CYBERPLANZ
“Plans are of little importance, but planning is essential.”
― Winston Churchill

23 February Blog

2/23/2026


AI in Cybersecurity Is Timely — But People Still Decide Its Success

There is no doubt that now is an excellent time to consider upgrading your cybersecurity capabilities to include AI. Threat actors are already using AI to scale attacks, automate reconnaissance, and personalise social engineering at pace. Organisations that fail to evolve risk being outmatched.
However, while AI can significantly enhance detection, response, and efficiency, technology alone does not deliver resilience. The real question leaders should be asking is not “What can this AI solution do?” but “How will this solution work with our people?”
Before investing in any new AI-enabled cybersecurity solution, there are human-centric metrics that are just as critical as technical capability.


1. Usability Under Pressure
Metric: Can staff use it correctly when it matters most?
Cyber incidents rarely occur in calm conditions. If a solution is complex, noisy, or confusing, people will bypass it or misuse it—often unintentionally increasing risk.
Ask:
  • Can non-technical staff understand alerts and actions?
  • Does it reduce decision fatigue, or add to it?
  • Is the interface intuitive during high-stress incidents?
A solution that works in theory but fails in practice offers little real protection.


2. Behavioural Impact
Metric: Does it positively influence staff behaviour?
The best security tools quietly reinforce good habits rather than relying on constant policing.
Consider:
  • Does it encourage safer decision-making?
  • Does it reduce risky workarounds?
  • Does it support, rather than undermine, productivity?
If people see the tool as an obstacle, they will find ways around it—AI or not.


3. Trust and Transparency
Metric: Do people trust the AI’s decisions?
Black-box AI creates scepticism. If staff don’t understand why something is flagged, they are less likely to act on it.
Look for:
  • Clear explanations of AI-driven decisions
  • Confidence scoring or rationale, not just alerts
  • The ability for humans to challenge or override decisions when appropriate
Trust is essential if you expect people to act decisively.


4. Cognitive Load Reduction
Metric: Does it make work easier, not harder?
AI should remove noise, not create more of it.
Evaluate:
  • Does it reduce alert fatigue?
  • Does it prioritise what truly matters?
  • Does it help staff focus on judgement, not data sorting?
Human attention is a finite resource—protecting it is a security control in itself.


5. Cultural Alignment
Metric: Does it align with your organisation’s culture?
Security tools send signals. They communicate whether the organisation values:
  • Control or empowerment
  • Blame or learning
  • Surveillance or support
AI solutions that feel intrusive or punitive can damage trust and culture, which ultimately weakens security posture.


6. Training and Enablement Requirements
Metric: How much effort is required to make people effective?
An AI solution that requires extensive retraining, constant tuning, or specialist knowledge may struggle to scale.
Key considerations:
  • Time required for onboarding
  • Ongoing learning demands
  • Dependency on a small number of experts
Sustainable security works with the realities of time-poor teams.


7. Psychological Safety During Incidents
Metric: Does it support people when things go wrong?
When incidents occur, people need clarity and confidence—not fear.
Ask:
  • Does the solution guide response, or just raise alarms?
  • Does it help teams learn after incidents?
  • Does it reinforce accountability without blame?
Resilience is built through learning, not punishment.


AI Is a Force Multiplier — For Better or Worse
AI can dramatically strengthen cybersecurity, but it amplifies whatever environment it is deployed into. In organisations where people feel supported, informed, and trusted, AI becomes a powerful ally. In environments where tools ignore human realities, AI can simply accelerate failure.
The most effective cybersecurity investments are those that recognise a simple truth:
Cybersecurity is ultimately a human system, supported by technology—not the other way around.
As you assess AI-enabled solutions, measure success not just in detection rates and dashboards, but in how well your people can engage with, trust, and sustain them over time.

