The bottom line: One in six breaches involves third parties, and even rapid patches fail to prevent most incidents—therefore incident exercises must prioritize operational resilience and third-party scenarios.
The Verizon Data Breach Investigations Report 2026 analyzed over 22,000 confirmed data breaches worldwide. The central finding: organizations cannot close security gaps fast enough to prevent all incidents—even top performers remediate only 30 to 40 percent of known, exploited vulnerabilities within one week.
Vulnerability exploitation has become the most common initial access method. The median time to remediate critical gaps rose to 43 days, while the volume of critical vulnerabilities grew by 50 percent year-over-year. Despite years of investment in tools, process maturity, and regulatory pressure, remediation rates for known exploited vulnerabilities from the CISA catalog stagnated—even among high-performing organizations. This insight demonstrates that a pure patch management focus is insufficient.
Ransomware is present in 48 percent of all confirmed breaches, an increase from 44 percent in the prior year. Of victims with known organization size, 96 percent were small and medium-sized enterprises. Payment willingness is declining: 69 percent of victims refused to pay (prior year: 65 percent), and the median ransom payment fell to $139,875. Attackers are intensifying operational disruptions to force faster payment decisions, as the attacks on Marks & Spencer (estimated £300 million in damage) and Jaguar Land Rover (£1.9 billion, five-week production halt) demonstrate.
For CISOs, this means: ransomware exercises must go beyond the payment question. Scenarios should cover operational continuity without primary systems, coordination with legal counsel and law enforcement, customer communication within regulatory deadlines, and disclosure decisions. Organizations that only rehearse the payment question practice the opening scene and ignore the rest of the drama.
Breaches involving third parties, vendors, or service providers reached 48 percent of all confirmed incidents—an increase of 60 percent over the prior year. Most tabletop exercises completely ignore this scenario. When a third party is compromised, teams need exactly the information that the vendor is slowest to provide. Exercises should simulate this friction: Which of your data was collected? What is the confirmed scope? Which protocols exist? How do you notify other affected customers? In parallel, teams must practice informing customers transparently while investigations are still ongoing—clarity builds trust, premature attribution destroys partnerships.
Source: www.csoonline.com · Published June 17, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.