Despite investing millions in advanced security tools, many organizations continue to overlook fundamental cybersecurity practices, allowing cybercriminals to exploit preventable weaknesses. Simple measures like timely patching, vulnerability scanning, and penetration testing are often deprioritized, leaving companies exposed to costly breaches.
A recent analysis by Horizon3.ai, based on data from its automated penetration testing platform and a survey of 800 IT and security professionals across the U.S., U.K., and EU, highlights a stark disconnect between perceived and actual security readiness. Many organizations remain fixated on compliance checklists rather than implementing proactive defense strategies.
Stephen Gates, principal security SME at Horizon3.ai, noted, “What surprised us was the massive gap between what organizations believe is important for cybersecurity and what they’re actually doing.”
For instance, while 61% of security decision-makers recognize the importance of Mean Time to Remediate (MTTR) in reducing breach costs, 16% deprioritize it entirely. Furthermore, although 84% of organizations reported experiencing a breach, 53% of security practitioners and 36% of CISOs admitted delaying critical security patches until a scheduled maintenance window. Every day a patch waits for that window is a day in which attackers can exploit a vulnerability that is already publicly known.
The sheer volume of vulnerabilities makes prioritization difficult. While 98% of organizations use vulnerability scanning tools, 36% report that false positives overwhelm security teams, making it harder to focus on real threats. Only 34% consider these tools effective.
“When security teams are constantly bombarded with alerts, they start tuning them out,” Gates explains. “That leaves them unprepared when a serious risk arises.”
Many organizations struggle to determine whether vulnerabilities are truly exploitable in their specific environments. In fact, 36% of CISOs delay patching simply because they lack tools to assess the actual risk. External penetration tests often fail to provide actionable insight either: 40% of companies report that their pentesting reports are outdated by the time they act on them, because a report is a point-in-time snapshot and system configurations keep changing after the test.
Cloud Cybersecurity Blind Spots
As organizations increasingly adopt cloud services, security gaps widen. Horizon3.ai found that 40% of companies fail to regularly test their cloud environments, leaving them exposed to undetected vulnerabilities.
A significant barrier to improving security response times is the lack of personnel. “IT and operations teams are understaffed and stretched thin, leading to blind spots, inconsistent policies, and human errors,” says Gates.
Despite growing cybersecurity budgets—Gartner estimates global spending will reach $212 billion in 2025, up 15% from last year—breaches remain frequent. The fundamental issue, according to Horizon3.ai, is that cybersecurity remains an uphill battle.
“Defenders are forced into an asymmetric fight against attackers who innovate rapidly, exploit weaknesses instantly, and operate with seemingly unlimited resources,” the report concludes. Without a shift from compliance-driven security to proactive defense strategies, organizations will continue to fall victim to preventable cyber threats.