"We Haven't Had a Breach, So We're Doing Fine" — Survivorship Bias in Cybersecurity
It's 1943. The U.S. military is losing bombers over Europe and needs to figure out where to add armor plating to protect the crews. So they do what seems logical: they examine every returning aircraft, map out where the bullet holes are clustered, and plan to reinforce those exact areas.
A statistician named Abraham Wald pushes back. He points out a flaw so obvious in hindsight that it's almost embarrassing: the planes they're studying are the ones that survived. The aircraft hit in the other areas never made it home. They're not in the data. By reinforcing where they see damage, the military is actually doubling down on the safe spots.
This is survivorship bias. And if you've ever said, "We've never had a breach, so we're doing fine," you're making the same mistake.
The Planes That Didn't Come Back
When a firm claims to have never experienced a breach, it is only looking at the aircraft that returned. It doesn't see the attacks that were deflected by luck rather than by design. It doesn't see the credential stuffing attempts against its mailboxes that the email provider quietly blocked. It doesn't see the phishing emails that landed in spam instead of an inbox because someone else's email infrastructure caught them.
And most importantly, they don't see the breaches that already happened but haven't been detected yet.
According to Mandiant's 2025 M-Trends report, the global median dwell time, meaning the gap between initial compromise and detection, is 11 days. But that's the median. Some breaches go undetected for months or even years. And in that same report, well over a third of intrusions were first identified by an outside party, not by the victim organization itself. If your firm isn't actively looking, how would you know if someone is already inside?
The cognitive bias here is natural. When nothing bad happens, it feels like evidence that you're safe. But the absence of news isn't the same as absence of threat. The absence of a detected breach isn't the same as absence of a breach.
What You Can't See Can Still Hurt You
Here's a statistic that should matter to every firm owner: 47% of small businesses have no incident response plan. None. No written procedures. No designated contacts. No backup procedures. If something does happen, they'll be figuring out what to do while the damage is happening.
Only 20% of small businesses perform regular vulnerability assessments. Regular. That means 80% of firms are either doing assessments sporadically or not at all.
If you're not actively looking for problems, the absence of findings doesn't mean the absence of problems. It means you're not looking.
Think about it this way: no one cancels their fire insurance because they haven't had a fire in five years. No one stops maintaining their roof because the last leak was three years ago. The entire concept of insurance and maintenance is built on preparing for what hasn't happened yet. Security works the same way. You prepare before the incident, not after.
The firms that have experienced breaches usually discover them in one of two ways: they were actively monitoring and found something odd, or someone external found it and told them. Either way, what worked was detection, not prevention. And detection is only possible if you're looking.
The Regulators Don't Accept "Nothing Has Happened" as a Defense
If you handle sensitive tax, payroll or other customer financial data, the FTC Safeguards Rule almost certainly applies to you: it covers non-bank "financial institutions" under the Gramm-Leach-Bliley Act, and tax preparers are explicitly on that list. (Healthcare data carries its own obligations under HIPAA.) And the Safeguards Rule has a specific requirement: you must maintain a continuous monitoring program, or, if you don't, you must conduct annual penetration testing together with vulnerability assessments at least every six months.
Notice what's missing: there is no conditional. It doesn't say "if you've been breached before" or "if your risk assessment says you need it." It says you must do it. Full stop. The regulatory framework assumes that threats are constant, not that they arrive with advance notice.
The IRS agrees. Publication 4557, Safeguarding Taxpayer Data, calls for risk assessment as an ongoing part of a tax professional's written information security plan. Not one-time. Ongoing.
The regulators built these requirements on a single assumption: that your firm will face threats, and that the responsible move is to prepare for them whether you've had evidence of an attack or not. They're not trying to be alarmist. They're trying to prevent the mindset that got us looking at the bullet holes on the planes that made it home.
What You Can Do Today
You don't need to overhaul your entire security infrastructure next week. But you can start moving in the right direction.
- Ask your IT provider a specific question. When was the last vulnerability scan run on your network and servers? If no one can answer with a date, or if the answer is "I'm not sure," that's your first action item. This is something that should be documented and scheduled.
- Review your access logs. Can your IT provider show you login activity from the past 30 days? Look for patterns that seem odd: multiple failed login attempts, logins from unusual locations or times, logins from accounts belonging to people who don't work there anymore. You don't need to understand the technical details. Just ask the question and see if anyone feels uncomfortable answering it.
- Check for inactive accounts. Do former employees or seasonal staff still have active network access? This is a simple audit that takes an afternoon and occasionally catches something important.
- Document your current monitoring. Write down what security activities are currently in place. Vulnerability scans? Log monitoring? Email filtering? Endpoint protection? The act of documenting often reveals gaps faster than any consultant can.
- Schedule a quarterly review. Pick a date on your calendar, invite your IT provider or MSP, and make it a standing meeting. Even if everything feels fine, this recurring conversation keeps security top of mind and ensures no one assumes someone else is handling it.
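If you want to hand your IT provider something concrete for the "review your access logs" and "check for inactive accounts" items, the script below is what that review looks like in code. It is an added example written for this post, not a tool from the original article or from any vendor. The log format, the account directory, the "business hours" window, the home-country list and the thresholds are all constructed assumptions; a real run would swap in whatever your identity provider, VPN or domain controller actually exports. It flags the four patterns the checklist names: bursts of failed logins, logins outside business hours, logins from unexpected countries, and successful logins by accounts that should no longer exist, and then lists active accounts that have not logged in for 30 days.

```python
"""Review login activity for the patterns named in the checklist above.

Added example, not from the original post. Log format, directory, hours,
countries and thresholds are assumptions; adapt to your own exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: one login event per line, UTC timestamps.
SAMPLE_LOG = """\
2025-03-03T09:02:11Z user=alice result=OK src=198.51.100.7 geo=US
2025-03-03T09:15:42Z user=bob result=OK src=198.51.100.9 geo=US
2025-03-04T02:14:07Z user=alice result=OK src=203.0.113.5 geo=RO
2025-03-05T11:00:01Z user=carol result=FAIL src=192.0.2.44 geo=US
2025-03-05T11:00:03Z user=carol result=FAIL src=192.0.2.44 geo=US
2025-03-05T11:00:04Z user=carol result=FAIL src=192.0.2.44 geo=US
2025-03-05T11:00:06Z user=carol result=FAIL src=192.0.2.44 geo=US
2025-03-05T11:00:09Z user=carol result=FAIL src=192.0.2.44 geo=US
2025-03-05T11:00:12Z user=carol result=OK src=192.0.2.44 geo=US
2025-03-06T14:30:00Z user=dave result=OK src=198.51.100.12 geo=US
"""

# Constructed account directory: "dave" left the firm, "erin" is on staff.
DIRECTORY = {"alice": "active", "bob": "active", "carol": "active",
             "dave": "departed", "erin": "active"}

BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 UTC (assumption)
HOME_COUNTRIES = {"US"}             # where staff normally log in from (assumption)
FAIL_THRESHOLD = 5                  # failures per user inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
INACTIVE_AFTER = timedelta(days=30)
EPOCH = datetime.min.replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn 'ts key=value ...' lines into dicts; keeps the raw timestamp string."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw_ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["raw_ts"] = raw_ts
        fields["ts"] = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    return events


def review_logins(events, directory, now):
    """Return {finding_type: [...]} for the patterns the checklist describes."""
    findings = defaultdict(list)
    recent_failures = defaultdict(list)   # user -> failure timestamps in window
    last_success = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ts = e["user"], e["ts"]
        if e["result"] == "FAIL":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.pop(0)                    # forget failures outside the window
            if len(window) == FAIL_THRESHOLD:    # flag once, when the threshold is hit
                findings["failed_login_burst"].append((user, e["raw_ts"]))
            continue
        last_success[user] = ts
        if directory.get(user) != "active":      # departed, unknown or disabled account
            findings["login_by_non_active_account"].append((user, e["raw_ts"]))
        if ts.hour not in BUSINESS_HOURS:
            findings["off_hours_login"].append((user, e["raw_ts"]))
        if e.get("geo") not in HOME_COUNTRIES:
            findings["login_from_unexpected_country"].append((user, e["raw_ts"], e.get("geo")))
    # Inactive-account audit: still enabled, but no successful login in 30 days.
    for user, status in directory.items():
        if status == "active" and now - last_success.get(user, EPOCH) > INACTIVE_AFTER:
            findings["inactive_account"].append(user)
    return dict(findings)


def review_sample(now="2025-04-02T12:00:00Z"):
    """Run the review over the constructed sample as of a fixed 'today'."""
    as_of = datetime.strptime(now, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return review_logins(parse_log(SAMPLE_LOG), DIRECTORY, as_of)


if __name__ == "__main__":
    for kind, items in review_sample().items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

On the sample data this reports carol's five failures in eleven seconds (followed by a success, which is worth a phone call), alice's 02:14 login from Romania, a login by dave after he left, and two active accounts, bob and erin, with no login in the last 30 days. The thresholds are deliberately simple; the point is that each item on the checklist is a question a script can answer in seconds once the logs are actually being collected.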
The Bottom Line
The absence of a known breach is not evidence of security. It might be evidence of effective detection. It might be evidence of good fortune. Or it might be evidence of inadequate visibility into your own systems.
The firms that are truly prepared are the ones that assume they'll face a threat and build accordingly. They don't wait for evidence of a breach to act. They build their security posture on the assumption that an attacker will eventually try, and when that happens, the firm will be ready. That's the mindset that keeps you proactive instead of reactive.
Abraham Wald was right about the bombers. The most critical vulnerabilities are the ones you're not seeing. And the only way to change that is to stop looking at what came back, and start looking at what might not.
If you're ready to move beyond the survivorship bias and build a security program that doesn't depend on luck, that's where we come in. SafeGuardGRC helps firms like yours implement the monitoring, assessments, and controls that regulators expect and threats demand. Not because you've had a breach, but because you're thoughtful enough to prepare for the one you haven't seen yet.