Research has shown that cognitive biases significantly affect strategic decision-making and organisational operational practices. Many fail to validate their cybersecurity implementations, resulting in major breaches. This article examines past “black swan events” involving security-certified companies that encountered issues due to their failure to act on known vulnerabilities. Using the Knowing-Doing Gap theory from Stanford Professors Pfeffer and Sutton[i], it explores lessons from these incidents and actions to be taken.
“The wise man learns from the mistakes of others.” – Otto von Bismarck
Hackers often take advantage of unpatched systems, configuration mistakes, and poorly enforced policies. This article highlights the vulnerabilities that arise from infrequent validation or verifications of controls. It discusses how attackers target outdated or misconfigured “secure” systems, showcases real breaches resulting from these oversights, and explores how weak policy enforcement and policy validation lead to breaches and data theft. Based on some real cases, we present mitigation strategies to help close these gaps.
Hidden Vulnerabilities Without Regular Testing
When companies don’t perform periodic technical security validations (such as configuration validations, vulnerability scans or penetration tests), numerous issues can remain unseen and unresolved[ii]. Many standard security weaknesses persist simply because organisations aren’t looking for them proactively. In fact, not all organisations conduct regular offensive assessments, so they may not even be aware of serious vulnerabilities in their environment.
Some examples of vulnerabilities that often remain open or hidden without regular validation include:
– Unpatched Software: Known software vulnerabilities (e.g. missing security patches in operating systems, applications, or frameworks) can go unfixed for long periods. Attackers routinely scan for such outdated systems. For instance, the massive Equifax[iii] breach in 2017 occurred because a critical web server patch had not been applied for months. The final settlement in this case rose to USD 545 million in July 2024.
– Configuration Errors: Misconfigurations in security devices or cloud services (like overly permissive firewall rules, open S3 buckets, or disabled security settings) frequently slip by if not periodically audited. These misconfigurations can act as backdoors for intruders.
– Weak or Default Credentials: Accounts with default passwords or weak logins (that should have been changed) may remain in use. Regular testing often uncovers these easily guessable credentials before attackers do.
– Excessive Privileges: Without periodic review, former employees’ accounts or unnecessary admin privileges might still exist. If not identified and removed, these provide easy targets for attackers.
– Outdated Security Tools: Even security technologies can become outdated or mistuned. For example, an intrusion detection system that isn’t tested might miss modern attack techniques, leaving a blind spot.
Organisations typically need such tests to gain insight into these “silent risks”; those that skip regular testing often miss problems until it is too late and the consequences are significant.
Attackers Exploiting Outdated & Misconfigured Systems
Without periodic validation on “Silent Risks”, companies may assume systems are secure when they are not, which is precisely what attackers hope for. Cybercriminals actively hunt for systems that have fallen behind on updates or were never appropriately configured. These “outdated”, “default implemented” or “misconfigured” assets present soft targets that can be breached using known tactics.
But why, after decades, do we still not learn from past events? Which examples show what we already “know” we should be doing, and how can we push ourselves to actually start “doing” it?
One classic example is misconfigurations that persist due to lack of validation. A notable case is the Capital One 2019 cloud breach. The attacker (a former AWS employee) found a misconfigured web application firewall in Capital One’s AWS environment, which allowed an unconventional attack (SSRF – Server Side Request Forgery) to succeed. This, combined with overly broad AWS identity permissions, let the hacker obtain credentials and copy data from dozens of storage buckets. A lack of least-privilege configuration meant an AWS role had far more access than needed, enabling the theft of ~100 million customer records. Had the cloud firewall and access policies been periodically validated, these weaknesses might have been caught before the breach.
Hackers often don’t need novel exploits – they capitalize on whatever was missed due to infrequent testing. Common attack patterns include:
– Scanning for Exposed Ports/Services: If an organisation opens a new server or cloud instance and never properly locks it down, attackers using automated scanners will discover open ports or services. A forgotten open remote desktop port or database can become the entry point for ransomware or data theft.
– Exploiting Known Common Vulnerabilities and Exposures (CVEs): Threat actors monitor known critical vulnerabilities. When companies don’t regularly apply patches or firmware updates, attackers use ready-made exploits (often freely available) to breach unpatched systems. The “unpatched Apache Struts” in Equifax and the unpatched Windows servers hit by WannaCry ransomware, which leveraged the leaked EternalBlue exploit, are examples.
– Abusing Default or Weak Settings: Systems installed with default credentials or settings (and never hardened) are low-hanging fruit. For instance, many past breaches involved attackers logging in with manufacturer default passwords on network gear or finding an admin interface left publicly accessible due to a setup mistake. Regular technical validation (through configuration reviews and simulated attacks) would likely catch these conditions. Without it, however, attackers operate with an edge – they often know your weaknesses before you do. This dynamic often leads directly to breaches.
Breaches Stemming from Lack of Testing or Enforcement
History provides several case studies of major breaches where boards and managers were involved in policy making and signed off on ISO or sometimes SOC2 assurance statements but were still exposed or penalised by regulators because of a Knowing-Doing Gap. Since 2018, most GDPR fines have been issued for a lack of technical measures and their validation[iv], which traces back to insufficient security testing or lax enforcement of policies. Below are a few examples illustrating how the absence of periodic validation can lead to incidents.
– Marriott/Starwood (2014–2018): Marriott acquired the Starwood hotel chain but did not thoroughly security-test or integrate Starwood’s reservation system into Marriott’s secure environment. The result was that attackers had backdoor access to Starwood’s database for four years without detection. The Starwood system operated with outdated security controls, and no one at Marriott performed a deep technical assessment post-acquisition. Marriott’s cybersecurity team “did not find it necessary to test the new software,” which allowed the intruders to remain unnoticed from 2014 to 2018. This breach exposed the personal and passport data of roughly 500 million guests. It shows that complacency and lack of periodic testing, especially after significant IT changes (like mergers), can let attackers hide for years. This case is not unique: we have seen more cases in recent years that fell victim to the same negligence.
– Target (2013): Retail giant Target was hacked via a third-party HVAC vendor’s credentials. While Target had security tools, they had not enforced strict network segmentation between external vendor access and internal systems. Attackers phished the vendor, stole credentials, and then moved laterally into Target’s network until they reached the point-of-sale systems. There they installed malware to collect 40 million customers’ credit card details. The breach cost Target tens of millions and a significant drop in profits. It highlights that security policy enforcement (vendor access controls, network segmentation) was insufficient, and periodic third-party security testing was needed. This case is not unique: we have seen more cases in recent years that fell victim to the same negligence and poor network designs. In 2021, S. Kably investigated security misconfigurations as the root cause of data breaches and found a significant number of high-profile cases with this root cause.[v]
– Adobe (2013): In a sophisticated attack, hackers sent phishing emails to Adobe employees and installed malware on their PCs. Because Adobe’s internal network lacked specific containment controls, the attackers could exfiltrate customer data (including names, encrypted passwords, and credit card info) from inside the network. They even stole source code for Adobe products. This breach demonstrates that without vigorous internal enforcement (like egress restrictions, monitoring, and the principle of least privilege on data stores), attackers who get in can spread and steal broadly. Regular internal penetration tests could have revealed how malware might propagate and identified weaknesses in Adobe’s internal segmentation and access limits.
These cases (and many others) reinforce a common theme: When organizations assume their technology is secure without validating, attackers will prove them wrong. These breaches could have been mitigated by more frequent validation and stricter enforcement of security best practices.
Paper based reality: Knowing Doing Gap Consequences
Even if an initial breach occurs (for example, via a phishing email or stolen credential), robust internal security policies can contain the damage. However, if those policies exist only on paper and aren’t enforced with technical controls, attackers can roam freely inside a network – a phase known as lateral movement. Four key policies are: the Principle of Board Ownership, the Principle of Least Privilege, Continuous Policy Validation, and Network Segmentation. Failing to enforce these turns an isolated incursion into a full-blown breach.
– The Principle of Board Ownership: With new executive orders and regulatory directives such as NIS2 and DORA, digital security and assurance have become critical responsibilities for boards. Boards must take accountability and demonstrate strong leadership by setting a good example. This includes asking questions and supporting managers and operations to ensure they have sufficient resources—such as time, money, and personnel—to conduct technical validations and learn from incidents.
In my experience, conducting lessons-learned sessions and writing root cause analyses can be time-consuming and may not directly contribute to the firm’s bottom line. However, creating a culture that celebrates transparency and encourages reporting issues must begin at the top.
– Lack of Least Privilege: The principle of least privilege (PoLP) requires that users and systems have only the minimum necessary access rights. This should start at the organisational level and be rigorously applied throughout all systems. Without enforcement, excessive permissions can accumulate, making it easier for attackers to exploit compromised accounts. The 2020 SolarWinds Orion hack illustrates this risk, as malware within Orion had broad access to customer networks due to high-level privileges and lack of PoLP constraints. This allowed attackers to move undetected across systems. Similarly, the Capital One breach resulted from an overly powerful cloud IAM role, enabling hackers to access vast amounts of data. In essence, excessive privileges lead to larger breaches. Many organisations still overlook this practice due to a lack of board buy-in, limited knowledge, or time, despite recognising the importance of doing it.
– Lack of Segmentation: Proper network segmentation involves dividing networks into logical zones (e.g., separating SWIFT clearance in banks from Operational Technology, or IoT data from payment data) and tightly controlling traffic between them. Without segmentation, an attacker can easily move across the network, making it simpler to spread malware or access sensitive information. For example, in the Target breach, attackers exploited a lack of segmentation to access payment card systems from a vendor’s HVAC system. Similarly, the WannaCry ransomware spread rapidly across unsegmented networks. Effective segmentation would slow down attackers by requiring them to breach multiple barriers. However, many organisations still neglect this practice due to limited resources, knowledge, or time, despite knowing its importance. This requires security professionals both to step up their capabilities and expertise and to decide wisely where to spend their “buck”[vi].
– Inadequate Access Controls & Monitoring: Access control policies, such as restricting account logins and using multi-factor authentication, are often unenforced, creating overly trusting environments for attackers. If administrative shares or management interfaces aren’t secured, attackers can exploit weak points using default credentials or pass-the-hash techniques to move between servers. Additionally, unmonitored outbound connections allow for unchecked data exfiltration, as seen in the Adobe breach, highlighting a lack of egress controls or data loss prevention tools. Insufficient monitoring fails to raise alarms during attackers’ movements and data transfers, yet many organisations neglect these practices due to resource, knowledge, or time constraints.
In summary, failing to enforce security policies technically magnifies the impact of breaches[vii]. A single-point break-in can escalate into a complete compromise of many systems and massive data exfiltration. As one post-mortem made clear: policies must be implemented in systems and continuously verified, not just written in an IT handbook.[viii]
Mitigation Strategies to Close the Knowing-Doing Gap
1. Continuously Validate Your Defensive Posture
Move beyond one-off compliance audits. Proactively scan for known flaws, frequently patch, and use breach-and-attack simulations to identify gaps before adversaries do. This ensures that what you know about potential threats translates into doing something about them regularly.
2. Enforce Security Policies as Code
Translate written policies (e.g., Zero Trust, least privilege, configurations, traffic inspection, MFA) into technical controls and automated checks. Systematically implement segmentation, restrict excessive privileges, and continuously monitor and respond to anomalies. This bridges the gap between knowing your policies and enforcing them so they work in practice.
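As an added illustration of what “policy as code” looks like in practice (example code written for this article’s editing, not code from the article’s author or any vendor), the following Python turns two of the policies the article keeps returning to into automated checks: least privilege (flagging wildcard IAM permissions of the kind behind the Capital One breach) and configuration review (flagging a remote desktop or database port left open to the whole internet). The IAM policy document, its hardened replacement and the security-group rules are constructed sample inputs, shaped like AWS IAM policies and security-group ingress rules.

```python
import ipaddress

# Constructed sample inputs (not from any real account): an IAM policy granting
# "s3:*" on every resource, a scoped-down replacement, and ingress rules.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"},
]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
]}
SG_RULES = [
    {"group": "sg-web", "proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-bastion", "proto": "tcp", "from": 3389, "to": 3389, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.0.0/8"},
    {"group": "sg-db", "proto": "-1", "from": 0, "to": 65535, "cidr": "::/0"},
]
# Management and database ports that should never be reachable from any source.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}

def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def iam_findings(policy: dict) -> list[str]:
    """One finding per Allow statement with a wildcard action ("*" or
    "service:*") or a wildcard resource; an empty list means compliant."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings

def sg_findings(rules: list[dict]) -> list[str]:
    """One finding per management/database port an ingress rule opens to any
    source (0.0.0.0/0 or ::/0); proto "-1" means all protocols in AWS."""
    findings = []
    for r in rules:
        world_open = ipaddress.ip_network(r["cidr"], strict=False).prefixlen == 0
        if not world_open or r["proto"] not in ("tcp", "-1"):
            continue  # source is a specific network, or rule cannot carry TCP
        for port, name in MANAGEMENT_PORTS.items():
            if r["from"] <= port <= r["to"]:
                findings.append(f"{r['group']}: {name} ({port}) open to {r['cidr']}")
    return findings

if __name__ == "__main__":
    for line in iam_findings(WEAK_POLICY) + sg_findings(SG_RULES):
        print("FAIL", line)
```

Run against the sample inputs, the weak policy and two of the four rules produce findings while the hardened policy produces none; in a pipeline the same functions would run on every change to IAM or firewall configuration and fail the build on any finding.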
3. Foster a Culture of Security Ownership
Leading by good example starts at the top. Encourage a “trust but verify” mindset, and treat configurations, audits, and reviews as standard operating procedure—not just “optional IT tasks.” When everyone understands, internalizes, and routinely acts on security guidance, you effectively close the knowing-doing gap.
In conclusion, proactive enforcement and continuous validation are the antidotes to the complacency that attackers exploit. By addressing misconfigurations, upgrading outdated systems, and implementing strong authentication and access controls, organisations make it much harder for adversaries to succeed. The cost of regular testing and diligent policy enforcement is far lower than the cost of a significant breach. Companies that open themselves to learning from others, use cybersecurity key performance indicators to monitor their performance[ix], and cultivate a “trust but verify” attitude toward their security posture will do significantly better than others.
SOURCES
[i] J. Pfeffer and R. Sutton (2001), The Knowing-Doing Gap: How Smart Companies Turn Knowledge into Action. Harvard Business School Press.
[ii] SANS Institute (2025), A Decade of Security Assessments: Security Issues That Refuse to Die. URL: https://www.sans.org/blog/a-decade-of-security-assessments-security-issues-that-refuse-to-die/#:~:text=Organizations%20typically%20need%20a%20penetration,%E2%80%9Cfree%20consulting%20advice%2C%E2%80%9D%20with%20the
[iii] The Hidden Costs of Neglecting Penetration Testing: 5 Real-World Examples. URL: https://elitesec.io/blog/cost-of-neglecting-penetration-testing/#:~:text=Back%20in%20March%202017%2C%20there,failed%20to%20address%20the%20issue
[iv] The EU publishes all GDPR fines and their reasons via a public website so that others can learn from them. See www.enforcementtracker.com/?insights
[v] S. Kably (2021), The Root Cause of Data Breaches: Investigating security misconfigurations as the root cause of data breaches. This offers a rich repository of major breaches and their learnings. URL: http://resolver.tudelft.nl/uuid:40c652a8-b66a-46e1-8953-c8c90398f9ee
[vi] Bobbert (2019), Get the biggest bang for your security buck. URL: https://www.antwerpmanagementschool.be/en/blog/get-the-biggest-bang-for-your-security-buck
[vii] Bobbert (2022), Never trust and always verify – the increasing number of cyber threats & risks. URL: https://www.antwerpmanagementschool.be/en/blog/never-trust-and-always-verify-the-increasing-number-of-cyber-threats-risks
[viii] SolarWinds Attack Reinforces Importance of Principle of Least Privilege. URL: https://www.darkreading.com/endpoint-security/solarwinds-attack-reinforces-importance-of-principle-of-least-privilege#:~:text=In%20an%20activity%20alert%20published,and%20data%20across%20the%20organization)
[ix] Bobbert (2025), Performance Management in Information Security. URL: https://www.antwerpmanagementschool.be/en/blog/performance-management-in-information-security