The Director's Cut: Lessons learned from analyzing over 12,000 breaches

EDITOR'S PICK

Rob Sloan

Contributor

Zscaler

Apr 25, 2025

This edition of The Director's Cut covers the lessons learned from analyzing over 12,000 breaches, plus avoiding overconfidence bias, deepfake job candidates, breach settlements, and more.

The Headline: Insights from 12,000 Data Breaches

Findings from the newly released annual Verizon Data Breach Investigations Report, based on analysis of over 12,000 breaches across 139 countries, should be of interest to directors overseeing cyber risk.

Most notable: third-party involvement in breaches doubled to 30% over the previous year, making vendor and supply chain governance a board-critical issue. This surge exposes the enterprise-wide consequences of insufficient due diligence in partner selection and ongoing oversight. Risk management frameworks must extend beyond internal operations to include external digital ecosystems that extend to suppliers, vendors, hosting providers, and outsourced IT support.

One in five breaches now results from vulnerabilities in internet-facing devices, such as firewalls or VPN appliances, and the research shows the median remediation time for vulnerabilities is 32 days, leaving organizations significantly exposed. These delays highlight a critical gap that underscores the need for structural solutions rather than reactive fixes. Transitioning to a zero trust architecture not only reduces dependence on legacy perimeter hardware, but also significantly simplifies networks and shrinks the organization’s attack surface.

Unsurprisingly, ransomware continues to hit businesses, with smaller businesses disproportionately affected: it played a part in 88% of small business breaches. The median ransom payment dropped to $115,000, but payments can be far larger: Zscaler identified a $75 million payment in 2024. Given the high likelihood of ransomware attacks, boards must evaluate incident response preparedness (more below) and question whether their organizations’ current architectures and security solutions will prevent such disruption.

Though hacking techniques constantly evolve, the vast majority can be mitigated with modern architectures and effective threat management.

Key Questions for the Board to Ask Management:

  1. How are we assessing, monitoring, and holding third parties accountable for their cybersecurity practices—particularly those with access to our systems or sensitive data?
  2. What is our roadmap for implementing a zero trust architecture, and how will it reduce our exposure to vulnerabilities in internet-facing infrastructure?
  3. What specific lessons have we drawn from past cyber incidents—either within our organization or among peers—and what concrete changes have we made to prevent recurrence?

On the Radar:

How are we ensuring accountability and avoiding overconfidence bias within our cybersecurity leadership?

The results of a new study published in the MIT Sloan Management Review challenge the assumption that increasing headcount in cybersecurity leadership structures inherently improves cyber risk mitigation. Instead, researchers found that larger, more complex hierarchies can foster overconfidence, dilute accountability, and impair responsiveness.

This "illusory superiority"—where leaders overestimate their preparedness relative to peers—can mask real vulnerabilities, particularly with severe threats like ransomware. Further, adding layers of senior management can obscure responsibility and suppress valuable technical input from lower-level experts, according to the report.

Directors should adopt a "never trust, always verify" mindset by asking exactly how the business is prepared to counter serious threats, and should lean on anonymous benchmarking with peers where possible to counter any management overconfidence.

Is your organization’s HR team looking for deepfake candidates?

Recent reports of North Korean cybercriminals using real-time deepfake technology to apply for remote jobs at U.S. companies are a cause for concern, as companies including cybersecurity firm KnowBe4 found out. Once hired, these threat actors can extract proprietary information, install malware, redirect funds, or, at the very minimum, claim a salary and deliver no value.

As deepfake technology improves, organizations must employ a multi-layered approach combining technical verification methods with human intuition to protect their systems and information. Tips for identifying fake candidates include:

  • Request actions that challenge AI limitations (hand-face interactions, rapid head movements)
  • Watch for visual inconsistencies in facial boundaries, lighting and audio-visual sync
  • Implement robust identity verification protocols
  • Analyze technical indicators like IP locations and platform preferences

Is the board conducting regular audits of data protection and breach notification readiness?

According to research published in Infosecurity Magazine, U.S. companies paid $155 million in class action settlements tied to data breaches in just six months. The analysis identified 43 new filings and 73 settlements, with inadequate security practices driving 50% of lawsuits and a staggering 97% of settlement costs. Breaches linked to unencrypted data and delayed notifications also triggered legal action, though less frequently. Average settlements hovered around $3 million, with some reaching as high as $21 million.

For corporate directors, this trend underscores the growing financial and reputational risks of failing to meet basic cybersecurity expectations. Courts increasingly view security lapses not as inevitable, but as governance failures. This raises the question of whether, in the event of a breach, the business could adequately demonstrate that the company exercised due diligence and fulfilled its duty of care.

***

Zscaler is a proud partner of NACD’s Northern California and Research Triangle chapters. We are here as a resource for directors to answer questions about cybersecurity or AI risks, and are happy to arrange dedicated board briefings. Please email Rob Sloan (rsloan[@]zscaler.com), VP Cybersecurity Advocacy at Zscaler, to learn more.