SECTION 1: Foundational failures
The weakest links in enterprise security
How control gaps lead to breaches
Zoom in on any breach this year and the same pattern emerges. Not clever tactics or new malware, but the simple things: missed patches, mishandled data, and unrestricted privileged access. All of them are gaps that the right controls should have stopped, but the controls were left untracked or untested.
A striking 84% of surveyed organizations experienced such incidents in the twelve months to September 2025.
Strong controls and cyber hygiene are still the frontline defense. AI isn't re-writing the playbook.
Why are control failures so common?
Many have touted the importance of good cyber hygiene over the years – catching issues early is far better than picking up the pieces later. So why do control failures keep leading to breaches, even when CISOs agree that being proactive is the goal?
The hard truth is this: Most teams simply don’t have the tools, resources, or time to monitor all controls effectively and minimise the gaps that are leading to breaches.
Just 25% of security leaders test the performance of their controls at least once a week. For everyone else it is monthly at best, and, most worryingly, 5% of organizations test the efficacy of their controls only once a year. It is why just one third (33%) of leaders feel fully confident their business could stand up to a targeted cyberattack.
Most teams are stuck with manual, hands-on testing. But over three-quarters (77%) of CISOs openly say this manual model of controls assurance is not fit for today’s threat landscape, and 77% of CISOs state that moving to a continuous, automated controls assurance approach will be a top priority for the year ahead.
Chart: How often do you test whether security controls are working and effective?
Average number of control performance tests per enterprise: 19 per year.
Compound risk: the growth of multiple toxic control failures
In 2026, accurate controls assurance is no longer just about individual controls.
In a world where attacks are quicker and more sophisticated than ever, it is not just single points of failure that are a cause for concern, but the chain reaction when several controls fail at once. In 2025, three-quarters (75%) of organizations hit by a breach were not undone by a single control gap: the breach resulted from two or more control failures occurring together.
72% of cybersecurity leaders believe AI increases the risk and likelihood of these toxic combinations. AI brings benefits, but it also creates new ways for control failures to line up in damaging ways. This is echoed in confidence levels. Only 29% of CISOs say they feel completely ready to withstand a complex attack that targets AI systems, identity, and third-party service partners all at once.
The financial fallout of control failures
The average cost of responding to and recovering from a cyber event in 2025 was $14 million, with almost 10% of enterprise organizations facing a financial fallout of $100 million or more.
For even the biggest organizations, breaches are all-consuming. On average, the cost equates to almost three-quarters (73%) of their yearly cybersecurity budget. And for cyber teams at medium-sized enterprises, the cost of recovery nearly matches their entire cybersecurity spend for the year.
But it is not just the financial fallout that is affecting cyber teams. Because control failures remain a key cause of breaches, leaders are losing confidence in their own assurance, with a growing sense of “we thought we had this covered.” It is why 65% of CISOs say they want a single source of truth on controls coverage and effectiveness to help them sleep at night.
Chart: Total financial impact of cybersecurity breaches or incidents last year
MAIN TAKEAWAY
Attackers are taking advantage of multiple control failures
Attackers regularly outmaneuver current protective measures and controls. Security controls that should prevent breaches are repeatedly failing, costing organizations millions and undermining confidence in the basics of cyber hygiene.
How are CISOs responding in 2026?
Despite many cybersecurity teams having some controls assurance program in place, manual control checks are no longer viable.
Instead, almost all CISOs and their teams are prioritizing automation, moving away from point-in-time testing and towards Continuous Controls Monitoring (CCM). By leveraging continuous monitoring technology, teams can turn blind spots into measurable, actionable insights for improvement.
The challenge in 2026 is making sure automated assurance programs can analyse data from across cybersecurity domains and surface toxic combinations before attackers strike.
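The correlation described above, as an added example that is not part of this report and not any vendor's product code: three constructed per-asset feeds stand in for a vulnerability scanner, a privileged-access system and an endpoint-agent inventory, and the script joins them on a hypothetical asset identifier to flag assets where two or more controls fail at the same time. The asset names, the 30-day patch SLA, the 7-day agent silence threshold and the policy that admin rights must be granted just-in-time are all assumptions chosen for the example.

```python
"""Toxic-combination check across control domains (added example, constructed data)."""

CONTROLS = ("patching", "privileged_access", "endpoint_agent")
PATCH_SLA_DAYS = 30  # assumed SLA: critical patches applied within 30 days of release

# Constructed feeds; the asset identifiers are hypothetical.
VULN_FEED = {  # asset -> days since the oldest open critical patch was released
    "web-01": 45, "web-02": 3, "db-01": 60, "jump-01": 0, "hr-01": 12,
}
PAM_FEED = {  # asset -> accounts holding standing (not time-boxed) admin rights
    "web-01": {"svc-deploy"}, "db-01": {"dba-shared", "svc-backup"},
    "jump-01": {"ops-admin"}, "hr-01": set(), "web-02": set(),
}
EDR_FEED = {  # asset -> days since the endpoint agent last checked in
    "web-01": 0, "web-02": 1, "db-01": 14, "jump-01": 0,
    # hr-01 is absent on purpose: no agent was ever enrolled on it
}


def evaluate_controls(vuln_feed, pam_feed, edr_feed,
                      patch_sla_days=PATCH_SLA_DAYS, agent_max_silence_days=7):
    """Return {asset: {control: passed}} for every asset seen in any feed.

    An asset absent from a feed fails that control: an asset nobody is
    measuring is not assured, and counting it as passing hides the gap.
    """
    assets = set(vuln_feed) | set(pam_feed) | set(edr_feed)
    results = {}
    for asset in sorted(assets):
        patch_age = vuln_feed.get(asset)
        standing_admins = pam_feed.get(asset)
        agent_silence = edr_feed.get(asset)
        results[asset] = {
            "patching": patch_age is not None and patch_age <= patch_sla_days,
            # assumed policy: admin rights are granted just-in-time, so any
            # standing admin account is a control failure
            "privileged_access": standing_admins is not None and len(standing_admins) == 0,
            "endpoint_agent": (agent_silence is not None
                               and agent_silence <= agent_max_silence_days),
        }
    return results


def toxic_combinations(results, min_failures=2):
    """Assets on which min_failures or more controls fail together.

    Sorted so the assets with the most simultaneous failures come first.
    """
    found = []
    for asset, controls in results.items():
        failed = [c for c in CONTROLS if not controls[c]]
        if len(failed) >= min_failures:
            found.append((asset, failed))
    found.sort(key=lambda item: (-len(item[1]), item[0]))
    return found


def control_effectiveness(results):
    """Share of assets passing each control: the per-control figure a CCM dashboard reports."""
    total = len(results)
    return {c: sum(r[c] for r in results.values()) / total for c in CONTROLS}


if __name__ == "__main__":
    results = evaluate_controls(VULN_FEED, PAM_FEED, EDR_FEED)
    for asset, failed in toxic_combinations(results):
        print(f"{asset}: {len(failed)} controls failing together: {', '.join(failed)}")
    for control, rate in control_effectiveness(results).items():
        print(f"{control}: {rate:.0%} of assets passing")
```

Two design choices matter more than the thresholds. First, an asset missing from a feed is scored as failing that control, so a coverage gap surfaces as a finding rather than quietly inflating the pass rate. Second, the per-control pass rates look tolerable on their own (60%, 40%, 60% on this data), while the join shows that the same two hosts carry most of the failures, which is the compound exposure the per-domain view hides.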