recovery, and downstream damage. Specifically for healthcare organizations, the average is almost $10 million. And the figures don’t capture the long tail, such as customer contracts that aren’t renewed or insurance premiums that spike.

The damage compounds over months and years, especially where stolen data ends up on a dedicated leak site (DLS), as is so often the case these days. The public exposure of corporate data triggers a crisis in its own right as the dumped contracts, emails and personal data become fodder for follow-on attacks, such as phishing and business email compromise (BEC) fraud.
Regulatory obligations also kick in soon enough. At the same time, customers and partners start asking questions that the company often has no way of answering. And there’s still another caveat that defenders should keep in mind: the data only reflects what the criminals choose to ‘advertise’ – it’s thought that only a small portion of ransomware victims have their data dumped on the sites.
Discipline is everything
In addition to the right tools and people, security that holds up over time rests on the habit of watching and adapting. All of this is predicated on awareness of what’s happening in the threat environment, not to mention your own IT environment.
Admittedly, maintaining constant vigilance in the absence of a visible and acute threat is expensive – psychologically, that is. Humans are poorly suited to staying alert for events that don’t feel imminent, and the drift towards complacency is so gradual that it rarely registers as a decision anyone made.
But as the threat side of the ‘equation’ never holds still, the defense side can’t, either. Threat intelligence, especially the kind that delivers a wealth of signals about active campaigns, is the backbone of that awareness. It’s what security tools can ‘convert’ into detections and alerts that let security teams act in time. Without it, the gap between what an organization believes about its security and what’s actually true may continue to widen – until it’s closed, rather expensively, by cybercriminals.

