GUEST ARTICLE
Cybersecurity starts with you – not IT
A wake-up call: one click is all it takes
You might think cyberattacks only happen to tech giants, banks, or governments. But I’ve seen it happen time and again—small and medium-sized businesses are hit the hardest. Why? Because they believe they’re not interesting enough to be targeted. And that’s exactly what makes them vulnerable.
In my book “Hacked, Now What?”, I set out to change that mindset. The book isn’t a technical manual filled with jargon—it’s a human guide for business leaders, entrepreneurs, and professionals who want to take back control. Cyber resilience doesn’t begin with firewalls; it begins with awareness, responsibility, and culture.
It’s not just an IT problem
Let’s clear something up right away: cybersecurity isn’t a task for the IT department alone. It’s not just about software or servers. The most dangerous threats aren’t technical—they’re human. Curiosity, fear, urgency, trust. These emotions are the doors hackers walk through.
It’s time we stop saying “talk to IT about it”. Cybersecurity is a business issue, a leadership issue, and a human issue. The moment we accept that, we can build a culture that actively protects our business, instead of leaving it up to a few people in a server room.
Phishing isn’t dead—it’s getting smarter
We’ve all seen the old-school scam emails from “Nigerian princes”, and many of us laugh them off. But phishing has evolved. Today’s emails are well-written, personalized, and dangerously convincing. Sometimes they don’t even arrive by email—they come through text messages (smishing), phone calls (vishing), or deepfake video calls that imitate your colleagues.
One wrong click can cost millions. That’s why we must stop thinking of cybersecurity as just a technical defense. It’s a training issue. A leadership issue. And, above all, a people issue.
The USB stick that brought down a hospital
Here’s a story: a USB stick, left in a hospital parking lot. Someone picks it up, plugs it into a work computer and opens what’s on it, just to see. Malware starts running on a machine inside the network and spreads from there. That’s baiting in action, and it happens far more often than you think.
Humans are curious by nature, and attackers know this. They label USBs with things like “salary details” or “party photos.” We can’t assume our people will always resist that temptation—we need to train, simulate, and create an open culture where reporting is encouraged and mistakes are learning moments, not punishable offenses.
Your greatest risk may already be inside
Insider threats are among the most overlooked dangers in any organization. Whether it’s malicious intent or just someone who doesn’t follow security protocols, insiders can do immense damage. I’ve seen cases where financial teams unintentionally shared sensitive files or where a frustrated employee quietly siphoned off data.
We can’t prevent every insider incident, but we can create an environment where vigilance is the norm. That means having clear policies, regular communication, and a culture where employees know that security is part of everyone’s job description—not just the IT team’s.
AI is both friend and foe
Artificial Intelligence is transforming everything—including cybercrime. Today, attackers use AI to create flawless phishing messages, scan for vulnerabilities, and impersonate voices in real time. But AI can also help us: anomaly detection, behavioral monitoring, and automated response systems can provide real-time defense.
The challenge is to understand AI’s potential and its risks. It’s no longer enough to “hope” our systems are secure. We need to invest wisely, not just in tech, but in understanding the changing threat landscape. That means asking questions, staying curious, and preparing people as well as machines.
Hackers don’t break in – they walk in
Cyberattacks often follow a predictable pattern: reconnaissance, intrusion, escalation, and data exfiltration. That is a condensed version of the Cyber Kill Chain, the model Lockheed Martin published to describe an intrusion as a sequence of stages, from reconnaissance through delivery and exploitation to the attacker’s final objective. It’s a chilling but eye-opening model, and its lesson is that every stage is a chance to break the chain. The most dangerous part? In many cases, we could have stopped an attack early if someone had noticed something odd and spoken up.
That’s why I always say: information security is a team sport. If employees feel safe flagging strange emails or reporting odd behavior, we stop attacks in their tracks. But that only happens in organizations where psychological safety and shared responsibility are deeply embedded.
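What “behavioral monitoring” from the AI section looks like in practice, and what “noticing something odd” early in the chain can mean, as an added example that is not from the book or the original article: a per-user login baseline built from a few days of history, with each new login scored by how far it departs from that baseline. The users, devices and timestamps are constructed; the weights, the threshold and the two-hour tolerance are arbitrary assumptions, not a standard. It is a plain statistical baseline rather than a trained model, which is the simplest form of the anomaly detection the article mentions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    country: str   # country of the source IP, e.g. "NL"
    device: str    # device identifier reported by the endpoint agent (assumed field)


def build_baseline(history):
    """Per-user profile of what 'normal' looked like: countries, devices and login hours seen."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in history:
        b = baseline[e.user]
        b["countries"].add(e.country)
        b["devices"].add(e.device)
        b["hours"].add(e.ts.hour)
    return dict(baseline)


def _hour_distance(h1, h2):
    # Distance on a 24-hour clock, so 23:00 and 01:00 are 2 hours apart, not 22.
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def score_login(baseline, e, hour_tolerance=2):
    """Return (score, reasons); a higher score means the login is further from the user's baseline.
    Weights are arbitrary: a new country counts double, a new device or odd hour counts once."""
    b = baseline.get(e.user)
    if b is None:
        return 3, ["no login history for this user"]
    score, reasons = 0, []
    if e.country not in b["countries"]:
        score += 2
        reasons.append(f"never seen from country {e.country}")
    if e.device not in b["devices"]:
        score += 1
        reasons.append(f"unknown device {e.device}")
    if all(_hour_distance(e.ts.hour, h) > hour_tolerance for h in b["hours"]):
        score += 1
        reasons.append(f"outside usual hours ({e.ts.hour:02d}:00)")
    return score, reasons


def detect_anomalies(history, events, threshold=2):
    """Return (event, score, reasons) for every event whose score reaches the threshold."""
    baseline = build_baseline(history)
    flagged = []
    for e in events:
        score, reasons = score_login(baseline, e)
        if score >= threshold:
            flagged.append((e, score, reasons))
    return flagged


# Constructed sample data: hypothetical users and devices, not real logs.
HISTORY = [
    Login("alice", datetime(2024, 5, 6, 9, 2), "NL", "laptop-a1"),
    Login("alice", datetime(2024, 5, 6, 13, 30), "NL", "laptop-a1"),
    Login("alice", datetime(2024, 5, 7, 17, 15), "NL", "laptop-a1"),
    Login("bob", datetime(2024, 5, 6, 8, 45), "NL", "laptop-b1"),
    Login("bob", datetime(2024, 5, 7, 12, 10), "DE", "laptop-b1"),
    Login("bob", datetime(2024, 5, 8, 18, 5), "NL", "laptop-b1"),
]

NEW_EVENTS = [
    Login("alice", datetime(2024, 5, 9, 10, 0), "NL", "laptop-a1"),      # routine
    Login("alice", datetime(2024, 5, 10, 3, 12), "BR", "win-unknown"),   # new country, new device, 03:00
    Login("bob", datetime(2024, 5, 9, 9, 0), "DE", "laptop-b1"),         # DE is already in bob's baseline
    Login("bob", datetime(2024, 5, 9, 22, 40), "NL", "laptop-b1"),       # late, but familiar country and device
    Login("carol", datetime(2024, 5, 9, 11, 0), "NL", "laptop-c1"),      # no history at all
]

if __name__ == "__main__":
    for e, score, reasons in detect_anomalies(HISTORY, NEW_EVENTS):
        print(f"{e.user} at {e.ts:%Y-%m-%d %H:%M} score={score}: {', '.join(reasons)}")
```

Run as-is, it raises two events: alice’s 03:00 login from a new country on an unknown device, and carol, for whom there is no history to compare against. Bob’s late login from a familiar country and device scores 1 and is not raised, which is deliberate: a single odd signal is a question to ask the employee, several at once are an alert. What the code cannot do is pick up the phone; the flagged login still needs a person who feels safe asking “was that you?”.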
The Human Firewall: why culture is the real defense
In all my years working in information security, one truth has become clear: you can’t patch human behavior with software. Real resilience comes from culture. A company where people are aware, empowered, and proactive will always outperform one that throws money at tools without building understanding.
That’s why creating a strong security culture must be a strategic priority. Start by involving leadership, communicating clearly, and making awareness part of your onboarding, training, and daily habits. Don’t just send out a PowerPoint once a year—make security part of the conversation.
The new skills every leader needs
As a leader, you don’t need to become a cybersecurity expert—but you do need to ask the right questions:
- Where are we most vulnerable?
- Are we training employees effectively?
- What’s our response plan if something happens?
- How quickly can we detect and contain a threat?
- Are we building a culture that encourages vigilance?
Leadership in the digital age means being able to navigate uncertainty with confidence. That starts with knowing enough to lead—not just delegate—your company’s security efforts.
Let’s talk about what’s coming
Cybersecurity is changing fast. We’re seeing trends that will impact every business: the rise of phishing-as-a-service, AI-generated deepfakes, politically motivated attacks, and vulnerabilities in remote collaboration tools. But with these risks come opportunities: to educate, to lead, to future-proof our organizations.
The biggest mistake is to think this isn’t your problem. The truth? Cybersecurity is your business. It’s your reputation. Your operations. Your clients. Your people.
Final thoughts: cyber fitness is a mindset
What I want readers to understand—what I want you to understand—is that building cyber resilience is like building physical fitness. It’s not something you achieve and forget. It’s something you train for, improve upon, and maintain over time. Even small steps, taken consistently, can make a huge difference for an organisation.
And like fitness, it doesn’t start with the perfect gear—it starts with mindset.
So, ask yourself today: Am I strengthening my team’s cyber muscles? Am I investing in the right knowledge and behaviors? Am I fostering a culture of awareness?
If the answer is “not yet”, then this is your invitation to begin. Not from fear, but from empowerment. You can protect your business. You can be ready for what’s next.