Assume breach: what it means and why digital resilience is critical

Ransomware is no longer a theoretical risk. The Ransomware Landscape 2025 shows that cyber attacks have become a structural part of the reality in which organisations operate. Based on reports from organisations including the National Cyber Security Centre (NCSC), law enforcement and incident response specialists, an estimated 92 unique ransomware incidents were identified in 2025. Although this figure is lower than in 2024, it presents a distorted picture. In particular, within the SME segment, the actual number of incidents is likely to be significantly higher. This development highlights a central question: how resilient is your organisation when a cyber incident actually occurs?

What is assume breach?

Assume breach is a principle within modern cybersecurity whereby organisations assume that a digital attack will eventually be successful. Not because security controls are inadequate, but because no digital environment is entirely risk free.

The principle shifts the focus from prevention alone to the question of:

  • how quickly an attack is detected,
  • how large the impact may be,
  • and how predictable recovery is.

Assume breach is therefore not a technical measure, but a board-level and strategic mindset.

How do ransomware attacks gain access?

The Ransomware Landscape shows that what matters is not only the number of incidents but, above all, how attackers gain access.

Most common attack vectors

In more than half of ransomware incidents, initial access was obtained through:

  • account takeover (often via phishing),
  • infostealers,
  • man-in-the-middle attacks.

In addition, exploitation of vulnerabilities in publicly accessible systems remains an important entry point. These attack vectors demonstrate that technical measures alone are not sufficient.

Why recovery capability often falls short

Digital disruption does not end with detection. In practice, recovery capability proves to be a particular weakness.

  • 43% of affected organisations needed more than three days to recover
  • 15% recovered only after a week or longer

This is despite the fact that a large proportion of these organisations had backups in place. The question is therefore justified: can your organisation absorb several days of downtime without severe consequences for operations, customers and reputation? For many organisations, the honest answer is no.

From prevention to managing disruption

The assume breach mindset aligns with this reality. Digital attacks cannot be fully prevented. There is no 100% certainty, regardless of the level of investment in security measures.

It is important to understand what assume breach does not mean:

  • prevention is not abandoned,
  • risks are not downplayed,
  • and control is not relinquished.

What it does mean is that organisations accept disruption as a realistic scenario and prepare accordingly.

Increasing impact: double extortion

The urgency of assume breach is further reinforced by the rise of double extortion. In these cases, data is not only encrypted, but also exfiltrated.

Threats to publish or sell sensitive information place immediate pressure on:

  • reputation,
  • legal obligations,
  • and business continuity.

Cybersecurity therefore affects not only IT, but also governance and risk management.
