{"id":8072,"date":"2026-06-09T12:00:00","date_gmt":"2026-06-09T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2026\/06\/09\/cybercriminals-the-auditors-you-never-hired\/"},"modified":"2026-06-09T12:00:00","modified_gmt":"2026-06-09T09:00:00","slug":"cybercriminals-the-auditors-you-never-hired","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2026\/06\/09\/cybercriminals-the-auditors-you-never-hired\/","title":{"rendered":"Cybercriminals: the ‘auditors’ you never hired"},"content":{"rendered":"

There\u2019s one cognitive bias that we humans are prone to, and it lies at the centre of some of the challenges that cybersecurity professionals face every day. It\u2019s known as the normalcy bias \u2013 what Dr. Lauren Braithwaite defines<\/a> as \u201cour tendency to underestimate the possibility of disaster and believe that life will continue as normal, even in the face of significant threats or crises.\u201d <\/em>It’s why people hesitate after fire alarms go off or delay reacting in other unfolding situations because things still appear manageable.<\/p>\n

As this bias can lead us to mistake familiarity for safety and assumptions for evidence, it\u2019s increasingly getting in the way of dealing with the cybersecurity reality. It causes people to underestimate the likelihood of a cyberattack or to interpret an absence of obvious problems or consequences as evidence that risks are under control. In practice, many organisations treat a lack of clear alerts from their chosen protection platform(s) as proof that everything is hunky-dory. Others fail to act quickly enough on warning signs because they assume that business will simply continue as usual.<\/p>\n

Meanwhile, despite a steady drumbeat of news headlines on breaches at organisations like M&S, JLR, and Co-op (and most breaches never actually make it to the front pages), and advice from the cybersecurity industry and government organisations about how to avoid becoming the next victim, the number of major incidents continues to rise at an eye-watering rate.<\/p>\n

The NCSC Annual Review 2025<\/a> reported 204 “nationally significant” cyberattacks in the 12 months to August 2025, a 130% increase from the 89 reported in the previous year. Of 429 total incidents, 18 were classified as “highly significant,” marking a 50% increase in severe incidents. Breach rates remain stubbornly high, which may reflect a creeping normalisation of breach risk and be seen as normalcy bias at scale<\/em>: the more common breach disclosures become, the less urgency each one may carry.<\/p>\n

Lessons learnt?<\/h2>\n

There\u2019s a phrase that is peddled out by governments and companies alike when a catastrophe of any type \u2013 including a cybersecurity breach \u2013 occurs: \u201cLessons have been learnt\u201d.<\/p>\n

But have they? The 130% increase in significant incidents between 2024 and 2025 severely challenges this assertion and points to lessons not being learnt, at a macro level. Seems like a big no!<\/p>\n

Last year I wrote a blog post<\/a> that may, in part, explain the psychological state after a breach. I argued that many companies are, in a sense, both breached and not breached, simultaneously, and I likened this situation to Schr\u00f6dinger\u2019s cat. Until you open the box<\/em> by interrogating logs or actively searching for a compromise, the comfort of \u201cwe haven\u2019t been breached\u201d merely reflects the fact that no-one has actually checked. In fact, this reluctance to look could also be normalcy bias quietly doing its work.<\/p>\n

\u201cLessons have been learnt\u201d is the aftermath of opening the box, finding the cat to be (unfortunately) deceased, and then declaring: \u201cwe know what\u2019s happened, <\/em>we\u2019ve got a handle on this, don\u2019t worry\u201d. <\/em>This is narrative, not evidence of a meaningful change in approach.<\/p>\n

By contrast, real learning is a proactive process that changes how organisations need to behave. This should be reflected in changes to budgets, policies, rules, recovery planning, supplier scrutiny, logging, monitoring, training, and the tolerance for error, to name just a few things. And all done before the inevitable breach takes place. It\u2019s much more difficult to hit a moving target, after all.<\/p>\n

So, if we can accept that normalcy bias is a common and human cognitive condition, we can progress towards avoiding complacency before a breach and minimise its impact. \u2018To err is human\u2019, but now we know what the failing is, we have an imperative to act upon that knowledge \u2013 and do things differently.<\/p>\n

Endgame: what if we still don\u2019t recognise this bias?<\/h2>\n

The criminal \u2018auditors\u2019 are banking on human error. After all, it\u2019s why phishing is still one of the most prevalent ways that breaches occur.<\/p>\n

There are two main ways in which the endgame plays out in cybersecurity.<\/p>\n

Either we regularly audit ourselves \u2013 run penetration testing, red\/blue\/purple team and other attack simulation exercises, regularly re-evaluate the threat landscape, and invest in our security provision as part of our cyber resilience strategy.<\/p>\n

Or we allow cybercriminals to do the \u2018audit\u2019 for us. They rely on a false sense of security (literally), and this is the chink in the armour they exploit.<\/p>\n

Criminals \u2018auditing\u2019 you can be brutal, costly, devastating and, in many cases, terminal for organisations. That is why this metaphor matters \u2013 cybercriminals discover the gap between what an organisation believes<\/strong> about its security and what the reality<\/strong> is.<\/p>\n

To put things into perspective, ESET\u2019s threat intelligence<\/a> processes 750,000 suspicious samples, analyses 2.5 billion URLs while blocking 500,000 of them \u2013 every day. Threat actors are relentless, and as their attacks become more and more sophisticated, we have to ditch any thought that we are impervious. We must accept that normalcy bias exists and act upon it.<\/p>\n

\n

In the face of a number of high-profile retail breaches in the UK, ESET conducted research with 2,000 consumers. The resulting report<\/a> revealed, amongst other things, that 46% of shoppers said it would take them 5+ months to rebuild trust after a data breach. That\u2019s an expensive audit! One needs to do the simple math to estimate the direct financial damage if that\u2019s all the senior management are interested in. All on its own this should suffice despite the fact this is often the tip of a very painful iceberg.<\/p>\n<\/div>\n

The bottom line<\/h2>\n

An aspect of normalcy bias that I find most intriguing is that, despite the increased sophistication, speed, volume and variety of attack vectors we are all aware of, our approach to cyber resilience strategies often remains rooted in the past \u2013 even if it is relatively recent past. But time passes quickly in cybersecurity, and in the 4 or 5 minutes it\u2019s taken you to read this article, ESET will have processed over 2,000 suspicious samples and scanned approx. 7 million URLs blocking approx.1,500 of them.<\/p>\n

When asking why we should review cybersecurity services provision, are we accounting for all parameters that have changed (globally as well as locally) in the last few years and how it could affect our current security posture?<\/p>\n

Right off the top of your head, you could probably name at least a few of these:<\/p>\n