CYBERNEURIX
cybersecurity
April 20, 2026

Top 5 Cybersecurity Mistakes That Caused Havoc in 2024–2025

Author: CNX
6 min read

Key Takeaways

  • The five most damaging cybersecurity mistakes of 2024–2025 are not exotic — they are the same structural failures repeating across industries at scale.
  • Change Healthcare was breached through a single Citrix portal with no MFA enabled — a $22 million ransom and disruption to one-third of Americans followed.
  • According to the Verizon DBIR 2025, human error directly caused 60% of all breaches — making it the single largest driver of successful attacks.
  • The average cost of a data breach in 2024 reached $4.88 million — a 10% increase from the previous year, with healthcare and financial services bearing the heaviest losses.
  • Third-party and supply chain exposure now accounts for the majority of large-scale breach events — yet most organisations still treat vendor risk as a compliance checkbox.

The Pattern Nobody Wants to Admit

Every major breach has a post-mortem. Every post-mortem has the same conclusion. And yet the same mistakes keep happening — not because organisations lack awareness, but because the gap between knowing and doing remains catastrophically wide.

2024 and 2025 produced some of the most damaging cyber incidents in recorded history. Change Healthcare paralysed US healthcare payments for weeks. Salt Typhoon compromised at least eight US telecommunications carriers. The Snowflake credential campaign exposed data across hundreds of organisations simultaneously. National Public Data leaked the personal records of nearly three billion individuals.

None of these required a zero-day. None required nation-state sophistication beyond what criminal groups now routinely deploy. All of them exploited mistakes that security teams already knew about. This analysis examines the five structural failures behind the havoc — and what closing them actually requires. For the broader framework behind proactive defence, see our piece on Exposure Management in Cybersecurity.

Deep Dive: The Five Mistakes That Keep Winning

Mistake 1 — Missing or Bypassed Multi-Factor Authentication

No single control failure caused more damage in 2024–2025 than the absence of properly implemented MFA. The evidence is unambiguous and damning.

Change Healthcare — the largest healthcare payment processor in the United States — was breached in February 2024 through a Citrix remote access portal that had no MFA enabled. The ALPHV/BlackCat ransomware group walked in using stolen credentials. UnitedHealth Group's CEO confirmed the company paid a $22 million ransom. Total estimated response costs reached $2.87 billion. The attack disrupted prescription processing and medical claims for nearly one-third of Americans.

Microsoft suffered two separate credential-based intrusions. The Midnight Blizzard (Russian state) attack in January 2024 exploited a legacy test tenant account with no MFA. Storm-0558 (Chinese state) forged authentication tokens to breach email accounts at approximately 25 organisations including US government agencies. The US Department of Homeland Security's Cyber Safety Review Board concluded the Microsoft intrusion "should never have happened" and that Microsoft's security culture required a fundamental overhaul.

Why it keeps happening:

● Legacy systems and third-party portals are routinely excluded from MFA rollouts — treated as exceptions that become permanent

● SMS and app-based MFA are now routinely bypassed by adversary-in-the-middle proxy toolkits (Evilginx, Modlishka) that harvest session tokens in real time

● Service accounts, shared accounts, and vendor accounts are systematically missed in MFA deployment programmes

What closing this gap actually requires:

Phishing-resistant MFA (FIDO2/passkeys) is now the meaningful security bar — not SMS OTP, not authenticator apps alone. Every internet-facing portal, including legacy systems and vendor access points, must be in scope. A no-exceptions architecture is the only architecture that works. For the identity-centric model that makes this operational, see our analysis of Zero Trust Architecture.


Mistake 2 — Unpatched Internet-Facing Systems

The 2024 Ivanti mass exploitation event demonstrated exactly what systematic exposure looks like at scale. Ivanti disclosed two zero-day vulnerabilities in January 2024 — a command injection flaw and an authentication bypass — that were already under active mass exploitation by a Chinese nation-state actor. CISA, the primary US cyber agency, was among the organisations breached. Thousands of organisations running unpatched Ivanti VPN appliances were compromised before patches could be deployed.

The pattern is not new. Ivanti followed Fortinet, Pulse Secure, Citrix, and Exchange — each of which produced mass exploitation events in prior years using the same playbook: identify a high-value internet-facing product with a large installed base, develop reliable exploitation, and scan the entire internet for vulnerable instances before defenders can patch.

The exploitation window has collapsed. In 2023, attackers took an average of 45 days to weaponise a newly published vulnerability. By 2025, that window had shrunk to 21 days — and for high-value targets, active exploitation frequently begins before a patch exists.

The compounding problem:

● Patch management remains siloed from vulnerability management in most organisations — creating a gap between knowing a patch exists and confirming it is deployed

● Internet-facing assets are frequently undiscovered in asset inventories — shadow IT, acquired infrastructure, and forgotten systems are not patched because no one knows they exist

● Risk-based prioritisation is still the exception — most patch programmes apply CVSS scores mechanically, missing that a CVSS 5.4 vulnerability on a perimeter system is more urgent than a CVSS 9.8 on an isolated internal host

56% of organisations experienced a breach through an unknown or unmanaged internet-facing asset in 2025. You cannot patch what you cannot see.
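The exposure-weighted prioritisation argued for above, as an added illustration that is not from the original article: CVSS is the starting point, and internet exposure, isolation and known exploitation shift the ranking and the remediation deadline. The weights, deadline bands, asset names and CVE placeholders are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cve: str                   # placeholder ids below are constructed, not real CVEs
    cvss: float                # CVSS base score as published
    internet_facing: bool      # reachable from the public internet
    known_exploited: bool      # e.g. listed in CISA KEV or seen exploited in the wild
    isolated: bool = False     # segmented host with no inbound path from the internet

def priority(f: Finding) -> float:
    """Exposure-weighted score: the CVSS base score is only the starting point (assumed weights)."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.8           # anyone scanning the internet can reach it
    if f.isolated:
        score *= 0.4           # an attacker needs a foothold first
    if f.known_exploited:
        score += 6.0           # exploitation already under way; the patch window is gone
    return round(min(score, 20.0), 2)

def sla_days(f: Finding) -> int:
    """Remediation deadline derived from the exposure-weighted score (assumed bands)."""
    s = priority(f)
    if s >= 15:
        return 1
    if s >= 10:
        return 7
    if s >= 5:
        return 30
    return 90

def rank(findings: list) -> list:
    """Order a patch backlog by exposure-weighted priority rather than by raw CVSS."""
    ordered = sorted(findings, key=priority, reverse=True)
    return [(f.asset, priority(f), sla_days(f)) for f in ordered]

# Constructed inventory: a mid-severity flaw on the perimeter versus a critical on an isolated host.
BACKLOG = [
    Finding("internal-db-07", "CVE-XXXX-ISOLATED", 9.8, internet_facing=False, known_exploited=False, isolated=True),
    Finding("vpn-edge-01", "CVE-XXXX-PERIMETER", 5.4, internet_facing=True, known_exploited=True),
    Finding("www-cms-02", "CVE-XXXX-WEB", 9.8, internet_facing=True, known_exploited=False),
]

if __name__ == "__main__":
    for asset, score, days in rank(BACKLOG):
        print(f"{asset:16} score={score:5.2f}  patch within {days} day(s)")
```

Run as-is: the CVSS 5.4 perimeter appliance with active exploitation lands in the 1-day band, while the CVSS 9.8 on the isolated host drops to the 90-day band.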


Mistake 3 — Third-Party and Supply Chain Blind Spots

The Snowflake credential campaign of 2024 is the defining supply chain security event of the era. Attackers obtained credentials for data engineers who had administrative access to their employers' Snowflake cloud environments — credentials harvested by infostealer malware, not through any Snowflake vulnerability. The result: AT&T lost approximately 50 billion customer call and text records. Ticketmaster exposed data on 560 million users. The breach went undetected at Ticketmaster for nearly seven weeks.

AT&T suffered a second, separate breach in the same year — 73 million customer records stolen through vulnerabilities in a third-party vendor system, published on the dark web before AT&T confirmed the incident.

The structural problem is that most organisations apply rigorous security controls to their own systems and treat third-party access as a governance exercise rather than an active attack surface. Vendor risk assessments are completed annually on paper. The Salesforce OAuth supply chain attack in 2025 demonstrated the same gap at a different layer — stolen OAuth tokens gave attackers legitimate-looking access to 700-plus organisations using Salesforce instances, with 10 days of undetected data exfiltration before detection.

What the data shows:

| Dimension                          | Internal Systems           | Third-Party / Vendor Access        |
|------------------------------------|----------------------------|------------------------------------|
| Asset visibility                   | Inventoried and monitored  | Frequently unknown or unmonitored  |
| MFA enforcement                    | Usually enforced           | Often excluded or inconsistent     |
| Access review frequency            | Quarterly or continuous    | Annual compliance checkbox         |
| Breach detection time              | Hours to days              | Weeks to months                    |
| Contractual security requirements  | Not applicable             | Rarely enforced in practice        |

Third-party risk is not a vendor management problem. It is a direct attack surface problem — and it needs to be treated with the same continuous monitoring discipline as internal infrastructure.


Mistake 4 — Human Error at Industrial Scale

The Verizon Data Breach Investigations Report 2025 confirmed what practitioners already knew but boards resist acknowledging: human error directly caused 60% of all breaches. Not sophisticated attackers. Not zero-days. People making mistakes under pressure in environments that make mistakes easy.

The Ascension Healthcare ransomware attack — one of the largest healthcare breaches of 2024, disrupting 140 hospitals across 19 US states — originated from a single employee who accidentally downloaded a malicious file. National Public Data, which exposed the records of nearly three billion individuals, left a zip file containing plain text usernames and passwords accessible on their own website.

Business Email Compromise, which relies entirely on human error rather than technical exploitation, reached record losses in 2025 — $6.3 billion globally, with a median loss of $50,000 per incident. Phishing attacks surged 4,151% since the public release of ChatGPT in late 2022, as AI-generated lures became indistinguishable from legitimate communications at scale.

Why training alone does not solve this:

Security awareness training is necessary and consistently insufficient as a primary control. The problem is structural: organisations build workflows that require humans to make security-critical decisions under time pressure, with incomplete information, in interfaces that do not surface risk signals clearly. Attackers study these workflows and design their attacks around the moments of highest cognitive load.

The effective countermeasure is removing the human decision point wherever possible — technical controls that make the correct action the default action, not the educated action. Phishing-resistant MFA removes the credential theft opportunity. Email authentication (DMARC, DKIM, SPF) eliminates spoofed sender domains. Privileged access workstations remove the attack surface for malicious downloads.
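Email authentication only removes spoofed sender domains when the published DMARC policy actually enforces; a record with p=none, a partial pct, or a weak subdomain policy still lets spoofed mail through. The checker below is an added example, not code from the article: it parses a DMARC TXT record and reports whether it is enforcing. The sample records are constructed, not looked up from DNS.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into lower-cased tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcing(record: str) -> tuple:
    """Return (enforcing, reason). Only p=quarantine/reject at pct=100 blocks spoofed mail."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC record"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy or 'missing'} only reports; spoofed mail is still delivered"
    try:
        pct = int(tags.get("pct", "100"))          # pct defaults to 100 when absent
    except ValueError:
        return False, "pct tag is not an integer"
    if pct < 100:
        return False, f"p={policy} applied to only {pct}% of failing mail"
    sub = tags.get("sp", policy).lower()           # subdomain policy defaults to p
    if sub not in ("quarantine", "reject"):
        return False, f"sp={sub} leaves subdomains spoofable"
    return True, f"p={policy} enforced on all failing mail"

# Constructed records illustrating the common misconfigurations.
RECORDS = {
    "monitor-only":    "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial":         "v=DMARC1; p=reject; pct=20",
    "weak-subdomains": "v=DMARC1; p=reject; sp=none",
    "enforced":        "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
}

if __name__ == "__main__":
    for name, rec in RECORDS.items():
        ok, why = dmarc_enforcing(rec)
        print(f"{name:16} {'ENFORCING' if ok else 'NOT ENFORCING'}: {why}")
```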


Mistake 5 — Delayed Detection and Inadequate Incident Response

Detection failure is the force multiplier for every other mistake on this list. A missing MFA control is a containable incident if detected in hours. It becomes a $2.87 billion catastrophe when dwell time extends to weeks.

The Ticketmaster breach went undetected for 49 days. The National Defence Corporation fell to InterLock ransomware that remained undetected for 4–6 weeks while exfiltrating 4.2 terabytes of defence contractor data. The Salt Typhoon campaign against US telecommunications carriers persisted for months before attribution — with attackers positioned to intercept communications of senior US government and political figures.

The CrowdStrike incident of July 2024 added a different dimension: a faulty software update from a trusted security vendor caused 8.5 million Windows systems to crash simultaneously — demonstrating that detection and response capabilities must account for supply chain failures in security tooling itself, not just external adversaries.

The detection gap by numbers:

  • 21 days — average time attackers now take to exploit a newly published vulnerability
  • 49 days — Ticketmaster's undetected dwell time before discovery
  • 4–6 weeks — National Defence Corporation dwell time before ransomware deployment
  • $4.88 million — average breach cost in 2024, rising directly with dwell time

Incident response plans that exist only as documents — untested, un-exercised, and unconnected to actual detection tooling — provide the illusion of preparedness without the substance. Tabletop exercises, breach simulations, and Breach and Attack Simulation (BAS) platforms that continuously validate whether controls actually stop what they claim to stop are the operational standard. For the continuous validation framework that makes this measurable, see our guide on the CTEM Framework Decision Model 2026.

  • $4.88M average cost of a data breach in 2024 — a 10% increase year-on-year, with dwell time the primary cost driver
  • 60% of all breaches in 2025 were directly caused by human error, according to the Verizon Data Breach Investigations Report
  • 21 days average window for attackers to exploit a newly published vulnerability — down from 45 days in 2023

CyberNeurix Unique Angle

"The most dangerous aspect of these five mistakes is not their individual impact — it is their compounding interaction. Missing MFA enables credential theft. Unpatched systems provide the initial foothold. Third-party blind spots extend the attack surface invisibly. Human error provides the entry vector. And inadequate detection gives attackers the dwell time to do maximum damage before anyone responds. At CyberNeurix, we see the organisations that close these gaps not as those with the largest security budgets — but as those that have operationalised the discipline to treat known weaknesses as unacceptable risks rather than acceptable residual risk."

Conclusion

The five mistakes documented here are not new discoveries. They appear in every major breach report, every post-incident review, and every security framework published in the last decade. The damage they caused in 2024 and 2025 is not evidence that the threat landscape became impossibly sophisticated. It is evidence that the execution gap between knowing and doing remains the primary determinant of breach outcomes.

Closing these gaps does not require revolutionary technology. It requires MFA on every internet-facing system without exception. It requires continuous asset discovery so that unpatched systems cannot hide. It requires treating third-party access as an active attack surface rather than a compliance exercise. It requires building workflows that remove human decision points from security-critical paths. And it requires detection and response capabilities that are tested continuously — not documented and forgotten.

The organisations that suffered the most in 2024–2025 were not outgunned. They were out-disciplined.

Frequently Asked Questions

What was the single most preventable breach of 2024–2025?

Change Healthcare stands out. A Citrix portal with no MFA enabled allowed attackers using stolen credentials to breach the largest healthcare payment processor in the US. The resulting $22 million ransom payment and $2.87 billion in response costs were the direct consequence of a missing control that costs nothing to implement.

Why does human error remain the leading cause of breaches despite years of awareness training?

Training addresses knowledge gaps. Most breaches exploit workflow gaps — moments where the secure action requires more effort than the insecure action, under time pressure, in interfaces that do not surface risk. Technical controls that make the secure action the default are more effective than training alone.

How does third-party risk translate into a direct breach?

Third-party access — vendor portals, cloud integrations, OAuth tokens, contractor credentials — frequently bypasses the MFA, monitoring, and access controls applied to internal systems. Attackers target the weakest link in the access chain, which is consistently third-party and supply chain access.

What is the relationship between dwell time and breach cost?

Breach cost scales directly with dwell time. Attackers use dwell time to conduct reconnaissance, escalate privileges, exfiltrate data, and disable backups before deploying ransomware. A breach detected in hours is a containment exercise. A breach detected after weeks is a recovery operation — at multiples of the cost.


Comparative Reference: The Five Mistakes and Their Real-World Consequences

| Mistake                   | Representative Incident           | Root Cause                              | Impact                                      |
|---------------------------|-----------------------------------|-----------------------------------------|---------------------------------------------|
| Missing MFA               | Change Healthcare (2024)          | No MFA on Citrix portal                 | $2.87B response cost, $22M ransom           |
| Unpatched systems         | Ivanti mass exploitation (2024)   | Zero-days exploited at scale            | CISA and thousands of orgs breached         |
| Third-party blind spots   | Snowflake campaign (2024)         | Infostealer credentials, no vendor MFA  | AT&T 50B records, Ticketmaster 560M users   |
| Human error               | Ascension Healthcare (2024)       | Employee downloaded malicious file      | 140 hospitals disrupted across 19 states    |
| Delayed detection         | Salt Typhoon (2024–2025)          | Months of undetected dwell time         | 8 US telecoms carriers compromised          |

Sources: Verizon DBIR 2025, IBM Cost of a Data Breach Report 2024, US DHS CSRB, CyberNeurix Threat Monitoring


Next Evolution: The Strategic Roadmap

As we move further into 2026, the intersection of autonomous response and identity-centric architecture will define the winner's circle in cyber defense. Stay tuned for our upcoming deep-dives into LLM-driven threat modeling and quantum-resistant network perimeters.
