Spend enough time browsing through cybersecurity communities, technical forums, or discussions among industry professionals, and you start to notice a shift in tone. Security breaches no longer feel like isolated events. Every week seems to bring another headline: a company hit by ransomware, an exposed database, a critical vulnerability exploited at record speed, a phishing campaign that looks more convincing than the last, or a debate over whether artificial intelligence is making attackers more dangerous.
La pregunta, entonces, no es descabellada: So the question is not unreasonable: are cyberattacks actually getting worse, or are we simply more aware of them?
The short answer is: probably both. There is more visibility, more reporting, more public discussion, and more media attention. But there are also clear signs that the threat landscape is changing. Not necessarily because companies have “forgotten” how to protect themselves, but because the digital environment has become more complex, more interconnected, and much harder to defend at the speed modern attackers now demand.
Correlation Does Not Always Mean Causation
When we see more breach headlines, our first reaction may be to assume that security is getting worse. But that conclusion can be incomplete. Seeing more incidents does not automatically mean every organisation is doing a worse job. It may also mean there are more connected systems, greater dependence on cloud platforms, more integrated suppliers, more data in circulation, and better mechanisms for detecting and reporting incidents.
In other words, there may be a correlation between “more breach headlines” and “more attacks”, but that does not prove a single cause.
Cybersecurity rarely has simple explanations. A single incident may involve an unpatched vulnerability, compromised credentials, configuration errors, third-party providers, social engineering, legitimate tools abused by attackers, and increasingly, some level of automation or assistance through artificial intelligence.
That is why, instead of asking whether “cybersecurity is failing”, it is more useful to ask a more precise question: what conditions are making attacks more frequent, faster, or more visible?
The First Clue: Attackers Are Exploiting Vulnerabilities Faster
One of the most important changes is how attackers gain initial access. The Verizon 2026 Data Breach Investigations Report analysed more than 31,000 real-world security incidents and more than 22,000 confirmed breaches involving organisations across 145 countries. In that report, Verizon states that vulnerability exploitation has emerged as the most common way attackers gain initial access to an organisation’s environment
This matters. For years, much of the cybersecurity conversation focused on stolen passwords, phishing, and human error. Those risks have not disappeared. But the picture is expanding: attackers are taking advantage of known technical flaws, internet-facing systems, and devices or applications that have not been updated in time.
The issue is not only that vulnerabilities exist. The issue is speed. Fortinet reported that, for critical outbreaks, time to exploit can now fall within 24 to 48 hours, compared with previous references of 4.76 days. Fortinet also noted that active exploitation attempts were observed within hours of the public disclosure of the React2Shell vulnerability.
That changes the equation for any business. If an attacker can turn a public vulnerability into a real opportunity within hours, while an organisation takes days or weeks to identify, prioritise, and remediate that exposure, the risk window becomes dangerously wide.
The Second Clue: Artificial Intelligence Does Not Replace the Attacker, but It Accelerates Them
Artificial intelligence is not the sole cause of today’s cybersecurity crisis. It would be too simplistic to say that “everything is worse because of AI”. However, AI does appear to be acting as an accelerator.
Check Point Research noted that artificial intelligence is already embedded across different phases of the attack lifecycle, helping accelerate familiar techniques with greater speed and scale. Its observations include more convincing social engineering, faster reconnaissance and targeting, and accelerated malware development.
CrowdStrike also reported that AI-enabled adversary operations increased by 89% year over year, and that the average eCrime breakout time fell to 29 minutes in 2025, with the fastest observed case taking only 27 seconds. CrowdStrike also stated that adversaries exploited legitimate GenAI tools at more than 90 organisations through malicious prompt injection, generating commands aimed at stealing credentials and cryptocurrency.
The implication is important: AI does not need to invent entirely new attacks to be dangerous. It only needs to make existing attacks more efficient. It can help write more natural phishing messages, summarise public information about a target, generate variations of code, automate reconnaissance, or reduce the time between intent and execution.
For defenders, this means response time becomes even more critical. “Reasonable” controls are no longer enough if those controls depend on slow, manual, or disconnected processes.
The Third Clue: Ransomware Has Become More Industrialised
Ransomware is not new either. What has changed is its operating model. It is no longer only about encrypting files and demanding payment. Many groups now combine data theft, reputational pressure, direct extortion, regulatory threats, and personalised negotiation.
Fortinet reported 7,831 confirmed ransomware victims globally, compared with approximately 1,600 identified in its previous report. Fortinet also linked part of that increase to the availability of criminal kits and services such as WormGPT, FraudGPT, and BruteForceAI
Check Point described ransomware operations as becoming more fragmented and targeted, with increased use of data-only extortion, more personalised tactics, and shorter attack and negotiation timelines supported by automation and AI.
