03:17 AM: When Everything Goes Wrong by Jonathan Wood

There is a very specific time of day when it all seems to fall apart. For Cyber Security, that time is around 03:17 AM.

If you’re in security, you will recognise this feeling, the kind of sensation where you feel there is an elephant in the room. It’s the moment your phone lights up with an alert. You’re jolted awake. A breach. Live, active, and unfolding. Your first thought: What failed? The second: What did we think was working that clearly wasn’t?

As a fractional Cyber Security Team, we work with organisations that pride themselves on maturity, on process, on controls. And yet, I’ve been through enough of these 03:17 incidents to know this: false confidence is the most dangerous threat in the room.

Real Breaches, Real Consequences

Let’s talk about what actually happens when you get that 03:17 call. It’s rarely a sophisticated nation-state attack. More often than not, it’s a misconfigured cloud bucket. It’s an out-of-date endpoint detection tool. It’s a privileged account that wasn’t removed after a contractor left.

These aren’t zero-day headlines. They’re routine oversights. They happen because we assumed something was in place. Someone was checking. Some tool was watching.

This is the quiet killer of cybersecurity resilience – false confidence. Not malicious actors with advanced exploits. Not the breach we couldn’t possibly anticipate. But the one we could have. The one we were certain someone else had covered all of our bases.

Take this recent example from a mid-sized financial services firm. They had completed a migration to a hybrid cloud environment six months earlier. The IT director assured leadership that all backups were running nightly, with weekly validation. Everything looked green on the dashboard. When they were hit with ransomware, it wasn’t even a novel strain, just well-executed phishing, followed by lateral movement through a misconfigured account with legacy admin rights.

The moment they reached for their backups, they discovered something chilling: the backups had failed silently. Logs indicated issues for weeks. The storage was full. The validation scripts hadn’t run since the migration. The ‘tool’ was watching (yes) but it wasn’t alerting. And no one was watching the tool.

The incident cost them five days of downtime, substantial reputational damage, and weeks of internal recovery operations. Not because they didn’t invest in security, but because they believed they were safe..

One breach that has graced our newsfeeds recently started with a legacy system no one remembered was still connected to production. The attacker didn’t have to break anything. They walked in through an open door. The business impact? Millions. And reputational damage that still lingers.

The Illusion of Control

At Muse we review a lot of cyber strategies. What I see often are polished documents, great intentions, and strong statements of assurance. But when we dig beneath the surface, the control that’s promised isn’t the control that’s practiced.

Backups exist, but they’re not tested.

MFA is deployed, but not everywhere.

Incident response plans exist, but no one has opened them in six months.

It’s not malicious. It’s human. We want to believe we’re covered. We put in a tool and we mentally check the box. But discipline in cybersecurity is not about installing a tool. It’s about operating it, validating it, and revisiting it under stress.

Resilience Isn’t Exciting, But It’s Critical

One of the hardest things to sell in a boardroom is resilience. It doesn’t grab attention. It’s not the AI-enhanced shiny dashboard. It’s boring things like:

• Immutable backups

• Offsite recovery

• Logging that actually stores logs

• Teams that rehearse their incident response playbooks under pressure

We don’t talk about this enough. But when 03:17 hits, and we are worried we will receive those alerts,  these are the only things that matter.

What False Confidence Looks Like

Here are the most common signs that your organisation is being lulled into a false sense of security:

• Your metrics focus more on tools than outcomes.

• You haven’t run a full recovery drill in over a year.

• Incident response is viewed as an IT problem, not a business one.

• You think you’re not a target because you’re not “big enough.”

• Your last risk assessment didn’t include third-party dependencies.

Discipline in security means asking the hard questions, even when the answers might be uncomfortable. Being discreet doesn’t mean being unaware. And being measured isn’t being passive.

What To Do Tomorrow Morning

Here’s what I want you to do when you get into the office:

• Ask your team when the last full restore test was run.

• Review your backup coverage. Is it just critical systems, or all business-enabling services?

• Pull out your incident response plan. Who owns the decision-making?

• Check your privileged access reviews. Are they being done? Properly?

• Walk through your supply chain exposure. Not just who has access, but how that access is secured.

You don’t need to solve everything tomorrow. But you do need to start. If your strategy doesn’t include operational reality checks, it isn’t a strategy. It’s a wishlist.

Stay Ready

We can’t predict every breach. But we can prepare. We can ask the unsexy questions. We can rehearse. We can keep our backups boring, our controls sharp, and our teams calm under pressure.

03:17 AM is coming. Maybe not tonight. But it’s coming.

Will you be ready?

Until next time,

Jonathan

This piece originally appeared on LinkedIn: 0317 AM – When Everything Goes Wrong.
A newsletter, the first of a 4-part series. Stay tuned.

---