77% of organisations have done what the security frameworks recommend. Firewalls are deployed. Antivirus is running. Password policies are documented and enforced. By every standard checklist, the baseline is covered. The breach statistics say otherwise.
Strong Adoption but Breaches are Still Rising
Two independent reports, one from the UK government, one from Sophos, surveyed thousands of organisations and arrived at the same conclusion: standard security controls are not preventing breaches at scale.
The Cyber Security Breaches Survey 2025, commissioned by the UK Department for Science, Innovation and Technology (DSIT) and the Home Office, surveyed 2,180 UK businesses.
The cyber hygiene adoption figures are strong:
- 77% of businesses have implemented up-to-date malware protection
- 73% have established formal password policies for staff
- 72% have deployed network firewalls
And yet, 43% of those same businesses reported experiencing a cyber security breach or attack in the last 12 months, rising to 67% of medium businesses and 74% of large businesses. The organisations with the most mature security postures are being breached at the highest rates.
Sophos’s State of Ransomware 2025, based on direct interviews with 3,400 IT and cybersecurity leaders whose organisations had all been hit by ransomware, provides the operational detail behind why. When asked what contributed to falling victim, respondents identified near-equal failures across three categories:
- 65% cited security gaps — either unknown vulnerabilities in their defences, or known weaknesses that had not been addressed
- 63% cited protection issues — either an absence of sufficient solutions or security products that could not stop the attack
- 63% cited resourcing issues — insufficient expertise or personnel capacity to detect and respond in time
Critically, 37% stated explicitly that their cybersecurity products and services were not able to stop the attack, meaning they had security tooling deployed, and it failed. These are not organisations that skipped security investment. These are organisations that discovered their investment had a ceiling. You can have nearly every standard control in place and still find yourself in the breach statistics.
Why Standard Controls Have a Security Gap
Malware scanners, firewalls, and password policies share a common design philosophy: they are built to intercept known threats at the perimeter. They excel at blocking malware signatures, filtering malicious traffic, and enforcing credential rules. What they are not designed to do is monitor what happens after an attacker gains a foothold inside your Windows Server environment.
Both reports identify attack vectors that exploit this gap. The CSBS 2025 found that phishing was reported by 85% of breached businesses, bypassing technical filters through human interaction rather than technical vulnerability. Sophos’s 2025 ransomware data aligns closely: 32% of ransomware attacks began with an exploited vulnerability, 23% used compromised credentials, and the combined email-based vectors (malicious email and phishing) accounted for 37% of incidents. Because these attack paths use legitimate access methods or target human behaviour, traditional firewalls and malware scanners have no mechanism to detect them.
Consider the activity that standard controls routinely miss once an attacker is inside:
- A compromised admin credential used during off-hours to make quiet registry changes
- A legitimate service being reconfigured to execute malicious payloads
- IIS virtual directories being modified to enable persistent access
- Scheduled tasks added or altered to maintain a foothold on the server
None of these activities trigger an antivirus alert. None are stopped by a firewall. None violate a password policy. They are invisible to the tools most organisations rely on, and they represent precisely how modern attackers operate after initial access is established.
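One way to make these changes visible, as an added example (it is not Messageware's code and does not describe how STG works): snapshot services, scheduled tasks and machine-wide Run keys, then diff each later run against a saved baseline. The function names and the baseline path are assumptions.

```powershell
# Added example: baseline-and-diff for services, scheduled tasks and Run keys.
# Function names and $BaselinePath are hypothetical. Run from an elevated session.
$BaselinePath = 'C:\ProgramData\ServerBaseline\baseline.json'   # assumed location

function Get-ServerSnapshot {
    # Services: binary path, start mode and logon account
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name
            Value = "$($_.PathName)|$($_.StartMode)|$($_.StartName)" }
    }
    # Scheduled tasks: the command line (or COM class) of every action
    Get-ScheduledTask | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments) $($_.ClassId)".Trim() }) -join ';'
        [pscustomobject]@{ Kind = 'Task'; Name = "$($_.TaskPath)$($_.TaskName)"; Value = $actions }
    }
    # Startup items: machine-wide Run keys (64-bit and 32-bit views)
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path $key) {
            $reg = Get-Item -Path $key
            foreach ($n in $reg.GetValueNames()) {
                [pscustomobject]@{ Kind = 'RunKey'; Name = "$key\$n"; Value = [string]$reg.GetValue($n) }
            }
        }
    }
}

function Compare-ServerSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    $old = @{}; $seen = @{}
    foreach ($b in $Baseline) { $old["$($b.Kind)|$($b.Name)"] = $b }
    foreach ($c in $Current) {
        $id = "$($c.Kind)|$($c.Name)"; $seen[$id] = $true
        if (-not $old.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Added'; Kind = $c.Kind; Name = $c.Name; Old = $null; New = $c.Value }
        } elseif ($old[$id].Value -ne $c.Value) {
            [pscustomobject]@{ Change = 'Modified'; Kind = $c.Kind; Name = $c.Name; Old = $old[$id].Value; New = $c.Value }
        }
    }
    foreach ($id in $old.Keys) {
        if ($seen.ContainsKey($id)) { continue }
        [pscustomobject]@{ Change = 'Removed'; Kind = $old[$id].Kind; Name = $old[$id].Name; Old = $old[$id].Value; New = $null }
    }
}

$current = Get-ServerSnapshot
if (-not (Test-Path $BaselinePath)) {      # first run: record the baseline
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
} else {                                   # later runs: report what changed
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    Compare-ServerSnapshot -Baseline $baseline -Current $current | Format-List
}
```

Keep a copy of the baseline off the monitored server, since anyone holding the admin credential described above could otherwise rewrite it along with the change.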
Closing the Gap Between “Protected” and “Secure”
The breach statistics from both reports are not an indictment of individual security tools. Malware protection, firewalls, and password policies are necessary controls and worth maintaining. The failure lies in treating them as a complete security posture.
A perimeter-focused security stack answers one question: “Did something bad try to get in?” It does not answer: “Has something changed on my server?”
This distinction defines the gap that both the CSBS 2025 and Sophos’s State of Ransomware 2025 expose. Sophos’s own recommendations state it directly: endpoints, including servers, are the primary destination for ransomware actors, so ensure that they are well defended, including with dedicated protection to stop and roll back malicious encryption.
A Security Layer That Watches Behavior
This is the gap that Messageware Server Threat Guard (STG) is built to address. Rather than operating at the perimeter, STG runs directly on your Windows Server, continuously monitoring for the behavioural indicators that signal compromise or post-access misuse from within.
Its capabilities target the blind spots that standard controls leave open:
- Deep server monitoring — STG tracks services, scheduled tasks, startup items, virtual directories, IIS configurations, the registry, and event logs.
- Login and change detection — Unexpected server logins, unauthorised configuration changes, and suspicious system modifications are flagged as they happen. When an attacker reconfigures an IIS virtual directory for persistent access, STG sees it.
- Intelligent AutoLearn — STG establishes a behavioural baseline specific to your server environment, then surfaces only meaningful irregularities, eliminating the false-positive volume that causes genuine threats to be overlooked.
- Zero-trust data privacy — All analysis runs locally on the server; no sensitive data is transmitted externally for analysis, whether the server is deployed on-premises, in Azure, or on AWS.
Defence-in-Depth Is Not Optional
The CSBS 2025 and Sophos’s State of Ransomware 2025 arrive independently at the same finding: organisations that have implemented the recommended security baseline are still being breached at scale. The Sophos data goes further: it tells us that in 63% of ransomware incidents, the protection layer itself was part of the problem, either absent where it was needed or unable to stop the attack when tested.
The question for security leaders is no longer whether to layer defences, but which layer closes the gaps that standard controls leave exposed.
If your current stack monitors the perimeter but not the server, the data suggests that gap is exactly where attackers are operating.
Try Server Threat Guard free for 60 days — up to 5 servers, fully installed and supported. See what your current stack is missing.
UK breach statistics are sourced from the UK Government’s Cyber Security Breaches Survey 2025, published April 2025, commissioned by DSIT and the Home Office. Ransomware statistics are sourced from Sophos, State of Ransomware 2025, June 2025, based on a survey of 3,400 IT and cybersecurity leaders across 17 countries.
Fortify Your Server with Messageware Security
Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Server Threat Guard (STG) for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security. Stop AD account lockouts, eliminate password attacks, intelligent GEO blocking, and prevent Exchange Server vulnerability probing.
Don’t leave your critical infrastructure vulnerable. Be proactive and stay ahead of evolving threats.