Topic 41

Why Breaches Keep Happening

Concept

By this point in the course, you have seen a long list of defenses — passwords, encryption, backups, monitoring, and more. So a fair question follows: if we know all of this, why does it feel like there is a new breach in the headlines every week? It can look like the people in charge simply are not trying.

The honest answer is not incompetence. It is a built-in imbalance in the game itself. The person attacking a system only has to succeed once; the people defending it have to succeed every single time. This is the most important idea for thinking clearly about security, and it is neither cynical nor hopeless.

Picture a guard watching a long border and a single person trying to cross it. The guard has to watch every mile, all night, without a lapse. The crosser only needs to find the one quiet spot at the one quiet hour. The crosser will take their time and pick that moment — and that is exactly the position a defender is in.

The asymmetry behind almost every breach
The defender
Must protect every system, every account, and every connection — and must get it right every day, without a single off moment.
The attacker
Has to find just one weak spot, one time. They can probe patiently and wait for the one moment a defense slips.

Why the Odds Favor Persistence

When one side needs a perfect record and the other side needs a single lucky break, time is on the attacker's side. A defender who is right ninety-nine days out of a hundred has still left one open day — and a patient attacker who keeps knocking will eventually be there on that day.

This does not mean defenders are careless. It means the scoreboard is uneven by design. The same gap that would be a minor slip for the defender is the whole opening the attacker needed. Once you see this asymmetry, "why do breaches keep happening?" stops being a mystery.

More Systems Means More Doors

The imbalance gets harder because the thing being defended keeps growing. A modern organization does not run one tidy computer. It runs many systems — websites, apps, databases, laptops, phones, and a web of outside services it connects to. Each of those is another door that has to be watched.

Security people call the full set of possible ways in the attack surface — every door, window, and crack an attacker could try. From here on we will use that term. The trouble is that the attack surface tends to grow faster than anyone can lock every part of it perfectly. More features and more connections are useful, but each one widens the surface the defender has to cover.
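The "ninety-nine days out of a hundred" argument above, and the point that every extra door widens the attack surface, can both be put into numbers. The block below is an added example for this page, not material from the course; it uses a deliberately simple model that the text does not specify: every exposed system ("door") is assumed to have the same independent chance `p_door` of being open on any given day, and the attacker is assumed to probe every door every day. The function names and the sample probabilities are the example's own choices.

```python
"""Toy model of the attacker/defender asymmetry (added example).

Assumptions (not from the page): each day, each exposed system ("door")
is independently open with probability p_door, and a patient attacker
tries every door every day, succeeding the first day any door is open.
"""
import math


def p_open_any_door(p_door: float, n_doors: int) -> float:
    """Chance that at least one of n_doors is open on a single day.

    The defender must keep every door shut; the attacker needs only one.
    """
    return 1.0 - (1.0 - p_door) ** n_doors


def p_breach_within(p_day: float, days: int) -> float:
    """Chance the attacker gets in at least once within `days` daily tries."""
    return 1.0 - (1.0 - p_day) ** days


def defender_perfect_streak(p_day: float, days: int) -> float:
    """Chance the defender keeps a perfect record for `days` straight days."""
    return (1.0 - p_day) ** days


def expected_days_to_breach(p_day: float) -> float:
    """Mean days until the first success: a geometric distribution."""
    if p_day <= 0.0:
        return math.inf
    return 1.0 / p_day


def days_to_reach(p_day: float, confidence: float) -> int:
    """Fewest daily attempts after which the attacker's overall success
    probability is at least `confidence`. Returns a very large sentinel
    when p_day is zero (the defender is literally perfect)."""
    if p_day <= 0.0:
        return 10**9
    if p_day >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_day))


def scenario(p_door: float, n_doors: int, days: int) -> dict:
    """Summarise one defender configuration as the attacker sees it."""
    p_day = p_open_any_door(p_door, n_doors)
    return {
        "doors": n_doors,
        "p_door": p_door,
        "p_any_door_per_day": round(p_day, 4),
        "p_breach_within_days": round(p_breach_within(p_day, days), 4),
        "expected_days": round(expected_days_to_breach(p_day), 1),
        "days_for_50pct": days_to_reach(p_day, 0.5),
    }


if __name__ == "__main__":
    # Sample probabilities are constructed for illustration only.
    year = 365
    for p_door, n_doors in [(0.01, 1), (0.01, 50), (0.001, 50), (0.0001, 50)]:
        print(scenario(p_door, n_doors, year))
```

Running it shows the two effects side by side: one door that slips one day in a hundred is breached within a year with probability about 0.97, and fifty such doors make a breach near certain within weeks. The last two rows show what "raising the cost" buys: cutting each door's slip rate by ten or a hundred pushes the expected time to breach from days to months or years, which is exactly the shift from a cheap attack to an expensive one that the page describes.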

People, Patches, and Finite Time

On top of the systems sit people, and people stay reachable. As Chapter 3 showed, a well-crafted phishing message can fool an alert person on a tired afternoon. No amount of technology removes the human at the keyboard, and the human is sometimes the easiest door.

There is also a timing gap. When a flaw is found in software, a fix (a patch, the corrected version that closes the hole) has to be written, released, and then actually applied on every affected machine. Each step takes time, and during the wait the hole is open. Attackers read the same advisories defenders do, so the stretch between a patch being published and a patch being installed is often the most dangerous one. Real teams have limited hours and limited budgets, so patches lag and some gaps stay open longer than anyone would like. None of this is a scandal; it is the normal condition every defender works in.

Why This Isn't Hopeless

None of this has to end in despair, though. The goal of security, from the very first chapter, was never a perfect wall with zero breaches ever. The goal is to raise the cost of attacking, shrink the damage when something does get through, and notice fast when it does.

All three of those are winnable, and they demonstrably work. Strong defenses turn a quick, cheap attack into a slow, expensive one that many attackers simply give up on. Backups and good design mean a break-in costs a bad afternoon instead of the whole business. Monitoring turns months of quiet theft into a problem caught in days. "Not perfect" is a very long way from "not worth it."

The three realistic goals of security
Raise the cost
Turn quick, cheap attacks into slow, expensive ones.
Shrink the damage
Limit what a successful breach can do to the business.
Notice fast
Catch problems quickly so they can be stopped.
Common Confusions
  • "Breaches happen only because people are incompetent." The attacker-only-needs-one-win, defender-must-win-always imbalance makes some gaps near-inevitable even for skilled, careful teams.
  • "With enough effort, breaches could be made impossible." Effort makes them rarer and far less damaging, but the asymmetry means "impossible" was never the realistic target.
  • "Since breaches are inevitable, defending is pointless." Defense changes the odds and the cost enormously. "Can't be made perfect" is very different from "not worth doing."
Why It Matters
  • It replaces both cynicism and false hope with a clear-eyed view: security is hard because of a real structural imbalance, not because everyone is failing.
  • It reinforces the spine of the whole course — manage the risk, limit the damage, and notice fast — rather than chasing a perfect record that no one can keep.

Knowledge Check

What is the core asymmetry that makes defending systems so hard?

  • The defender must win every time, but the attacker only has to win once
  • Attackers are always more skilled and better trained than the people defending the system
  • Defenders never have any money to spend on protecting their systems
  • Defenders can never see any attack that is happening to them

Why does adding more systems and connections tend to make defending harder?

  • Each one widens the attack surface, adding more possible entry points
  • Adding more systems to a network can switch off the encryption protecting all older ones
  • Extra connections remove all the legal rules that protect data
  • More systems automatically erase every backup the organization has

If perfect security is not the goal, what is security actually trying to achieve?

  • Make attacks harder, limit the damage, and catch problems quickly
  • Guarantee that no breach can ever possibly happen to anyone, ever again
  • Shut down every system so there is nothing left for anyone to attack
  • Identify and arrest one particular attacker before anything else matters

Why is "breaches are inevitable, so defending is pointless" the wrong conclusion?

  • Defense changes the odds enough that 'not perfect' is far from 'not worth it'
  • Defending really is pointless, so the only honest move is to stop trying entirely
  • Because breaches are in fact impossible once any defense at all exists
  • Because every attacker always gives up before trying anything difficult