This helps explain why many breaches “feel” worse. Impact is no longer measured only by how long a system was offline. It also matters whether data was stolen, whether customer information was exposed, whether operations were disrupted, whether a supplier was compromised, or whether the business had to manage public communication, compliance, and trust all at once.
The Fourth Clue: The Enterprise Perimeter Is No Longer So Clear
For a long time, many companies thought about security as a defence around their own systems. Today, that model is no longer enough. Organisations depend on cloud platforms, SaaS applications, third-party integrations, APIs, technology providers, remote devices, federated identities, and collaboration tools.
IBM stated that supply-chain and third-party compromises have increased sharply over the past five years, with incidents quadrupling according to the X-Force report discussed by IBM. IBM also reported that X-Force observed a 44% year-over-year increase in exploitation of public-facing applications, explaining that these applications are often exploited because of vulnerabilities, deployment issues, or configuration errors
This is especially relevant for companies modernising their digital operations. Cloud, connectivity, and external platforms offer major advantages, but they also expand the attack surface if they are not managed with visibility, identity control, secure configuration, and continuous monitoring.
The question is no longer only, “Are my servers secure?” Businesses also need to ask: Do I know which assets are exposed? Which suppliers have access to my data? Which identities have excessive privileges? Which public-facing applications are outdated? Which AI tools are my teams using without oversight?
So, Is It Coincidence or Causation?
It does not appear to be a simple coincidence. But there is not one single cause either.
What we're seeing is a convergence. Attackers are moving faster. Vulnerabilities are being exploited with greater urgency. AI is reducing friction in parts of the attack chain. Ransomware is operating like an industry. Companies depend on more complex digital ecosystems. And many organisations are still trying to respond with processes designed for a slower era.
The best explanation is not that “cybersecurity protocols are getting worse”. In fact, many security practices have improved. There is greater adoption of MFA, more awareness around phishing, more monitoring solutions, more managed services, and more executive-level discussion about cyber risk.
The problem is that the minimum standard has risen. What used to be an acceptable defence may now fall short against attackers that automate, scale, and exploit opportunities within hours.
What Businesses Should Do
The answer is not to panic or buy technology without a strategy. The answer is to return to the fundamentals, but execute them with more discipline and continuity.
First, businesses need real visibility over their assets. You cannot protect what you do not know exists. This includes servers, endpoints, cloud applications, users, devices, suppliers, integrations, and internet-facing systems.
Second, vulnerability management needs to become more dynamic. Occasional scanning is not enough. Organisations need to prioritise based on exposure, criticality, likelihood of exploitation, and operational impact. If a vulnerability is already being actively exploited, the clock moves faster.
Third, identity should be treated as a central perimeter. Phishing-resistant MFA, least privilege, monitoring for anomalous behaviour, and regular reviews of privileged access are essential in an environment where attackers look for valid credentials and active sessions.
Fourth, cloud and suppliers need to be part of the risk conversation. Security no longer ends with owned infrastructure. Every integration, API, service account, or provider with access can become an indirect route into the organisation.
Fifth, detection and response must be ready for speed. If attackers move in minutes, defence cannot depend exclusively on manual reviews, isolated alerts, or processes that are only tested once an incident has already happened.
An Opportunity to Mature, Not Just React
The most important conclusion is that the rise in breaches should not be read only as a sign of failure. It is also a sign of transition. Businesses are operating in a more digital, more connected world that depends more heavily on technological trust. That requires cybersecurity to become less reactive and more strategic.
For organisations in Panama, and in any globally connected market, this issue is not distant. The same cloud platforms, SaaS providers, ransomware threats, and phishing campaigns that affect large international companies can also impact local businesses, regional providers, and growing organisations.
The question is not whether a company will be “interesting” to attackers. The question is whether it has enough visibility, preparation, and response capability to reduce risk before an incident becomes a crisis.
At Shadwell, we believe modern cybersecurity is not only about blocking threats. It is about building resilience: understanding the environment, protecting critical assets, anticipating risk, responding quickly, and maintaining the trust of customers, partners, and users.
Cyberattacks are not necessarily getting worse for one single reason. They are evolving because the digital world has evolved as well. In this new environment, companies that treat security as an occasional project will be at a disadvantage against attackers that operate continuously.
The good news is that there is still room to act. But action must be continuous, measurable, and aligned with the business. Because in cybersecurity, the difference between correlation and causation may be interesting to debate; but the difference between preparation and reaction can define the future of a company.
Sources
https://research.checkpoint.com/2026/cyber-security-report-2026/
https://www.crowdstrike.com/en-us/press-releases/2026-crowdstrike-global-threat-report/
https://www.ibm.com/think/insights/more-2026-cyberthreat-trends
