惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
S
Secure Thoughts
月光博客
月光博客
美团技术团队
雷峰网
雷峰网
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Forbes - Security
Forbes - Security
W
WeLiveSecurity
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志
爱范儿
爱范儿
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AI
AI
Last Week in AI
Last Week in AI
Google Online Security Blog
Google Online Security Blog
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recent Announcements
Recent Announcements
Webroot Blog
Webroot Blog
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
N
News and Events Feed by Topic
罗磊的独立博客
The Register - Security
The Register - Security
Blog — PlanetScale
Blog — PlanetScale
T
Threat Research - Cisco Blogs
博客园 - 【当耐特】
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
B
Blog
腾讯CDC
Microsoft Azure Blog
Microsoft Azure Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Engineering at Meta
Engineering at Meta
Latest news
Latest news
IT之家
IT之家
D
DataBreaches.Net
博客园 - 司徒正美
N
Netflix TechBlog - Medium
V
V2EX
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知

WeLiveSecurity

Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
Cybercriminals: the 'auditors' you never hired
Steven Connolly · 2026-06-09 · via WeLiveSecurity

There’s one cognitive bias that we humans are prone to, and it lies at the centre of some of the challenges that cybersecurity professionals face every day. It’s known as the normalcy bias – what Dr. Lauren Braithwaite defines as “our tendency to underestimate the possibility of disaster and believe that life will continue as normal, even in the face of significant threats or crises.” It's why people hesitate after fire alarms go off or delay reacting in other unfolding situations because things still appear manageable.

As this bias can lead us to mistake familiarity for safety and assumptions for evidence, it’s increasingly getting in the way of dealing with the cybersecurity reality. It causes people to underestimate the likelihood of a cyberattack or to interpret an absence of obvious problems or consequences as evidence that risks are under control. In practice, many organisations treat a lack of clear alerts from their chosen protection platform(s) as proof that everything is hunky-dory. Others fail to act quickly enough on warning signs because they assume that business will simply continue as usual.

Meanwhile, despite a steady drumbeat of news headlines on breaches at organisations like M&S, JLR, and Co-op (and most breaches never actually make it to the front pages), and advice from the cybersecurity industry and government organisations about how to avoid becoming the next victim, the number of major incidents continues to rise at an eye-watering rate.

The NCSC Annual Review 2025 reported 204 "nationally significant" cyberattacks in the 12 months to August 2025, a 130% increase from the 89 reported in the previous year. Of 429 total incidents, 18 were classified as "highly significant," marking a 50% increase in severe incidents. Breach rates remain stubbornly high, which may reflect a creeping normalisation of breach risk and be seen as normalcy bias at scale: the more common breach disclosures become, the less urgency each one may carry.

Lessons learnt?

There’s a phrase that is peddled out by governments and companies alike when a catastrophe of any type – including a cybersecurity breach – occurs: “Lessons have been learnt”.

But have they? The 130% increase in significant incidents between 2024 and 2025 severely challenges this assertion and points to lessons not being learnt, at a macro level. Seems like a big no!

Last year I wrote a blog post that may, in part, explain the psychological state after a breach. I argued that many companies are, in a sense, both breached and not breached, simultaneously, and I likened this situation to Schrödinger’s cat. Until you open the box by interrogating logs or actively searching for a compromise, the comfort of “we haven’t been breached” merely reflects the fact that no-one has actually checked. In fact, this reluctance to look could also be normalcy bias quietly doing its work.

“Lessons have been learnt” is the aftermath of opening the box, finding the cat to be (unfortunately) deceased, and then declaring: “we know what’s happened, we’ve got a handle on this, don’t worry”. This is narrative, not evidence of a meaningful change in approach.

By contrast, real learning is a proactive process that changes how organisations need to behave. This should be reflected in changes to budgets, policies, rules, recovery planning, supplier scrutiny, logging, monitoring, training, and the tolerance for error, to name just a few things. And all done before the inevitable breach takes place. It’s much more difficult to hit a moving target, after all.

