I recently had, what I thought, was a unique brainwave. (Spoiler alert: it wasn\u2019t, but please read on!)<\/p>\n
As a marketing leader at ESET UK, part of my role is to communicate how our powerful and comprehensive solutions can be implemented to protect organisations, in a way that helps clarify the case for upgrading to higher levels of cybersecurity. And that need for clarity is now more urgent than ever.<\/p>\n
Cybersecurity leaders and agencies, including the UK\u2019s National Cyber Security Centre (NCSC<\/a>), are often quoted as saying that cyberattacks are not \u201ca matter of if, but when.\u201d So perhaps it\u2019s not too much of a stretch to describe every organisation as existing in a \u201cpre-breach state\u201d, or a condition where threats may already be present but stay under the radar.<\/p>\n Which brings to mind Schr\u00f6dinger\u2019s cat<\/a>, the famous thought experiment where a cat in a sealed box is simultaneously alive and dead \u2013 until you look inside. This might be challenging the analogy a bit, but in cybersecurity terms, your organisation lives in a similar state: it\u2019s both breached and not breached \u2013 until you look. Without visibility, you simply don\u2019t know. And by the time you do, the damage may already be done.<\/p>\n Accepting this reality demands a shift in mindset and a shift in strategy. Indeed, for organisations without the requisite tools for internal threat hunting and monitoring of malicious behaviour, one could further argue that this, actually, represents a duality of state encountered in quantum theory and, therefore, these organisations are in a kind of \u201cquantum breach state\u201d.<\/p>\n It came as no surprise when I found that my brainwave was shared<\/a> amongst at least a few others<\/a>, who had used this analogy<\/a> to explain the new reality and encourage organisations to revisit their cybersecurity strategy accordingly. A bit disappointing from an egotistical perspective, but also not too much because it\u2019s clearly a train of thought that resonated with at least those few, too.<\/p>\n But now I\u2019m going to pick holes in the analogy a little whilst hoping to underscore the key message.<\/p>\n The original thought experiment \u2013 first described by Austrian physicist Erwin Schr\u00f6dinger 90 years ago, almost to the day \u2013 relied on the random chance of the radioactive decay of an element emitting a particle that hit a detector, which triggered the release of poison into the box, thereby snuffing out the cat. This is a random chance determined by quantum decay, whereas the timing of the \u201cdetonation\u201d of malware by criminals within an organisation is, more often than not, planned.<\/p>\n The loose grouping of English-speaking criminals known as Scattered Spider, who were behind the Marks and Spencer (M&S) breach in the UK, were thought to have been moving through the company\u2019s systems undetected, for weeks<\/em><\/a>. This same group is thought to be behind the, oft-referenced, Jaguar Land Rover (JLR) breach, which is estimated to have cost over \u00a32 billion to the UK economy and is officially the costliest in UK history<\/a>.<\/p>\n It is fair to assume that the same tactics may have been employed, although details of how long the attackers were present in JLR\u2019s systems are sketchy<\/a>. In the case of M&S, the perpetrators spent a long (dwell) time \u2018living off the land\u2019, unleashing the chaos at the start of the Easter holiday weekend. The JLR attack, meanwhile, was triggered on the 31st<\/sup> of August 2025, on the eve of the UK car industry\u2019s equivalent of Christmas and Thanksgiving rolled into one: the new car registration day (\u201cnew plate day\u201d) on the 1st<\/sup> of September.<\/p>\n Random? I don\u2019t think so.<\/p>\n Therefore, the quantum breach analogy doesn\u2019t quite hold. If I were to venture a guess, the date was carefully planned for maximum disruption \u2013 and it worked spectacularly well for the attackers (and spectacularly badly for JLR, of course).<\/p>\n At this point, it\u2019s worth reminding ourselves of a few statistics. According to IBM\u2019s Cost of a Data Breach Report 2025<\/a>, the global mean time to identify and contain a breach (i.e., the entire breach lifecycle) is 241 days, while the mean time to identify a breach is 181 days \u2013 we\u2019re talking about big numbers here either way. The uncomfortable reality is that many organisations are breached long before they realise it. And the longer the dwell time, the more damaging the eventual \u201cdetonation\u201d of the attack is likely to be.<\/p>\n If, by now, you have accepted my \u201ctheory\u201d that your organisation is in a pre-breach state, you might now think about solutions. One such solution is, usually, procuring\/upgrading your security (i.e., buy a bigger lock) or go the whole hog and upgrade to EDR or XDR tools and then go threat-hunting. The latter would equate to \u201copening the box\u201d and observing, of course.<\/p>\n Opting for the former (bigger locks) doesn\u2019t necessarily help when you consider the insider threat and social engineering and other attack strategies employed by cybercrime groups like Scattered Spider, which were behind both JLR and Marks & Spencer breaches. No matter the size of the lock, stealing the keys (or having them, effectively, given away by clicking on a malicious link or being tricked into giving away or resetting a password<\/a>) makes them obsolete in this instance.<\/p>\n So, what about SOCs?<\/p>\n For this to work, of course, firstly you\u2019ll need to create a SOC of some sort and then staff it with security analysts. Very expensive and time-consuming \u2013 this can take months to set up and cost hundreds of thousands of pounds\/dollars\/euros. And that\u2019s even if you can recruit enough people due to the much reported, cybersecurity skills shortage. So, let\u2019s \u2018go commando\u2019 then; i.e., do it ourselves.<\/p>\n This option needs to be considered with caution \u2013 the skill required to operate these powerful tools is not to be underestimated and when they are activated, many (most\/all) organisations will find the sheer volume of telemetry, alerts and alarms so overwhelming that they end up disabling many of them just to dampen the noise. So, whilst the \u201cquantum state\u201d of the breach is now resolved \u2013 i.e., you\u2019re now observing your systems \u2013 it may create a worse situation and lead to a false sense of security. You now think <\/em>you\u2019re ok when you\u2019re potentially <\/em>not, because you may not have the requisite skills to properly analyse what\u2019s being observed.<\/p>\n Add to the mix that, here at ESET, we\u2019ve seen an increasing number of cyber insurance policies, shared by clients, that insist on EDR solutions being in place to even qualify for cover, which can leave security professionals with a real conundrum. Forced into using tools that require highly skilled operators, without the ability to use them correctly for the policy to remain applicable in the event of the (inevitable) breach. Stress is probably one of the words most used in cybersecurity teams the world over, when describing their day-to-day \u2013 and it\u2019s hardly surprising.<\/p>\n But there is a third way. Turning for help to the vendors that create the tools and offer services to threat hunt, monitor and remediate these threats is increasingly the direction of travel for organisations of all sizes. Managed detection and response (MDR) services resolve this dilemma: experts managing the tools, round the clock monitoring, proactive threat hunting, rapid detection and remediation, amongst others \u2013 this all de-stresses the situation, resolves the \u201cquantum breach state\u201d and defuses the cyber-bomb, and ultimately goes a long way to help meet insurance and compliance requirements and most importantly, mitigates the damage created by longer-dwelling APT and cybercrime groups.<\/p>\nRandom and not-so-random<\/h2>\n
Solutions: Locks and\/or SOCs<\/h2>\n
The reality check<\/h2>\n
\n
References:<\/h2>\n
\n