Most Breaches Happen Because the Basics Fail

There’s a persistent myth in cybersecurity that breaches are the result of highly sophisticated, nation-state-level attacks exploiting zero-day vulnerabilities. While those scenarios do exist, they are not the norm. The uncomfortable reality is much simpler: most breaches occur because organizations fail at the fundamentals. Weak controls, inconsistent processes, and a lack of operational discipline create the conditions attackers rely on every day.

The Real Root Cause: Control Breakdown, Not Advanced Threats

Across industries, the same patterns repeat:

  • Unpatched systems leave known vulnerabilities exposed for months

  • Weak or reused passwords make credential stuffing trivial

  • Lack of MFA turns a compromised password into full access

  • Overprovisioned access allows lateral movement without resistance

  • Phishing susceptibility opens the front door without force

  • Missing logging and monitoring delays detection until it’s too late

None of these are novel attack vectors. They are failures in execution—gaps between what organizations know they should be doing and what is actually happening in practice.

Attackers don’t need to be innovative if defenders are inconsistent.

Why Fundamentals Break Down

If the controls are well understood, why do they fail so often? The issue isn’t awareness—it’s operational maturity.

  1. Security is treated as a project, not a program
    Controls get implemented once but aren’t maintained, tested, or measured over time.

  2. Compliance replaces security thinking
    Organizations focus on passing audits rather than building resilient systems. A control that exists on paper but isn’t operationalized is effectively nonexistent.

  3. Lack of ownership
    No clear accountability for identity, patching, or monitoring leads to fragmented execution.

  4. Tool sprawl without process discipline
    Buying more tools doesn’t solve foundational gaps. Without governance, tools create noise—not protection.

  5. Business velocity outpaces security controls
    Rapid growth, cloud adoption, and new integrations introduce risk faster than controls are implemented.

What “Good Fundamentals” Actually Look Like

Strong security fundamentals are not flashy—but they are highly effective when executed consistently:

  • Identity-first security

    • Enforce MFA everywhere (especially for privileged access)

    • Implement least privilege and regularly review access

    • Eliminate shared and orphaned accounts

  • Patch and vulnerability management discipline

    • Prioritize based on risk, not volume

    • Establish SLAs and track remediation performance

    • Continuously scan and validate

  • Email and phishing resilience

    • User training tied to real-world simulations

    • Technical controls (filtering, DMARC, sandboxing)

    • Rapid reporting and response workflows

  • Endpoint and infrastructure hygiene

    • Standardized configurations (secure baselines)

    • EDR/XDR with active monitoring

    • Asset inventory that is actually accurate

  • Logging, monitoring, and response

    • Centralized logging with defined use cases

    • Alert tuning to reduce noise and increase signal

    • Tested incident response plans—not shelfware

The Difference Between “Implemented” and “Effective”

One of the most common gaps I see is the assumption that because a control exists, it is working. In reality, there’s a significant difference between:

  • Configured vs. enforced

  • Deployed vs. monitored

  • Documented vs. operational

For example:

  • MFA enabled for 80% of users is not “MFA implemented”

  • A patching policy without metrics is not “vulnerability management”

  • Logging without review is not “monitoring”

Effectiveness requires measurement, validation, and continuous improvement.
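The distinction above (configured vs. enforced, deployed vs. monitored) only becomes actionable once it is measured. The following is an added example, not code from the original post: it computes the kind of operational metrics the post calls for (MFA coverage split out for privileged accounts, patch-SLA compliance that counts open findings once they age past the limit, and orphaned or stale accounts) over a small constructed inventory. The SLA values in `PATCH_SLA_DAYS` and all account and finding records are assumptions made up for the illustration.

```python
"""Control-effectiveness metrics over constructed inventory data.

Added example (not from the original post). Every record and the SLA
table below are constructed values for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    user: str
    privileged: bool
    mfa_enforced: bool            # enforced by policy, not merely "available"
    last_login: Optional[date]    # None = never signed in
    owner_active: bool            # False = owner has left; account is orphaned


@dataclass
class Finding:
    host: str
    severity: str                 # "critical" | "high" | "medium" | "low"
    first_seen: date
    fixed: Optional[date]         # None = still open


# Assumed remediation SLAs in days (illustrative policy values, not from the post).
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def mfa_coverage(accounts: List[Account]) -> Tuple[float, float, List[str]]:
    """Overall and privileged MFA coverage (%) plus privileged users lacking MFA.

    Coverage is reported as a number rather than as "MFA implemented", and
    privileged accounts are measured separately because a single missing
    factor there turns one stolen password into full access.
    """
    overall = 100.0 * sum(a.mfa_enforced for a in accounts) / len(accounts)
    priv = [a for a in accounts if a.privileged]
    priv_pct = 100.0 * sum(a.mfa_enforced for a in priv) / len(priv) if priv else 100.0
    gaps = sorted(a.user for a in priv if not a.mfa_enforced)
    return round(overall, 1), round(priv_pct, 1), gaps


def patch_sla_compliance(findings: List[Finding], today: date):
    """Share of findings remediated within SLA, and open findings already past it.

    An open finding counts against the SLA as soon as its age exceeds the
    limit; without this number a patching policy has no metric behind it.
    """
    within = 0
    open_past_sla = []
    for f in findings:
        age_days = ((f.fixed or today) - f.first_seen).days
        if age_days <= PATCH_SLA_DAYS[f.severity]:
            within += 1
        elif f.fixed is None:
            open_past_sla.append((f.host, f.severity, age_days))
    pct = round(100.0 * within / len(findings), 1) if findings else 100.0
    return pct, open_past_sla


def orphaned_or_stale(accounts: List[Account], today: date, stale_days: int = 90):
    """Accounts whose owner is gone, that were never used, or idle past stale_days."""
    flagged = []
    for a in accounts:
        if not a.owner_active:
            flagged.append((a.user, "orphaned"))
        elif a.last_login is None:
            flagged.append((a.user, "never-used"))
        elif (today - a.last_login).days > stale_days:
            flagged.append((a.user, "stale"))
    return sorted(flagged)


def effectiveness_report(accounts, findings, today):
    """One dictionary a dashboard or weekly review can track over time."""
    overall, priv, gaps = mfa_coverage(accounts)
    sla_pct, past_sla = patch_sla_compliance(findings, today)
    return {
        "mfa_overall_pct": overall,
        "mfa_privileged_pct": priv,
        "privileged_without_mfa": gaps,
        "patch_sla_pct": sla_pct,
        "open_past_sla": past_sla,
        "account_hygiene": orphaned_or_stale(accounts, today),
    }


# Constructed sample data (hypothetical users, hosts and dates).
TODAY = date(2024, 6, 3)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, date(2024, 6, 1), True),
    Account("bob", False, True, date(2024, 5, 20), True),
    Account("carol", True, False, date(2024, 6, 2), True),
    Account("svc_backup", True, False, date(2023, 11, 1), False),
    Account("dave", False, True, None, True),
]
SAMPLE_FINDINGS = [
    Finding("web01", "critical", date(2024, 5, 1), date(2024, 5, 5)),
    Finding("web01", "high", date(2024, 4, 1), date(2024, 5, 15)),
    Finding("db01", "critical", date(2024, 5, 20), None),
    Finding("app02", "medium", date(2024, 4, 10), None),
    Finding("app02", "low", date(2024, 1, 1), date(2024, 3, 1)),
]

if __name__ == "__main__":
    for key, value in effectiveness_report(SAMPLE_ACCOUNTS, SAMPLE_FINDINGS, TODAY).items():
        print(f"{key}: {value}")
```

On the sample data the report shows 60% MFA coverage overall but only 33.3% for privileged accounts, a 60% patch-SLA rate with one critical finding already past its window, and two accounts (one orphaned, one never used) that a review cycle should remove. Those are the numbers that separate "a control exists" from "a control is working".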

A Risk-Based Approach to Fundamentals

Organizations don’t need to do everything at once—but they do need to do the right things well. A risk-based approach prioritizes:

  1. High-impact controls first (identity, access, patching)

  2. Consistency over complexity

  3. Visibility before optimization

  4. Operational metrics, not just policies

When fundamentals are strong, the attack surface shrinks dramatically—and more advanced controls actually become meaningful.

Final Thought

Cybersecurity doesn’t fail because organizations lack awareness of best practices. It fails because the basics aren’t executed with rigor and consistency.

Before investing in the next tool, framework, or initiative, ask a simpler question:

Are we doing the fundamentals—really well, every day?

Because that’s where most breaches begin—and where most can be stopped.
