The biggest real world cybersecurity risks

Posted on December 27th 2024

Let's have a list of the real problems of cybersecurity in the current climate. Because it's probably not what everyone is talking about.

Supply chains

You think you buy something from this business. But they use several other suppliers. And the code of their software is built from components pulled from public repositories. Do you have a full understanding of how that complex web of dependencies affects your data and your security? I thought not.

Paper security

Congratulations. Your supplier shows you an ISO 27001 or an ISO 27018 certificate. Does that mean much? No. It just means they have a process in place. Do you know how to make sure that they actually follow it fully, instead of just on paper? Do they? I've seen many an Information Security Officer who only knows how to tick the boxes in a compliance document, yet has no real understanding of how the technology works and how it affects what is written in those documents. And the fact that a compliance officer understands a procedure does not mean the sales guy or the programmer understands it as well.

No air-gap

If you have really important information, you need to think hard. It probably should not live on someone else's computer, but in your own systems, on premise. Also, it should probably not be networked at all. The more communication there is, the higher the chances of the information leaking, or of someone getting interested in hacking the system. Instead of investing in SIEMs or other wildly expensive 'solutions', why not make sure the system is simply not connected at all?

Public cloud

There is no real reason your data needs to be in a public cloud managed by a hyperscaler. There's a good chance you will never need, or never be able to afford, that scalability. You also don't need 90% of the tools offered there. Consider the source when someone claims you cannot run something on premise. Make your calculations, and get a heart attack when you compare the costs. The hyperscaler does not comply with EU privacy laws. Yes, they say their servers are in the EU. No, that does not matter to the GDPR. The company is a US entity. That's all that matters.

Bad user management

Sure, you have all your cool roles locked down in your software. But do those people still work at your company? Is the process for deleting their accounts working correctly? And what are those roles exactly? Does everyone really still need access to all those things? If someone's job changes, do their roles in the system change as well?

This is of course only a short list of all the things that can go wrong. But these are the most common, and they are quickly combatted by applying common sense.