16 February Blog

2/16/2026


The AI You Don’t See Is the One That Should Worry You Most

Many organisations confidently state that they understand how artificial intelligence is being used within their business. There may be approved tools, documented use cases, and even internal policies guiding responsible adoption.
Yet time and again, when organisations take a closer look, they are surprised — sometimes alarmed — by just how much uncontrolled or unsanctioned AI use is already happening under the surface.
This isn’t usually malicious. It’s human.
The Rise of “Shadow AI”
Just as shadow IT emerged when technology outpaced governance, we are now firmly in the era of shadow AI.
Employees are:
  • Using public AI tools to draft emails, reports, or presentations
  • Uploading sensitive data to get “quick insights”
  • Relying on AI for decision support outside approved processes
  • Experimenting with free or personal subscriptions unknown to IT or security
Often, this happens with the best of intentions — to save time, improve quality, or simply keep up with workload pressures.
But intention does not reduce risk.
Why Leadership Often Underestimates AI Usage
There are several reasons organisations misjudge the true extent of AI use:
1. AI is easy to access
No procurement process. No deployment. Just a browser and an idea.
2. Staff don’t see it as “technology risk”
Many view AI as a productivity tool, not something that falls under cybersecurity, privacy, or governance.
3. Policies lag behind behaviour
Even where AI policies exist, they’re often high-level, unclear, or poorly communicated.
4. AI adoption is happening faster than oversight
The speed of AI innovation has outpaced traditional risk and control frameworks.
The result? A growing gap between what leadership thinks is happening and what actually is.
The Hidden Risks of Uncontrolled AI Use
Unmanaged AI adoption can quietly introduce significant risk, including:
  • Data leakage — confidential or regulated information shared externally
  • IP loss — proprietary knowledge used to train third-party models
  • Compliance breaches — privacy, financial, or industry obligations overlooked
  • Inaccurate outputs — decisions influenced by hallucinated or biased responses
  • Reputational damage — misuse becoming public before governance catches up
What makes this especially challenging is that these risks are often invisible — until something goes wrong.
This Is a Governance and Culture Issue, Not Just a Technical One
Trying to “block AI” rarely works. Employees will find ways around restrictions if the business value is clear.
A more effective approach starts with recognising that:
  • AI use is already embedded in daily work
  • People want to do the right thing but need clarity
  • Trust, education, and enablement matter as much as controls
Organisations that succeed don’t just ask “What tools are being used?”
They ask:
  • Why are people turning to AI?
  • What problems are they trying to solve?
  • How do we enable safe, approved, and transparent use?
Gaining Visibility Without Killing Innovation
Practical steps organisations can take include:
  • Conducting AI usage discovery and risk reviews
  • Updating policies to be practical, human-readable, and role-specific
  • Training staff on safe AI use, not just prohibitions
  • Clearly defining approved tools and data boundaries
  • Embedding AI considerations into existing cyber and risk governance
Most importantly, organisations need to signal that they care — not just about compliance, but about helping staff use powerful tools safely and confidently.
Final Thought
The biggest AI risk for most organisations isn’t the technology they’ve approved.
It’s the AI they don’t know about — quietly shaping decisions, handling data, and influencing outcomes every day.
Visibility, governance, and a human-centric approach are no longer optional. They are essential to building trust, resilience, and long-term value in an AI-enabled workplace.
This Blog was written using AI!

9 February Blog

2/9/2026


Valentine’s Day: When Romance Meets Risk in the Digital World

Valentine’s Day is traditionally a time to celebrate connection, trust, and relationships. But in the digital age, this season of romance also marks a spike in one of the most emotionally damaging forms of cybercrime: romance-based phishing and scam attacks.
While organisations often focus on technical controls, romance scams remind us of a simple truth — cybersecurity is not just a technology problem, it’s a human one.
Why Valentine’s Day Is Prime Time for Romance Scams
Scammers are masters of timing and psychology. Around Valentine’s Day, they deliberately exploit:
  • Heightened emotions and loneliness
  • Increased use of dating apps and social platforms
  • A natural desire to trust, connect, and be seen
  • Social pressure and embarrassment that discourages reporting
Unlike traditional phishing emails that rely on urgency or fear, romance scams play a longer game. They build rapport, establish emotional dependency, and gradually introduce requests that seem reasonable — until it’s too late.
This is why romance scams are consistently among the most financially and emotionally costly cyber crimes, often going undetected for months.
Not Just a “Personal” Problem
It’s tempting for organisations to dismiss romance scams as something that happens “outside of work”. In reality, the impact frequently crosses into the workplace:
  • Compromised personal email accounts can lead to corporate credential exposure
  • Financial stress affects employee wellbeing, productivity, and decision-making
  • Stolen identities are later used in broader phishing or supply-chain attacks
  • Employees may be targeted using information harvested from LinkedIn or corporate websites
When one person is affected, the ripple effect often extends far beyond the individual.
The Human-Centric Cybersecurity Lens
Romance scams succeed not because people are careless, but because they are human.
A human-centric cybersecurity approach acknowledges this and focuses on:
  • Awareness without shame – People are far more likely to report concerns when they don’t fear judgement
  • Education grounded in real scenarios – Generic phishing examples don’t prepare people for emotionally manipulative attacks
  • Clear reporting pathways – If something feels “off”, staff should know exactly who to contact and what to do
  • Leadership signalling – When leaders openly acknowledge these risks, it normalises vigilance
Valentine’s Day presents a natural, non-alarmist moment to have these conversations.
Red Flags Worth Repeating This Valentine’s Season
As part of seasonal awareness, it’s worth reminding teams and communities to pause if someone online:
  • Pushes for secrecy or moves conversations off platforms quickly
  • Avoids video calls or in-person meetings
  • Claims sudden financial hardship or investment opportunities
  • Expresses intense emotions very early in the relationship
  • Requests gift cards, cryptocurrency, or “temporary” financial help
These signals don’t mean someone has done anything wrong — they mean it’s time to slow down and seek advice.
Turning Awareness into Resilience
Raising awareness during Valentine’s Day shouldn’t be about fear. It should be about care.
Care for employees.
Care for colleagues.
Care for families and wider communities.
By reinforcing that cybersecurity exists to protect people — not to police them — organisations can strengthen trust, resilience, and early reporting behaviours.
Because in the end, the most effective defence against romance scams isn’t a firewall or an algorithm.
It’s an informed, supported, and empowered human.

