{"id":8179,"date":"2026-04-24T12:00:00","date_gmt":"2026-04-24T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2026\/04\/24\/the-calm-before-the-ransomware-storm-what-you-see-is-not-all-there-is\/"},"modified":"2026-04-24T12:00:00","modified_gmt":"2026-04-24T09:00:00","slug":"the-calm-before-the-ransomware-storm-what-you-see-is-not-all-there-is","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2026\/04\/24\/the-calm-before-the-ransomware-storm-what-you-see-is-not-all-there-is\/","title":{"rendered":"The calm before the ransomware storm: What you see is not all there is"},"content":{"rendered":"<p>There\u2019s a bit of a pattern in the history of organizational failures that repeats too often to be a coincidence: A system runs smoothly for a long stretch, causing everyone to grow confident in it. Almost invariably, this also quietly erodes the vigilance that kept the system running smoothly in the first place. And then the system fails \u2013 at the precise moment when everyone involved would have told you it was in excellent shape.<\/p>\n<p>Counterintuitive as it may sound, stability itself can be destabilizing. It breeds complacency, which then reduces investments in preparedness and widens the gap between actual and perceived risk. Author Morgan Housel compressed this pattern into six words: \u201ccalm plants the seeds of crazy.\u201d This plays out rather visibly and with near-clinical regularity in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Minsky_moment\">financial markets<\/a>, but since it\u2019s woven into the warp and woof of human psychology, cybersecurity is by no means spared from it.<\/p>\n<p>And so it is that a company that hasn\u2019t been breached is prone to viewing its security posture as adequate. Calm feels like evidence that the danger has passed, which changes behavior in ways that reintroduce the danger. 
The assumption hardens quietly, even if no one may state it explicitly: if <a href=\"https:\/\/www.welivesecurity.com\/en\/business-security\/what-cybersecurity-actually-does-for-your-business\/\">nothing\u2019s gone wrong<\/a>, then our controls must be excellent. But in some cases, this may be mistaking the absence of evidence for evidence of absence.<\/p>\n<p>Or, viewed through another lens, the absence of a visible incident is just silence, and silence can mean several things. The company with an immaculate record may indeed have top-notch defenses. But it may also have avoided the attention of anyone ill-intentioned and dedicated enough yet \u2013 there are many fish in the sea, after all.<\/p>\n<p>Which raises at least two questions worth asking: Do you know that your environment is as safe as it can be against threats doing the rounds now? Or do you only know that your (baseline) controls are in place? Many organizations answer the second question while believing that they\u2019ve answered the first one. They may resort to compliance frameworks, although those don\u2019t necessarily check whether the measures are adequate against the threats that are doing the rounds right now. So, a company could be compliant and exposed at the same time. (Can you, too, smell the <a href=\"https:\/\/www.welivesecurity.com\/en\/business-security\/locks-socs-cat-box-what-schrodinger-can-teach-us-about-cybersecurity\/\">paradox of Schr\u00f6dinger&#8217;s cat<\/a>?)<\/p>\n<h2>Yet more traps<\/h2>\n<p>The formal state of an organization\u2019s security is easy to measure and \u2013 assuming all turns out well \u2013 also easy to feel good about. 
Whether an employee\u2019s login credentials are changing hands on dark web marketplaces or whether your organization\u2019s EDR tool can under some circumstances be <a href=\"https:\/\/www.welivesecurity.com\/eset-research\/edr-killers-explained-beyond-the-drivers\/index.html\">defanged<\/a> by an easily available \u2018anti-tool\u2019 \u2013 that\u2019s harder to assess without looking in places many organizations don\u2019t think to look.<\/p>\n<p>Indeed, the human tendency, absent deliberate correction, is to lean on easily available information in order to build what it believes is a coherent story. This happens at the expense of hard-to-obtain information and with blissful disregard for which of the two categories is more instructive. Crucially, the mind doesn\u2019t flag what\u2019s missing \u2013 the picture feels complete and the confidence feels earned regardless. The late psychologist Daniel Kahneman coined an acronym for the habit: WYSIATI (What You See Is All There Is).<\/p>\n<p>The problem may worsen further when you consider how many decision-makers think about risk: if something can\u2019t be measured, it doesn\u2019t matter. In practice, the opposite is often closer to the truth, to the point that the underlying problem has earned the status of a <a href=\"https:\/\/en.wikipedia.org\/wiki\/McNamara_fallacy\">fallacy<\/a>. 
