
The hidden cost of control failures: Why 84% of enterprise breaches were preventable in 2025

According to the latest research surveying 400 enterprise cybersecurity leaders, the most damaging driver of high-profile breaches isn’t sophisticated attack vectors or zero-day exploits but something simpler and more troubling: the basics are breaking first.

Sarah Garmston

In 2025, a staggering 84% of organizations experienced breaches directly linked to control failures. These weren't caused by revolutionary hacking techniques, but by silent gaps in the very defenses organizations believed would protect them.

With enterprises losing an average of $14 million per year to cyber events, and 62% of cybersecurity budgets wiped out by preventable control failures, the insight for cyber leaders is clear: What you can't see or validate is costing millions.

Toxic combinations of multiple control failures

Perhaps the most alarming discovery from the 2026 Security Leaders Peer Report is that three-quarters (75%) of breaches weren't triggered by a single point of failure but by multiple control failures happening simultaneously. These "toxic combinations" turn routine control gaps into devastating security incidents.

Key findings:

  • 55% experienced breaches from employees not following security best practices
  • 40% had inadequately encrypted data
  • 40% failed to identify suspicious activity
  • 39% were compromised through unpatched systems or applications

What makes these failures particularly dangerous is their compounding effect. 72% of cybersecurity leaders believe AI is increasing both the risk and likelihood of so-called toxic combinations of risk, yet only 29% feel completely prepared to withstand complex attacks targeting multiple systems simultaneously.
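To make the "toxic combination" idea concrete, the following is an added example (not Panaseer's code and not from the report) of the core check a continuous controls monitoring job performs: it joins the status of several controls per asset, as separate tools would report them, computes coverage per control, and flags assets on which two or more controls are failing at the same time. The asset names, control names and status values are constructed sample data; the threshold of two failing controls is an assumption chosen for illustration.

```python
"""Toxic-combination detection over per-asset control status.

Added example, not Panaseer's code. Simulates a continuous controls
monitoring check that correlates control status across tools per asset.
All asset records below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed per-asset control status, as a CCM platform might assemble
# from patch management, disk encryption, EDR and log-forwarding tools.
# True = control in place and working, False = control failure.
CONTROL_STATUS: Dict[str, Dict[str, bool]] = {
    "web-01": {"patched": False, "encrypted": True,  "edr_agent": True,  "logs_forwarded": True},
    "db-02":  {"patched": False, "encrypted": False, "edr_agent": True,  "logs_forwarded": False},
    "lap-17": {"patched": True,  "encrypted": False, "edr_agent": False, "logs_forwarded": True},
    "lap-18": {"patched": True,  "encrypted": True,  "edr_agent": True,  "logs_forwarded": True},
}


@dataclass
class AssetFinding:
    asset: str
    failed_controls: List[str]


def failed_controls(status: Dict[str, bool]) -> List[str]:
    """Names of the controls that are not in place on one asset, sorted."""
    return sorted(name for name, ok in status.items() if not ok)


def control_coverage(all_status: Dict[str, Dict[str, bool]]) -> Dict[str, float]:
    """Percentage of assets on which each control is in place and working.

    This is the per-control view a dashboard shows; it hides which assets
    carry several failures at once, which is why the check below exists.
    """
    controls = sorted({c for s in all_status.values() for c in s})
    total = len(all_status)
    return {
        c: round(100.0 * sum(1 for s in all_status.values() if s.get(c, False)) / total, 1)
        for c in controls
    }


def find_toxic_combinations(all_status: Dict[str, Dict[str, bool]],
                            threshold: int = 2) -> List[AssetFinding]:
    """Assets where at least `threshold` controls fail simultaneously.

    Worst assets (most failing controls) come first; ties sort by name.
    The threshold of 2 is an assumption for illustration.
    """
    findings = [
        AssetFinding(asset, failed)
        for asset, status in all_status.items()
        if len(failed := failed_controls(status)) >= threshold
    ]
    return sorted(findings, key=lambda f: (-len(f.failed_controls), f.asset))


def combination_frequency(findings: List[AssetFinding]) -> Counter:
    """How often each exact combination of failing controls recurs."""
    return Counter(tuple(f.failed_controls) for f in findings)


if __name__ == "__main__":
    print("Per-control coverage:", control_coverage(CONTROL_STATUS))
    toxic = find_toxic_combinations(CONTROL_STATUS)
    for f in toxic:
        print(f"{f.asset}: {len(f.failed_controls)} controls failing -> {f.failed_controls}")
    print("Recurring combinations:", combination_frequency(toxic))
```

In the sample data every control shows 50% or 75% coverage, which looks like four separate, moderate gaps; only the per-asset join reveals that one database host is simultaneously unpatched, unencrypted and not forwarding logs. In a real deployment the `CONTROL_STATUS` table would be rebuilt from each tool's inventory on every run, and the findings list is what gets routed to the owning team rather than waiting for an audit or an incident to surface it.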

Dig deeper: Why control failures are the weakest link in enterprise security 

Why continuous controls monitoring is no longer optional

The root cause isn't a lack of awareness about the importance of strong controls - it's the inability to validate them continuously.

Panaseer’s research reveals a critical gap in security control validation practices: Only 25% of security leaders test control performance at least weekly. For everyone else, testing happens monthly at best, with 5% of organizations reviewing control efficacy just once a year.

This infrequent validation approach explains why 64% of leaders reported that incidents bypassed controls they believed "should have prevented" breaches. When controls are tested manually and infrequently, blind spots become inevitable - and attackers are regularly exploiting them.

Recognizing this vulnerability, 77% of CISOs openly acknowledge that manual control assurance models are inadequate for today's threat landscape. More significantly, 8 out of 10 surveyed have identified moving to continuous, automated controls assurance as a top priority for 2026.

The visibility crisis created by tool sprawl

The lack of genuine oversight into control performance and effectiveness isn’t caused by a shortage of technology.

In fact, it's an overabundance of tools and data sources that is creating dangerous complexity. Enterprise organizations now deploy an average of 61 different security tools, each generating its own dashboards, alerts, and reporting parameters.

Rather than providing comprehensive visibility, this tool sprawl has created what 65% of leaders describe as "overwhelming fragmented data sets". The consequences are severe:

  • Only 37% of cyber teams are confident they have full visibility across their IT estate.
  • 61% state their controls environment is too complex to manage without automation.
  • 54% admit control failures only come to light post-incident.

Perhaps most troubling, over half (54%) have no clear understanding of whether their controls are in place and working at any given time. This visibility black hole leaves organizations flying blind, discovering gaps only after breaches occur.

Dig deeper: Why complex IT environments deliver less visibility

From audit fatigue to automated assurance

The financial and operational toll of inadequate security control validation extends beyond direct breach costs. Organizations are hemorrhaging resources in multiple directions:

Audit fatigue: The average organization faces 28 internal and external audits annually, with each taking approximately 6-10 working days to prepare. Enterprise security teams collectively spent an estimated 86,000 hours preparing for audits in 2025. More concerning, 71% of organizations incurred fines due to delayed audit responses.

Reporting burnout: Security teams dedicate 34% of their working week to collecting, analyzing, and presenting data rather than preventing threats. This manual approach to controls monitoring leaves 71% of teams experiencing reporting burnout.

Strategic misalignment: Only 38% of CISOs feel confident that their cybersecurity reports to boards and regulators are clear and comprehensive. Without automated control testing delivering reliable, real-time data, half (50%) struggle to prove control effectiveness to leadership, making it nearly impossible to secure investment in proactive security measures.

The 2026 imperative: Continuous Controls Monitoring

The convergence of AI-powered threats, expanding regulatory requirements, and resource constraints has created an urgent need for transformation. 77% of CISOs believe AI-driven threats are outpacing their teams' ability to respond, yet 65% recognize that strong cyber hygiene and continuous controls monitoring remain the most critical defensive measures, even against AI-powered attacks.

The solution is clear. 93% agree that Continuous Controls Monitoring (CCM) improves compliance and risk management. By automating security control validation and moving from point-in-time assessments to continuous monitoring, organizations can:

  • Transform thousands of manual audit preparation hours into automated evidence collection
  • Identify toxic control failure combinations before attackers exploit them
  • Provide boards with clear, accurate risk reporting tied to business impact
  • Free security teams from reporting overhead to focus on threat prevention

The strategic roadmap for automated controls assurance in 2026 centers on five key capabilities:

  1. Continuous validation of security fundamentals through automated control testing
  2. Unified visibility that consolidates data across the entire security estate
  3. Automated audit evidence that eliminates manual compliance overhead
  4. AI-powered insights that transform raw data into prioritized action
  5. Business-aligned reporting that translates technical control performance into strategic risk language

Control failures remain the primary cause of enterprise breaches, yet most organizations still lack the continuous visibility needed to prevent them.

For cybersecurity leaders navigating AI-accelerated threats, expanding compliance demands, and persistent resource constraints in 2026, automated control testing and monitoring represent the clearest path from reactive incident response to proactive risk reduction.

Read the full 2026 Security Leaders Peer Report to explore comprehensive data, industry-specific insights, and detailed implementation guidance for building a strategic continuous controls monitoring program that transforms security control validation from a data and reporting burden into a competitive advantage.