So, if we can accept that normalcy bias is a common and human cognitive condition, we can progress towards avoiding complacency before a breach and minimise its impact. ‘To err is human’, but now we know what the failing is, we have an imperative to act upon that knowledge – and do things differently.

Endgame: what if we still don’t recognise this bias?

The criminal ‘auditors’ are banking on human error. After all, it’s why phishing is still one of the most prevalent ways that breaches occur.

There are two main ways in which the endgame plays out in cybersecurity.

Either we regularly audit ourselves – run penetration testing, red/blue/purple team and other attack simulation exercises, regularly re-evaluate the threat landscape, and invest in our security provision as part of our cyber resilience strategy.

Or we allow cybercriminals to do the ‘audit’ for us. They rely on a false sense of security (literally), and this is the chink in the armour they exploit.

Criminals ‘auditing’ you can be brutal, costly, devastating and, in many cases, terminal for organisations. That is why this metaphor matters – cybercriminals discover the gap between what an organisation believes about its security and what the reality is.

To put things into perspective, ESET’s threat intelligence processes 750,000 suspicious samples, analyses 2.5 billion URLs while blocking 500,000 of them – every day. Threat actors are relentless, and as their attacks become more and more sophisticated, we have to ditch any thought that we are impervious. We must accept that normalcy bias exists and act upon it.

In the face of a number of high-profile retail breaches in the UK, ESET conducted research with 2,000 consumers. The resulting report revealed, amongst other things, that 46% of shoppers said it would take them 5+ months to rebuild trust after a data breach. That’s an expensive audit! One needs to do the simple math to estimate the direct financial damage if that’s all the senior management are interested in. All on its own this should suffice despite the fact this is often the tip of a very painful iceberg.

The bottom line

An aspect of normalcy bias that I find most intriguing is that, despite the increased sophistication, speed, volume and variety of attack vectors we are all aware of, our approach to cyber resilience strategies often remains rooted in the past – even if it is relatively recent past. But time passes quickly in cybersecurity, and in the 4 or 5 minutes it’s taken you to read this article, ESET will have processed over 2,000 suspicious samples and scanned approx. 7 million URLs blocking approx.1,500 of them.

When asking why we should review cybersecurity services provision, are we accounting for all parameters that have changed (globally as well as locally) in the last few years and how it could affect our current security posture?

Right off the top of your head, you could probably name at least a few of these:

  • Rise of AI-enabled fraud and other threats.
  • The war in Ukraine.
  • Iran.
  • Increase in cost of cybercrime worldwide.
  • Deepfakes.
  • Increased social engineering attacks.
  • Persistence of phishing as the main attack vector.
  • Increased complexity of cybersecurity solutions and services.
  • Cyber skills gaps remaining worryingly wide.

There are many others, no doubt. And it’s no coincidence that the level of protection offered by vendors only a few short years ago is being phased out, and MDR/XDR/MXDR services and solutions are becoming the norm.

The criminal ‘auditors’ certainly haven’t sat back on their laurels in that time. Whilst the use of new tools, like AI, doesn’t necessarily mean better coding, it does enable them to scale attacks massively – and it allows them to scan for vulnerabilities at an unprecedented pace.

  • If you aren’t investing in auditing, testing, cyber awareness, and prevention technologies, you’re not saving money – you’re simply outsourcing assurance to the criminals.
  • The most engaged C-suite are with cybersecurity is immediately after a costly breach – after normalcy is shattered. Make them engage earlier.
  • Criminals work 24 hours a day, round the clock with agentic AI by their side. Are your solutions resilient enough to cope? Check.
  • Whatever the size of your organisation, you need to look at your cyber profile and resilience constantly.
  • Don’t mistake (incident) silence for safety – invest in 24/7 MDR/MXDR services.
  • Now you know about the ‘normalcy bias’ trap – avoid it.