For nearly seven years, a company provided critical information operations and management services to one of its clients. In all that time, there was never a backup strategy in place for the client’s systems. Not once. It was never raised, never considered, never questioned. And the company in question was not responsible for the backups: the client’s IT department had expensive management contracts with third parties for that.
Until now.
Suddenly, backups have become the biggest agenda item. But as investigations unfold, it turns out this isn’t just a backup issue — this is a symptom of a much deeper problem.
Why do businesses ignore risks until they become emergencies? Why was a foundational security practice like backups never discussed for nearly a decade? And more importantly, what else has been ignored?
This isn’t just about technology — it’s about human psychology, trust, and the dangerous assumption that everything is fine because nothing has gone wrong.
The human brain is wired to focus on immediate threats, not long-term risks. When security threats don’t visibly disrupt business operations, they become invisible in decision-making.
🔹 Recency Bias: If nothing bad has happened, we assume nothing will. Organisations base security decisions on past experiences rather than potential future risks. We can, hand on heart, say this is because a proper threat and risk assessment has never been performed.
🔹 Normalcy Bias: “We’ve always done it this way” prevents proactive security measures. If the system has worked for seven years without backups, why start now?
🔹 Optimism Bias: “It won’t happen to us.” Companies believe they are less likely to suffer a security incident than others, despite evidence to the contrary.
🔹 Diffusion of Responsibility: “It’s not our domain.” The client assumed the IT provider had backups covered. The IT provider assumed it wasn’t their responsibility. Or simply, the IT provider had no idea what they needed to do. No one asked.
The result? A critical security failure that could have been prevented with one simple question: ‘Do we have a backup strategy and do we know the real risks for the systems in question?’
For years, the client relied on a trusted IT provider. There was a strong working relationship, a history of service, and an assumption that security was being handled.
But when does trust become complacency?
🔹 Over-reliance on a single provider: Companies trust long-term partners without verification. It is not only the solutions that need testing; the organisation’s partners need to be tested too.
🔹 Failure to challenge expertise: Long-term relationships make businesses less likely to question or second-guess their providers.
🔹 Lack of accountability: Assumptions replace due diligence, creating blind spots.
This raises an uncomfortable question: Is friendship killing accountability in business? If an organisation trusts an IT provider blindly, is it really managing its own risks?
Once the missing backup issue was flagged, it opened Pandora’s box.
Suddenly, deeper security concerns came to light:
When one major oversight is exposed, it often reveals a pattern of neglected risk management. If backups weren’t considered, what else is missing? We know from experience that no proper threat and risk assessment has been performed.
The absence of failure does not mean the presence of security.
A business operating for years without an issue does not mean it’s secure — it means it’s been lucky. Many companies only act on risk after an incident, rather than proactively addressing vulnerabilities before they become disasters.
🛑 Crisis-Driven Security (Reactive):
✅ Proactive Security (Preventative):
The question is: Which one are you?
Security isn’t about buying tools — it’s about how people think, behave, and act.
✔ Challenge Assumptions: Just because an IT provider is trusted doesn’t mean every security risk is covered. Always ask.
✔ Verify Security, Don’t Trust It: The phrase “We thought it was there” is never an acceptable excuse. Security should be documented, tested, and confirmed.
✔ Conduct Threat and Risk Assessments: If no formal risk assessment has been done, then no one actually knows the full extent of potential threats.
✔ Move Beyond Reactive Security: Don’t wait for a security incident to force change. Make security a proactive, leadership-driven priority.
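“Verify, don’t trust” can be made concrete. The script below is an added example, not something from the engagement described above: it takes the backup evidence a provider should be able to hand over for each system (a constructed manifest with assumed field names, a 24-hour recovery point objective and a 90-day restore-test cadence, all assumptions) and lists every system whose backup is merely assumed rather than documented, fresh, integrity-checked and restore-tested.

```python
from datetime import datetime, timedelta, timezone

# Constructed backup evidence for illustration: one record per system.
# The field names and the two thresholds are assumptions, not a standard.
MAX_BACKUP_AGE = timedelta(hours=24)       # assumed recovery point objective
MAX_RESTORE_TEST_AGE = timedelta(days=90)  # assumed restore-test cadence
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed so results are repeatable

BACKUP_EVIDENCE = [
    {"system": "erp-db",   "last_backup": "2024-06-01T02:00:00Z",
     "checksum_verified": True,  "last_restore_test": "2024-05-10T00:00:00Z"},
    {"system": "file-srv", "last_backup": "2024-05-20T02:00:00Z",
     "checksum_verified": True,  "last_restore_test": "2024-05-25T00:00:00Z"},
    {"system": "mail",     "last_backup": "2024-06-01T01:00:00Z",
     "checksum_verified": False, "last_restore_test": None},
    {"system": "crm",      "last_backup": None,
     "checksum_verified": False, "last_restore_test": None},
]

def _parse(ts):
    """Parse an ISO-8601 UTC timestamp, or return None when no evidence exists."""
    if not ts:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assess_backup(record, now=NOW):
    """Return the findings for one system. An empty list means the backup is
    documented, fresh, integrity-checked and restore-tested within the window."""
    findings = []
    last = _parse(record.get("last_backup"))
    if last is None:
        findings.append("no backup recorded")
    elif now - last > MAX_BACKUP_AGE:
        findings.append(f"backup stale ({(now - last).days} days old)")
    if not record.get("checksum_verified"):
        findings.append("integrity not verified")
    tested = _parse(record.get("last_restore_test"))
    if tested is None:
        findings.append("never restore-tested")
    elif now - tested > MAX_RESTORE_TEST_AGE:
        findings.append("restore test overdue")
    return findings

def unverified_systems(records, now=NOW):
    """Map every system that fails at least one check to its findings."""
    return {r["system"]: f for r in records if (f := assess_backup(r, now))}

if __name__ == "__main__":
    for system, findings in unverified_systems(BACKUP_EVIDENCE).items():
        print(f"{system}: {'; '.join(findings)}")
```

A system that passes every check is the only one you may claim to be covered; everything the script prints is a “we thought it was there”.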
The missing backup wasn’t the real failure. The failure was never thinking about it.
Companies don’t suffer security breaches because they lack firewalls, backups, or monitoring — they suffer breaches because:
❌ They assume security is being handled without verification.
❌ They fail to prioritise security culture over convenience.
❌ They ignore risks until they become full-blown crises.
Ask yourself:
✅ Have you verified your security measures, or are you just trusting they exist?
✅ Do your IT and leadership teams actively discuss security risks, or is it an afterthought?
✅ If an attack or failure happened tomorrow, would your business survive it?
If you can’t confidently answer yes to these, then you’re not managing security — you’re gambling with it.
At Shimazaki Sentinel, we don’t sell the illusion of security — we build real resilience.
🔹 Cognitive Threat Intelligence training — Learn how attackers manipulate perception and behaviour.
🔹 Security leadership coaching — Because security starts at the top.
🔹 Practical, real-world security strategies — No fluff, no vendor lock-in, just smart security thinking.
💡 Let’s move beyond security theatre and start securing your business for real.