There is some good news in the US data breach picture, but some bad news as well. And, looking forward, the upshot suggests that negative news is more likely than positive news to trump the data breach outlook, especially because flawed security—especially flawed security software—isn’t helping matters.

Numbers help tell the story. According to the Identity Theft Resource Center (ITRC), a nonprofit organization established to support victims of identity crime, there were 1,802 publicly-reported data breaches in 2022, down from 1,862 in 2021. This is the good news.

The bad news is that 2021 set a data breach record—naturally hard to beat quickly. And there were only 60 fewer breaches in 2022, meaning that the number of breaches was still markedly higher than the number of breaches in 2020—1,108—and in 2019—1,279.

Most important is the sticky matter of the aforementioned flaws in security software, as well as some product issues. This negatively impacts millions of customers, sometimes more, and isn’t being sufficiently addressed.

A study by the Enterprise Strategy Group found that 79 percent of organizations among nearly 400 surveyed push vulnerable software code to production at least occasionally. The biggest single reason, survey participants said, was the need to meet a critical production deadline.

Separately, according to a report by Veracode’s State of Software Security report, more than 80 percent of 85,000 applications it tested had at least one security flaw and some, many more.

One promising new development is that the federal government is finally taking this situation seriously. In a bid to force technology companies to meet minimum security standards, it’s telling technology companies, among other things, that they must build more secure software that makes technology secure by design.

The White House is also pushing the creation of so-called software bills of materials, which list the components used in applications and can shorten response times when vulnerabilities arise. One major measure under consideration would require the posting of cyber safety labels to meet minimum security standards, modeled on the federal Energy Star that certifies buildings and equipment as energy efficient.

Another arena under examination is cloud computing. The government believes that the responsibilities for security should be better shared between providers and customers. Until now, major cloud purveyors mostly operated shared responsibilities. While purveyors have been charged with ensuring that their technology is secure, users have gotten the nod for the configuration of security safeguards. The government is examining this model to provide a better security baseline.

The security challenges, particularly in software, are complicated. On the one hand, human design typically contains some flaws and problems. Some, for instance, are due to the imperfect design of fundamental Internet protocols—the set of rules governing the format of networked data. Spam, for instance, is considered difficult to fight because the protocols that handle email were never designed to stop hackers from using misleading headings.

Nonetheless, the cybersecurity industry increasingly believes that improvement is essential. Software and digital services have become more important than ever in everyday lives, enhancing the potential damage of security vulnerabilities. Too often, software is rolled out, and vulnerabilities, sometimes serious, start popping up.

Overall, the state of security is dramatically uneven across the cybersecurity software landscape. Some top vendors offer good security, but many critics say far more lack basic security investments. All add that companies need to make sure that cybersecurity is thoroughly baked into the product from the get-go. This way, risks and potential risks can be weighed and acted upon before they become problems down the line.

Among a relatively small handful of sizable technology companies with solid security credentials, Apple shines especially brightly. Its iOS is closed. It doesn’t release its source code to app developers, and the owners of iPhones and iPads can’t easily modify the code themselves on their phones, making it yet more difficult for hackers to find vulnerabilities on iOS-powered devices. Apple devices also have encryption features.

Far more typical, however, is Microsoft, which has a sizable number of security issues. Microsoft’s failure to shore up known vulnerabilities, for instance, is believed to have exacerbated the high-profile SolarWinds attack in December 2020, which impacted up to 18,000 of its customers, including federal government agencies and Fortune 500 companies. The company has also often been denounced for its Microsoft Office 365 business productivity suite. Critics say it has too many breach opportunities.

On the hardware front, meanwhile, billions of Internet of Things (IoT) devices have become notorious for their relative lack of security. They usually reside outside of the western hemisphere and typically rely on weak security. They’re almost a collection of targets for cybercriminals.

Far more of the problems are in the software arena and threaten to worsen amid the prevalence of insecure code scattered among the growing number of global digital code producers. This means that an organizational security culture—the ideas, customs, and social behaviors that influence its security—has become especially important. It will remain so until good product security programs become the norm, hopefully at some point in the future.