Do the costliest breaches share a common precursor?
- Feb 2
Updated: Feb 19
We've previously written about the most costly data breaches of all time, but is there a common thread that businesses can learn from? Analysis of the most expensive cyber breaches of the past decade reveals a consistent pattern. The financial impact is significant, but the more instructive insight lies in the organisational behaviour that preceded the incidents. The breaches were not typically the result of a single catastrophic oversight. They seem to have been preceded by extended periods of drift.
Drift manifests as delayed patching, exceptions granted for convenience, legacy systems awaiting replacement, and security concerns raised but not prioritised. Over time, these small deviations accumulate into structural vulnerability. Drift is rarely intentional. It emerges from competing priorities, resource constraints, and the natural tendency of organisations to defer complex tasks.
The U.S. House Oversight Committee’s report on the Equifax breach referenced a “culture of complacency,” a description that aligns with the concept of drift. In that case, a critical vulnerability remained unpatched for months due to breakdowns in communication, ownership, and process adherence. The breach was the spark, but the drift was the fuel.
The Marriott breach illustrates a different form of drift: inherited risk. The compromised system originated from an acquired company, and the integration process did not fully address the security weaknesses. This form of drift is common in organisations with complex acquisition histories.
The Target breach highlighted operational drift. Alerts were generated by security tools but not acted upon due to alert fatigue and process gaps. The technology functioned as intended, but the organisational response did not.
Mapping areas where drift has replaced discipline can be revealing. Identity governance, third‑party risk, and legacy infrastructure are common points of accumulation. Drift often becomes visible only when an incident forces retrospective analysis.
Organisations that manage drift effectively tend to implement continuous assurance mechanisms. These include automated policy enforcement, regular control validation, and governance structures that elevate security exceptions to senior leadership. They also invest in reducing complexity, as complex environments are more prone to drift.
The central question is where drift has quietly embedded itself within the organisation, and what the financial impact would be if it were exposed during a major incident.