Without further belaboring the point, suffice it to say that once you see at least some of the traps, you can\u2019t \u2018unsee\u2019 them.<\/p>\n<p>In its <a href=\"https:\/\/www.verizon.com\/business\/resources\/T16f\/reports\/2025-dbir-data-breach-investigations-report.pdf#page=12\">2025 Data Breach Investigations Report<\/a>, Verizon put a number on how wide the gap between perceived security and actual exposure can get: it found that 54% of ransomware victims had their domains appear in at least one infostealer log or illicit marketplace posting before the attack. The access details were already circulating \u2013 and in some cases the breach may have already occurred \u2013 even when everything seemed in order.<\/p>\n<p>This kind of blind spot hits hardest in companies whose security stack fails to flag attackers\u2019 behavioral footprints, such as <a href=\"https:\/\/www.welivesecurity.com\/eset-research\/edr-killers-explained-beyond-the-drivers\/index.html\">attempts to disable security processes<\/a>. Remedying it requires changing what\u2019s visible and <a href=\"https:\/\/www.eset.com\/us\/business\/solutions\/xdr-extended-detection-and-response\/\">using the right tools<\/a> \u2013 the kind of tools that go beyond confirming that controls are in place and flag that something in the environment is behaving suspiciously.<\/p>\n<h2>When the confidence shatters<\/h2>\n<p>All of this also matters because a ransomware intrusion is a business continuity event whose effects extend far and wide. 
When <a href=\"https:\/\/techcrunch.com\/2025\/01\/27\/how-the-ransomware-attack-at-change-healthcare-went-down-a-timeline\/\">Change Healthcare fell victim<\/a> to ransomware in 2024, the downstream impact on hospitals and pharmacies lasted months, not to mention that the incident hit nearly the entire U.S. population. The total cost was an estimated $3 billion. A ransomware attack on Jaguar Land Rover in 2025 caused similar financial damage.<\/p>\n<p>Meanwhile, IBM puts the average <a href=\"https:\/\/www.ibm.com\/reports\/data-breach\">cost of a data breach<\/a> at around $5 million, including downtime, recovery, and downstream damage. Specifically for healthcare organizations, the average is almost $10 million. And the figures don\u2019t capture the long tail, such as customer contracts that aren\u2019t renewed or insurance premiums that spike.<\/p>\n<p>The damage compounds over months and years, especially where stolen data ends up on a <a href=\"https:\/\/www.welivesecurity.com\/en\/ransomware\/naming-shaming-ransomware-groups-tighten-screws-victims\/\">dedicated leak site<\/a> (DLS), as is so often the case these days. The public exposure of corporate data triggers a crisis in its own right as the dumped contracts, emails and personal data become fodder for follow-on attacks, such as phishing and <a href=\"https:\/\/www.welivesecurity.com\/2022\/04\/26\/trouble-bec-how-stop-costliest-scam\/\">business email compromise<\/a> (BEC) fraud.<\/p>\n<p>Regulatory obligations also kick in soon enough. At the same time, customers and partners start asking questions that the company often has no way of answering. 
And there\u2019s still another caveat that defenders should keep in mind: the data only reflects what the criminals choose to \u2018advertise\u2019 \u2013 it\u2019s thought that only a small portion of ransomware victims have their data dumped on the sites.<\/p>\n<h2>Discipline is everything<\/h2>\n<p>In addition to the right tools and people, security that holds up over time rests on the habit of watching and adapting. All of this is predicated on awareness of what\u2019s happening in the threat environment, not to mention your own IT environment.<\/p>\n<p>Admittedly, maintaining constant vigilance in the absence of a visible and acute threat is expensive \u2013 psychologically, that is. Humans are poorly suited to staying alert for events that don\u2019t feel imminent, and the drift towards complacency is so gradual that it rarely registers as a decision anyone made.<\/p>\n<p>But as the threat side of the \u2018equation\u2019 never holds still, the defense side can\u2019t, either. Threat intelligence, especially the kind that delivers a wealth of signals about active campaigns, is the backbone of that awareness. It\u2019s what security tools can \u2018convert\u2019 into detections and alerts that let security teams act in time. 
Without it, the gap between what an organization believes about its security and what\u2019s actually true may continue to widen \u2013 until it\u2019s closed, rather expensively, by cybercriminals.<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/ransomware\/calm-ransom-what-you-see-is-not-all-there-is\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A breach claims the systems as well as the confidence that was, in retrospect, a major vulnerability<\/p>\n","protected":false},"author":5,"featured_media":8180,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[147],"tags":[],"class_list":["post-8179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybercrime"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8179"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8179\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8180"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/
et\/en\/wp-json\/wp\/v2\/tags?post=8179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}