Adopting the Assume Breach Mindset
24 Jun 2025
In the third episode of Cyber Horror Stories, Matt O’Kane examines how adopting an “assume breach” mindset proved crucial when ransomware targeted a business. The attack exposed over 200 terabytes of sensitive data, yet the incident was contained within three hours through rapid detection and strong cyber resilience practices.
The Attack Vector
An employee unknowingly installed malicious software, believing it was legitimate open-source code. O’Kane noted that “Virus scanners are only 50 per cent effective, so you want it to be very selective on what software you run.” Once inside the network, the attackers found they had access to approximately 200 terabytes of data and issued a ransom demand sized to the level of cyber insurance coverage expected in that country.
Rapid Response and Containment
The company’s IT team detected abnormal network activity and shut down compromised endpoints within three hours. O’Kane described this response as “gold-standard ability,” emphasizing that the swift detection demonstrated the value of an assume breach approach. The team isolated misbehaving workstations pending investigation.
Recovery Challenges
The incident revealed a critical gap: no backup existed for the affected data. Rather than paying the ransom, the organization developed custom tools to recover files that had been renamed rather than encrypted. Recovery efforts took approximately one month across the full dataset.
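The episode does not describe the company's recovery tooling. As an added illustration (not the organisation's code), the Python triage script below shows the core decision such a tool has to make: classify each file by its content rather than its name, so that renamed-but-intact files are restored in place and genuinely encrypted ones are routed to backups. The signature table and the marker suffixes are assumptions for the example.

```python
import math
from pathlib import Path
# Constructed signature table: leading bytes -> extensions that legitimately carry them.
MAGIC = {
    b"%PDF": ("pdf",),
    b"\x89PNG\r\n\x1a\n": ("png",),
    b"\xff\xd8\xff": ("jpg", "jpeg"),
    b"PK\x03\x04": ("zip", "docx", "xlsx", "pptx"),
    b"GIF8": ("gif",),
}
MARKER_SUFFIXES = (".locked", ".enc")  # assumed suffixes appended by the malware; adjust to what you observe

def sniff_type(header: bytes):
    """Return the extensions implied by the file's leading bytes, or None if unrecognised."""
    for magic, exts in MAGIC.items():
        if header.startswith(magic):
            return exts
    return None

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8 look encrypted or compressed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in set(data)))

def classify(name: str, header: bytes):
    """Triage by content, not name: ('intact'|'renamed'|'encrypted'|'unknown', target name).
    Only 'renamed' files can be recovered in place; 'encrypted' ones need a backup."""
    base = name
    for suffix in MARKER_SUFFIXES:
        if base.endswith(suffix):
            base = base[: -len(suffix)]
    exts = sniff_type(header)
    if exts is not None:
        ext = Path(base).suffix.lstrip(".").lower()
        restored = base if ext in exts else f"{Path(base).stem}.{exts[0]}"
        return ("intact", name) if restored == name else ("renamed", restored)
    if entropy(header) > 7.5:
        return ("encrypted", name)
    return ("unknown", name)

def plan_recovery(root: Path, dry_run: bool = True):
    """Classify every file under root by its first 4 KiB; rename 'renamed' ones unless dry_run."""
    plan = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        verdict, target = classify(path.name, path.read_bytes()[:4096])
        plan.append((str(path), verdict, target))
        if verdict == "renamed" and not dry_run and not path.with_name(target).exists():
            path.rename(path.with_name(target))
    return plan
```

Run `plan_recovery(Path("/restore/share"))` first in dry-run mode and review the plan; the `encrypted` and `unknown` verdicts are the files a backup, not a rename, has to bring back.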
Organizational Culture
Notably, despite the employee’s unintentional introduction of malware, the company supported rather than blamed the individual—reflecting a security-conscious culture prioritizing collaborative incident response over recrimination.