Key Takeaways:
- The primary cause of damage in 2025 was not sophisticated attacks, but rather ordinary systems breaking in ways that altered decision-making.
- Cyber risk is a decision problem, not just a technical one.
- Organizations need to focus on preserving decision quality under uncertainty and protecting accountability during crisis response.
- Identity-first resilience and recovery with accountability are crucial for effective cybersecurity.
- Decision integrity should be a key security objective, and organizations should design for degraded system states.
- Metrics should reflect human impact, rather than just technical performance.
Introduction to the Problem
As we reflect on 2025, it becomes clear that the year’s most significant cybersecurity challenges were not the result of sophisticated attacks or unexpected adversaries. Instead, the majority of the damage came from ordinary systems breaking in ways that quietly altered how people made decisions. This led to an erosion of confidence, a shift in judgment, and humans being forced to act without reliable truth. The real harm occurred when systems stayed online, dashboards stayed green, but the information they provided was no longer trustworthy.
The Impact on Healthcare
The ransomware attack on Change Healthcare and the incident at Ascension are prime examples of how these failures played out in the healthcare sector. While systems were eventually restored, hospitals and providers spent weeks operating with incomplete data, delayed reimbursements, and manual workarounds. The organizations experienced several failures during these attacks, including a lack of resilience in identity systems, weakened audit trails, and a focus on restoring services rather than restoring trust in data accuracy. Clinicians were unable to distinguish between unavailable systems and unreliable ones, leading to delays in treatment and a higher probability of errors in time-sensitive scenarios.
The Global Outage: A Case Study
The global outage that affected airlines, hospitals, banks, and enterprises was not the result of an attack, but rather an erroneous update to CrowdStrike’s platform. What stood out about this outage was not the technical root cause, but how quickly operational confidence collapsed. Organizations struggled to verify system state, recovery guidance varied by environment, and leaders were forced to make high-impact decisions without reliable confirmation. The update pipelines lacked effective blast radius containment, and defenders’ ability to independently verify system state was limited. The impact was significant, with flights grounded, medical services delayed, and business operations around the world grinding to a halt.
Identity and Access Failures
There were multiple incidents in 2025 where identity and access management failed, with a consistent pattern of shared administrator credentials, emergency access credentials that didn’t expire, and service accounts that bypassed controls. The process failures were the result of treating identity governance as secondary to availability, and recovery actions were not auditable end-to-end. The risks of insider threat and attackers moving laterally through the network increased, and confidence in the organization’s incident response capabilities declined. To address these issues, organizations need to implement crisis mode identity policies, post-incident access revalidation, and treat access boundaries as operational risk barriers.
Lessons Learned and the Path Forward
The defining cyber failures of 2025 were not about sophistication, but rather about scale, dependence, and uncertainty. Cybersecurity programs were built to stop attackers, restore uptime, and close vulnerabilities, but they were not built to preserve decision quality under uncertainty or protect accountability during crisis response. To move forward, cybersecurity must evolve from protecting systems to protecting human decisions made through systems. Organizations need to shift to a mindset that focuses on identity-first resilience and recovery with accountability, and decision integrity needs to become part of the organization’s security objectives. By designing for degraded system states and prioritizing human impact, many of last year’s harms can be prevented, not by stopping every incident, but by ensuring systems fail in ways people can safely understand.

