The organisations that experienced the most damaging breaches in 2024 were not, for the most part, naive about cybersecurity. They had firewalls. They had antivirus software. Many had compliance certifications. A significant number had dedicated security teams. What they lacked was something harder to buy and harder to audit: a coherent security posture built around how attackers actually operate — not how security vendors position their products.
The gap between the security posture most organisations believe they have and the security posture they actually have is where most breaches occur. It is a gap measured not in tools, but in architecture, process, and organisational culture. And in 2025, as threat actors deploy AI at scale and identity-based attacks displace perimeter exploitation as the primary attack vector, that gap is becoming expensive in ways that are difficult to recover from.
This article is a hard look at what the current threat environment actually demands — grounded in the data, specific about the failures, and direct about what genuine resilience requires.
The 2025 threat landscape in numbers
The IBM Cost of a Data Breach Report 2024 — the most comprehensive annual benchmark on breach economics — put the global average breach cost at $4.88 million, a 10% increase over 2023 and the highest figure in the report's 19-year history. For organisations in highly regulated sectors — healthcare, financial services, critical infrastructure — the numbers are dramatically worse: healthcare breaches averaged $9.77 million per incident, a figure that has led the industry rankings for fourteen consecutive years.
The time dimension of breaches is as troubling as the cost dimension. The average breach in 2024 took 194 days to identify and an additional 64 days to contain — a total lifecycle of 277 days. In practice, this means attackers had nearly nine months of dwell time in the average compromised environment before containment. The longer a breach runs, the more damage compounds: IBM's data shows that breaches identified in under 200 days cost $1.02 million less than those that ran longer.
Verizon's 2024 Data Breach Investigations Report (DBIR) — drawing on 30,458 real-world security incidents and 10,626 confirmed breaches — reinforces what practitioners already know: the human element remains the dominant attack surface. 82% of breaches involved a human element, whether through phishing, use of stolen credentials, social engineering, or insider misuse. The DBIR also found that the median time for users to fall for phishing emails was less than 60 seconds — a number that makes user education alone an insufficient defence.
On the ransomware front, 2024 set a record that few anticipated: the Dark Angels ransomware group received a $75 million ransom payment from a Fortune 50 company — the largest confirmed ransomware payment in history, reported by Zscaler ThreatLabz. Total ransomware payments in 2024 exceeded $1 billion for the second consecutive year (Chainalysis), even as law enforcement disrupted multiple major operations. And Cybersecurity Ventures projects global cybercrime costs will reach $10.5 trillion annually by 2025 — a figure that would make cybercrime, by economic scale, the third-largest economy on earth if it were a country.
The AI escalation dimension is new and moving fast. Google's Mandiant Threat Intelligence reported in mid-2024 that state-sponsored threat actors from China, Russia, Iran, and North Korea were actively experimenting with large language models to enhance phishing content, automate vulnerability scanning, and accelerate malware development. This is not a future risk — it is the present operating environment for enterprise security teams.
Why perimeter security is dead — and what replaced it
For three decades, the dominant mental model of enterprise security was the castle and moat: a hard, well-defended perimeter surrounding a trusted interior. Everything inside the network was assumed to be safe; everything outside was the threat. Firewalls, intrusion detection systems, and VPNs were the primary defensive tools — all built on the assumption that the perimeter was meaningful and enforceable.
That assumption collapsed somewhere between 2018 and 2022, under the combined pressure of four structural changes. Cloud migration moved critical workloads outside the traditional network boundary. Remote and hybrid work — accelerated dramatically by the pandemic — put employees and their devices in locations no perimeter could encompass. BYOD proliferation introduced unmanaged endpoints into corporate access flows at scale. And SaaS adoption distributed corporate data across dozens of third-party platforms, each with its own access model and security posture.
The result: there is no longer a meaningful perimeter to defend. The network boundary that once defined "inside" and "outside" now has thousands of gaps — cloud APIs, remote access points, third-party integrations, contractor credentials, personal devices — each of which represents a potential entry vector. A firewall protecting a boundary that no longer exists is not a security control; it is a comfort object.
Zero Trust Adoption: Where Organisations Stand
A 2024 Okta State of Zero Trust Security report found that 67% of organisations have a defined Zero Trust initiative in place, up from 24% in 2021. However, the same research found that fewer than 20% have achieved full implementation across identity, device, network, and application layers. The gap between Zero Trust adoption as a stated strategy and Zero Trust as an operational reality is where most organisations currently sit — and where attackers focus their effort.
The model that replaced perimeter security is Zero Trust — a framework formalised by NIST in Special Publication 800-207 (2020) and now the reference architecture for US federal agencies, major financial institutions, and security-mature enterprises globally. The core principle is explicit and unambiguous: never trust, always verify. No user, device, or network segment is trusted by default — not even within the corporate network. Every access request is authenticated, authorised, and continuously validated against policy.
Zero Trust is not a product. It is an architectural philosophy expressed through a set of specific controls: strong identity verification at every access point, device health validation before granting access, microsegmentation of network resources to limit lateral movement, least-privilege access enforced at the application layer, and continuous monitoring of session behaviour. The 2020–2024 period was the proving ground for Zero Trust at scale — and the organisations that implemented it seriously during that window are measurably better positioned against the attack vectors that define the 2025 threat landscape.
Microsegmentation deserves specific attention because it directly addresses the problem that makes breaches so expensive: lateral movement. Once an attacker breaches a perimeter-based network, they typically have broad access to move through the environment and escalate privileges. Microsegmentation divides the network into isolated segments with individually enforced access controls, so that a compromised endpoint in the finance VLAN cannot reach the engineering VLAN, the HR database, or the production environment. The blast radius of a breach is contained by architecture, not luck.
Identity is the new perimeter
If Zero Trust is the architectural framework, identity is its operational centre of gravity. When Verizon's DBIR reports that over 80% of attacks exploit identity weaknesses — stolen credentials, MFA bypass, privilege escalation, session hijacking — it is describing an attack surface that most organisations have not adequately hardened. The perimeter is gone; what remains is a collection of identities, each of which either grants or denies access to resources. Securing those identities is not an IT hygiene task — it is the primary security investment.
The identity attack surface is broader than most organisations recognise. It includes human identities (employees, contractors, partners), machine identities (service accounts, APIs, automated processes), and third-party identities (vendor access, integration credentials). CrowdStrike's 2024 Global Threat Report found that 75% of attacks to gain initial access in 2024 were malware-free — instead relying on valid credentials, remote management tools, and living-off-the-land techniques that blend into normal activity. You cannot block what you cannot distinguish from legitimate behaviour.
"The identity is the perimeter. Every stolen credential is a breach waiting to happen — and in most environments, stolen credentials go undetected for months because nobody is watching what valid users do, only whether they authenticated."
Identity and Access Management (IAM) architecture for a mature security posture encompasses several specific disciplines. Privileged Access Management (PAM) controls, monitors, and audits access for high-privilege accounts — the system administrators, database owners, and infrastructure operators whose credentials represent existential risk if compromised. PAM solutions enforce session recording, break-glass approval workflows for emergency access, and automatic credential rotation that ensures no standing high-privilege password survives long enough to be useful to an attacker.
Just-In-Time (JIT) access takes the principle further: instead of granting standing privileged access that exists whether or not it is being used, JIT provisions access for the specific task, duration, and scope required — and revokes it automatically when the session ends. An attacker who compromises a service account with JIT access gets a credential that expires in hours. An attacker who compromises a service account with standing privileged access gets a credential that may be valid indefinitely.
Passwordless authentication — using FIDO2/WebAuthn standards, hardware security keys, or device-bound passkeys — eliminates the credential itself as an attack surface. You cannot phish a passkey. You cannot brute-force a hardware token. Microsoft's data shows that passwordless accounts are 99.9% less likely to be compromised than those using passwords alone. The technology is mature, the standards are stable, and the adoption barrier is primarily organisational inertia.
The risk of over-privileged service accounts and third-party access deserves emphasis because it is consistently underestimated. Many organisations have service accounts created years ago for integrations that no longer exist, carrying administrative privileges that were never scoped down after deployment. Third-party vendor access — granted for a specific project, never revoked — is a persistent source of lateral-movement opportunity. Identity governance programmes that continuously audit entitlements, remove orphaned accounts, and enforce access certification reviews are not optional in a mature security posture; they are foundational.
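The contrast between JIT and standing privilege, and the entitlement checks described above, worked through in code. This is an added example, not code from the article or any PAM vendor; the account names, dates, the 8-hour JIT ceiling and the 90-day staleness threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Grant:
    principal: str
    scope: str                       # e.g. "db:orders:write"
    expires_at: Optional[datetime]   # None = standing access that never expires
    ticket: Optional[str] = None     # approval reference for JIT grants


def request_jit(principal, scope, minutes, ticket, now):
    """Issue a grant bound to one scope and one time window (8h ceiling is an assumed policy)."""
    if not ticket:
        raise ValueError("JIT access requires an approval reference")
    if not 0 < minutes <= 8 * 60:
        raise ValueError("JIT window must be between 1 minute and 8 hours")
    return Grant(principal, scope, now + timedelta(minutes=minutes), ticket)


def is_authorised(grant, scope, now):
    """Allow only an exact scope match on a grant that has not expired."""
    if grant.scope != scope:
        return False
    return grant.expires_at is None or now < grant.expires_at


@dataclass
class Account:
    name: str
    kind: str                # "human", "service" or "third_party"
    privileged: bool
    standing: bool           # True = privileges held permanently rather than via JIT
    last_used: datetime
    owner_active: bool = True
    access_ends: Optional[datetime] = None   # agreed end date for third-party access


def audit_entitlements(accounts, now, stale_days=90):
    """Flag the conditions the article names; the 90-day staleness threshold is assumed."""
    findings = []
    for a in accounts:
        if a.privileged and a.standing:
            findings.append((a.name, "standing_privilege"))
        if a.kind == "service" and (now - a.last_used).days > stale_days:
            findings.append((a.name, "stale_service_account"))
        if a.kind == "service" and not a.owner_active:
            findings.append((a.name, "orphaned_owner"))
        if a.kind == "third_party" and a.access_ends and now > a.access_ends:
            findings.append((a.name, "vendor_access_expired"))
    return findings


# Constructed inventory; every name and date is illustrative.
ACCOUNTS = [
    Account("svc-legacy-erp-sync", "service", True, True, NOW - timedelta(days=400), owner_active=False),
    Account("vendor-acme-integrator", "third_party", False, True, NOW - timedelta(days=3),
            access_ends=NOW - timedelta(days=30)),
    Account("alice.dba", "human", True, False, NOW - timedelta(days=1)),
    Account("svc-ci-deploy", "service", True, False, NOW - timedelta(days=2)),
]


def demo_grants():
    """Contrast a 60-minute JIT grant with a standing credential for the same scope."""
    jit = request_jit("alice.dba", "db:orders:write", 60, "CHG-0421", NOW)
    standing = Grant("svc-legacy-erp-sync", "db:orders:write", None)
    return {
        "jit_in_window": is_authorised(jit, "db:orders:write", NOW + timedelta(minutes=30)),
        "jit_after_expiry": is_authorised(jit, "db:orders:write", NOW + timedelta(hours=2)),
        "jit_wrong_scope": is_authorised(jit, "db:orders:read", NOW + timedelta(minutes=30)),
        "standing_six_months_later": is_authorised(standing, "db:orders:write", NOW + timedelta(days=180)),
    }


def run_audit():
    return audit_entitlements(ACCOUNTS, NOW)
```

The standing credential still authorises six months on, which is exactly the exposure the audit surfaces as `standing_privilege`.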
AI-powered attacks — and AI-powered defences
The integration of AI into the attacker toolkit is not a theoretical future state. It is the current operating environment, and it is changing the economics of attack in ways that security teams need to understand clearly. The barrier to mounting a sophisticated phishing campaign, automated vulnerability scan, or targeted social engineering attack has dropped significantly — because AI compresses the skill gap between expert attackers and opportunistic ones.
Deepfake social engineering is the most visible escalation. In 2024, a finance employee at a multinational firm transferred $25 million to fraudsters after a video call with what appeared to be the company's CFO and other senior executives — all AI-generated deepfakes (Hong Kong Police, February 2024). Audio deepfakes impersonating executives to authorise wire transfers, change payroll details, or approve vendor payments have moved from proof-of-concept to operational threat. AI-generated phishing produces emails that are grammatically flawless, contextually tailored, and stripped of the linguistic tells that traditional training teaches users to spot. Automated vulnerability scanning using AI allows threat actors to probe attack surfaces at a scale and speed that human researchers cannot match. And AI-assisted malware can adapt its behaviour dynamically to evade signature-based detection — making it invisible to security tools that are looking for known patterns.
The defensive response is AI applied to the same problem from the other side — and in several domains, defensive AI has meaningful advantages because defenders have access to data that attackers do not: the normal behavioural baseline of the environment being protected.
AI Threat Detection
Modern SIEM platforms with AI integration — Microsoft Sentinel, Splunk SIEM, IBM QRadar — ingest event data at a scale no human analyst can process and identify patterns that correlate across thousands of signals simultaneously. A human analyst reviewing logs might catch an anomaly in one system. An AI model correlating authentication events, network flows, endpoint telemetry, and cloud API calls catches the kill chain — not the individual event.
Behavioural Analytics
User and Entity Behaviour Analytics (UEBA) establishes a dynamic baseline of normal activity for every user, device, and service account in the environment. When behaviour deviates — a service account logging in from an unusual geography, a user downloading ten times their normal data volume, a privileged account accessing resources outside its normal scope — UEBA flags it for investigation. This is how you catch valid credentials being misused, which signature-based detection cannot do.
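The three deviations listed above, implemented as baseline-and-compare logic over constructed daily activity summaries. This is an added example rather than any UEBA product's code; the principals, countries and byte counts are made up, the 10x volume factor is the article's, and alerting on a principal with no baseline is an assumed policy choice.

```python
from collections import defaultdict
from statistics import median


# Constructed per-principal daily activity summaries (what a UEBA pipeline would
# derive from raw auth, proxy and cloud-API logs). All values are illustrative.
def _day(principal, day, country, bytes_out, resources):
    return {"principal": principal, "day": day, "country": country,
            "bytes_out": bytes_out, "resources": resources}


HISTORY = (
    [_day("alice", d, "GB", b, ["sharepoint:finance"])
     for d, b in zip(range(1, 6), [38_000_000, 41_000_000, 40_000_000, 39_000_000, 42_000_000])]
    + [_day("svc-backup", d, "GB", 2_000_000_000, ["s3:backups"]) for d in range(1, 6)]
)
TODAY = [
    _day("alice", 6, "GB", 450_000_000, ["sharepoint:finance"]),                  # >10x usual volume
    _day("svc-backup", 6, "BR", 2_100_000_000, ["s3:backups", "s3:hr-records"]),  # new geo + new scope
    _day("bob", 6, "GB", 10_000, ["wiki:eng"]),                                   # never seen before
]
PRIVILEGED = {"svc-backup"}   # accounts whose resource scope is policed strictly


def build_baseline(history):
    """Per-principal baseline: observed countries, median daily egress, resources touched."""
    by_principal = defaultdict(list)
    for e in history:
        by_principal[e["principal"]].append(e)
    baseline = {}
    for principal, events in by_principal.items():
        baseline[principal] = {
            "countries": {e["country"] for e in events},
            "median_bytes": median([e["bytes_out"] for e in events]),
            "resources": set().union(*(set(e["resources"]) for e in events)),
        }
    return baseline


def detect(baseline, events, volume_factor=10):
    """Return (principal, alert_code) pairs for each deviation from the baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["principal"])
        if b is None:
            # No history to compare against: surface it rather than silently trust it.
            alerts.append((e["principal"], "no_baseline"))
            continue
        if e["country"] not in b["countries"]:
            alerts.append((e["principal"], "unusual_geography"))
        if b["median_bytes"] > 0 and e["bytes_out"] >= volume_factor * b["median_bytes"]:
            alerts.append((e["principal"], "volume_spike"))
        outside_scope = set(e["resources"]) - b["resources"]
        if outside_scope and e["principal"] in PRIVILEGED:
            alerts.append((e["principal"], "privileged_scope_deviation"))
    return alerts


def run_detection():
    return detect(build_baseline(HISTORY), TODAY)
```

Note that every alert here fires on a successful login with valid credentials; a signature rule keyed on malware or failed authentications would see nothing.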
Automated Incident Response
SOAR (Security Orchestration, Automation, and Response) platforms use AI-driven playbooks to automate the first-response actions that previously required human intervention: isolating a compromised endpoint, revoking a suspicious session token, blocking a malicious IP across all firewall rules, notifying the relevant team with full context. The mean time to respond (MTTR) drops from hours to minutes — and the human analyst's time is freed for the judgement calls that genuinely require human cognition.
Threat Intelligence Automation
AI-powered threat intelligence platforms ingest indicators of compromise (IOCs), threat actor TTPs (tactics, techniques, and procedures), and vulnerability data from hundreds of sources — commercial feeds, government advisories, dark web monitoring, open-source intelligence — and automatically enrich alerts with context, prioritise vulnerabilities by actual exploitability in the specific environment, and surface the threats most relevant to the organisation's profile. The result is intelligence that is actionable, not voluminous.
The critical caveat on defensive AI is that it does not replace security architecture — it amplifies it. An AI-powered SIEM with no coherent logging strategy produces noise, not signal. UEBA with no baseline period produces false positives at a rate that destroys analyst trust in the tool. The AI layer is a force multiplier on a fundamentally sound security programme; it cannot substitute for one.
Before and after: reactive vs proactive security
The distinction between reactive and mature security postures is not a matter of budget or technical sophistication in isolation — it is a question of organisational orientation. Reactive organisations treat security as a response function. Mature organisations treat it as a risk management function that operates continuously, anticipates adversary behaviour, and is designed to detect and contain failures before they become catastrophes.
| Security Dimension | Reactive Posture | Mature Posture |
|---|---|---|
| Threat Detection | Signature-based detection; alerts triggered by known malware patterns; anomalies discovered during post-incident forensics or by accident | Behaviour-based UEBA and AI-powered SIEM; continuous correlation across endpoint, identity, network, and cloud telemetry; mean time to detect (MTTD) measured in hours, not months |
| Incident Response | Ad hoc response assembled after breach is confirmed; roles unclear; playbooks nonexistent or untested; containment reactive and slow | Documented IR plan with defined roles, runbooks for top threat scenarios, SOAR automation for initial containment, regular tabletop exercises and live simulations; MTTR measured in hours |
| Identity Management | Password-based authentication; standing privileged access; service accounts with excessive permissions; no regular entitlement review; third-party access ungoverned | MFA enforced universally; passwordless for high-value accounts; PAM for all privileged access; JIT provisioning; quarterly access certification; machine identity governance programme |
| Patch Management | Monthly or quarterly patch cycles; critical vulnerabilities remain unpatched for weeks; no prioritisation by exploitability; legacy systems excluded from patching | Risk-based patching with CVSS and EPSS scoring; critical/actively-exploited patches deployed within 24–72 hours; automated patch compliance reporting; legacy systems isolated with compensating controls |
| Third-Party Risk | Vendor security assessed at onboarding via questionnaire; no ongoing monitoring; supply chain exposure undocumented; contractor access ungoverned | Continuous third-party risk monitoring; vendor access limited to minimum necessary with automatic expiry; software supply chain controls (SBOMs, code signing); annual vendor security reviews for critical suppliers |
| Compliance Posture | Compliance-driven security theatre; controls implemented to pass audit; security posture measured by certification, not by resilience; compliance team siloed from security team | Compliance as a baseline, not a ceiling; continuous control monitoring via GRC platform; security team drives compliance programme; gap between audit evidence and actual security posture actively managed and minimised |
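The Patch Management row's "risk-based patching with CVSS and EPSS scoring" and "legacy systems isolated with compensating controls", as an added example that is not the article's or any vendor's code. The 24-hour and 72-hour deadlines for actively exploited and critical findings are the article's; the lower tiers, the EPSS cut-offs, and the placeholder VULN-x identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str              # placeholder identifiers, not real CVE numbers
    cvss: float               # CVSS base score, 0-10
    epss: float               # EPSS probability of exploitation within 30 days, 0-1
    actively_exploited: bool  # e.g. listed on a known-exploited-vulnerabilities catalogue
    internet_facing: bool
    legacy_unpatchable: bool = False   # system cannot take the patch


def sla_hours(f):
    """Remediation deadline. 24h/72h for actively exploited/critical follow the
    article; the remaining tiers and the EPSS thresholds are assumed policy values."""
    if f.actively_exploited:
        return 24
    if f.cvss >= 9.0 or f.epss >= 0.5:
        return 72 if f.internet_facing else 168
    if f.cvss >= 7.0 or f.epss >= 0.1:
        return 14 * 24
    return 30 * 24


def prioritise(findings):
    """Order by deadline, then exploit likelihood, then severity, and map each
    finding to an action: patch, or isolate behind compensating controls."""
    ranked = sorted(findings, key=lambda f: (sla_hours(f), -f.epss, -f.cvss))
    return [(f.vuln_id, sla_hours(f),
             "isolate+compensating-controls" if f.legacy_unpatchable else "patch")
            for f in ranked]


def cvss_only_order(findings):
    """The ordering a severity-only programme would produce, for contrast."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


# Constructed scan results; the identifiers are placeholders.
FINDINGS = [
    Finding("VULN-A", cvss=9.8, epss=0.02, actively_exploited=False, internet_facing=True),
    Finding("VULN-B", cvss=6.5, epss=0.91, actively_exploited=True, internet_facing=True),
    Finding("VULN-C", cvss=7.5, epss=0.05, actively_exploited=False, internet_facing=False),
    Finding("VULN-D", cvss=4.3, epss=0.01, actively_exploited=False, internet_facing=False),
    Finding("VULN-E", cvss=9.1, epss=0.30, actively_exploited=False, internet_facing=False,
            legacy_unpatchable=True),
]


def run_plan():
    return prioritise(FINDINGS)
```

The medium-severity but actively exploited VULN-B moves to the top of the queue, ahead of the 9.8 that nobody is exploiting; severity-only ordering would have put it fourth.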
Building security that actually holds under pressure
The most damaging security failures in recent years — SolarWinds, Log4Shell, the MOVEit transfer exploitation — share a characteristic that should inform every security programme design conversation: they succeeded not because organisations lacked security tools, but because their security postures were not architected to withstand the specific threat vectors that were used. Compliance certifications were current. Firewalls were operational. Security teams existed. And yet the attacks succeeded.
The difference between compliance-driven security theatre and genuine resilience comes down to whether the security programme is designed around what an auditor needs to see or around what an attacker actually does. These are not the same design problem.
Threat modelling, not just vulnerability scanning
Vulnerability scanners find known weaknesses in known systems. They are necessary but radically insufficient. Threat modelling asks a different question: given what we know about the threat actors likely to target us, what are the most plausible attack paths through our environment, and do our controls actually break those paths? The MITRE ATT&CK framework — a structured taxonomy of adversary tactics, techniques, and procedures drawn from real-world intrusions — provides the reference model for this analysis. Security teams that map their controls against ATT&CK matrices for their most likely threat profiles find gaps that no vulnerability scanner would surface.
Red team and blue team: testing before attackers do
Penetration testing is a point-in-time assessment of a scoped environment. Red team exercises are something different: adversary simulations that test the full detection-and-response capability of the security programme, not just the hardness of individual systems. A red team that successfully exfiltrates data from a production environment without triggering a single alert is not delivering bad news — it is delivering information you needed before an actual adversary did the same thing. The organisations with the most resilient security postures red team regularly, treat the results as investment priorities, and measure improvement over successive engagements.
The incident response plan you test before you need it
IBM's Cost of a Data Breach data shows that organisations with an incident response plan that is both in place and regularly tested save an average of $1.49 million compared to organisations with no IR plan. Tabletop exercises — scenario-based walk-throughs of specific breach scenarios with the people who would actually respond — are not expensive to run and are genuinely predictive of response quality under pressure. The common failure mode is an IR plan that exists as a document but has never been executed: roles that are undefined in practice, escalation chains that break on the first call, forensic tools that are not deployed and tested before they are needed.
The human layer: security culture as a control
Given that 82% of breaches involve the human element, treating security awareness as a compliance training checkbox is a strategic error. Effective security culture programmes run phishing simulations regularly and use the results to identify high-risk users and target training. They make security feedback immediate — a user who clicks a simulated phishing link receives an in-context explanation of why the email was suspicious, not a generic training module three months later. And they measure security behaviour as a metric tracked by leadership, not a report filed with HR.
Security as a board-level issue
The organisations that handle breaches best are the ones where the board has visibility into security posture before an incident occurs — not just when they are being briefed on the forensics. SEC disclosure rules that took effect in late 2023 now require US public companies to disclose material cybersecurity incidents within four business days and to describe the board's oversight of cybersecurity risk. The regulatory signal is clear: security is a board governance matter, and boards that treat it as an IT operational concern will find themselves inadequately prepared when the question becomes material.
Our view
The 2025 threat landscape does not reward caution or ambiguity about security priorities. The cost of a breach, the dwell time of an undetected intrusion, and the sophistication of AI-assisted attacks have all increased to the point where a reactive, compliance-first security posture is not a conservative choice — it is a high-risk one. The organisations that have held up best against the past three years of escalating threat activity share a specific set of characteristics: they have replaced perimeter thinking with identity-first architecture, they have tested their incident response capability before they needed it, and they have treated security as a risk management function owned at the executive level, not an IT cost centre managed below it.
The practical implication is that security investment decisions need to be made in the right sequence. Buying a market-leading SIEM before establishing a coherent logging strategy produces alert noise, not threat detection. Deploying Zero Trust network access before hardening the identity layer creates a sophisticated architecture with a weak foundation. The organisations we see achieving genuine security maturity work from fundamentals outward: clean identity governance first, then Zero Trust access controls, then AI-powered detection and response, then continuous testing. Each layer amplifies the one beneath it — and a gap in any layer undermines everything above it.
The $4.88 million question is not really about the average breach cost. It is about whether your organisation's security posture was designed for the threat environment you are actually in — one where attackers are patient, AI-enabled, and targeting identity rather than perimeter; one where detection and response speed matters as much as prevention; and one where the human element remains the highest-probability attack vector regardless of how much is spent on technology. The organisations that answer that question honestly, and build their security programmes around the answer, are the ones that do not become the next case study.
Key Takeaways from This Report
- The average data breach cost $4.88 million in 2024 and took 277 days to contain — the worst figures in IBM's 19-year benchmarking history, with healthcare averaging $9.77 million per incident
- 82% of breaches involve the human element (Verizon DBIR 2024) — phishing, stolen credentials, and social engineering remain the dominant attack vectors regardless of perimeter investment
- The network perimeter is gone: cloud, remote work, BYOD, and SaaS proliferation have dissolved the boundary that traditional firewall-based security was designed to protect
- Zero Trust — never trust, always verify — is the reference architecture for mature security postures; 67% of organisations have a defined initiative, but fewer than 20% have achieved full implementation
- Identity is the primary attack surface: 75% of initial access attempts in 2024 were malware-free, exploiting valid credentials rather than vulnerabilities (CrowdStrike Global Threat Report 2024)
- AI-powered attacks — deepfake social engineering, AI-generated phishing, automated vulnerability scanning — have lowered the attacker skill barrier and require AI-powered defensive responses including UEBA, SOAR, and threat intelligence automation
- Organisations with a tested incident response plan save an average of $1.49 million per breach compared to those without one — the IR plan that exists only as a document provides no measurable benefit under pressure