2 February Blog

2/2/2026


How Small Businesses Can Build Cyber Resilience Without Breaking the Bank or Burning Out

The past several years have tested small business owners like never before. From global supply challenges and inflationary pressure to rising interest rates, owners of micro and small enterprises — especially those with fewer than 10 staff — have been pushed to their limits financially and operationally.
Yet while the economic hurdles have been front of mind, one persistent and growing risk remains under-resourced and under-prioritised: cybersecurity.
Small businesses are now prime targets for cyberattackers, not because they have the most valuable data, but because they are easier to breach — with minimal defences, limited budgets, and stretched leadership. But the good news? You don’t need a large security budget or a chief information security officer to significantly improve your cyber resilience.
Here’s a step-by-step roadmap that small, cash-strapped, and time-poor businesses can follow right now.
 
1. Change the Frame: Think of Cyber Like Insurance
Most small businesses already insure against fire, theft, or liability. Cybersecurity should be treated in the same way — not as a luxury but as a risk management cost of doing business.
Why this matters:
When owners shift from “we can’t afford it” to “we can’t afford not to”, decision-making becomes easier, investment becomes smoother, and staff take the risks seriously.
 
2. Start With What You Already Have
You don’t need to buy fancy tools to begin improving cyber resilience — you can start with existing systems and habits.
a) Secure Your Email
• Enable multi-factor authentication (MFA) for every user.
• Use strong passwords or a password manager.
MFA alone blocks a huge percentage of account breaches.
b) Update Software Automatically
Ensure operating systems, browsers, and apps are set to update automatically.
Outdated software = known vulnerabilities = cheap targets.
c) Standardise Device Protection
Install reputable antivirus/anti-malware on laptops and phones. Many reliable options exist that are free or low-cost.
 
3. Make Staff a Strength, Not a Risk
In small teams, every employee has influence over outcomes. The good news is training doesn’t need to be long or complicated.
Quick Wins
✔ 15-minute monthly micro-training
✔ One simple test phishing email per quarter
✔ Clear rules on password hygiene and device use
Small habit changes — not long courses — are enough to dramatically reduce risk.
 
4. Focus on the Essentials — Not Everything Under the Sun
A common mistake is trying to do everything at once with cyber work. Instead, stick to three priority protections:
Priority 1 — Identities & Access
Strong passwords + MFA.
Priority 2 — Data Backup
Automate backups to the cloud and test restore occasionally.
(If ransomware strikes, this alone can save your business.)
Priority 3 — Basic Network Security
Make sure Wi-Fi is encrypted (WPA2/WPA3) and guest access is separate.
These three steps don’t require specialist skills, high spending, or constant attention.
 
5. Outsource Intelligently — When You Need Help
If time is your scarcest resource, consider pay-as-you-go external support:
• Hourly cyber consulting sessions
• Managed backup providers
• Affordable tech support services
You don’t need a full-time IT/security person — just someone to help with set-up and occasional check-ups.
 
6. Prepare for Incidents Before They Happen
You can’t eliminate all risk — but you can plan for it.
Ask yourself and your team:
• Who do we call if our email is hacked?
• How quickly can we restore our systems from backups?
• Who has access to critical systems, and is that up to date?
A simple one-page incident playbook is worth its weight in gold during a crisis.
 
7. Build Cyber Into Routine Business Conversations
Cyber resilience shouldn’t be an annual checkbox — it should be part of regular discussions:
✔ Monthly team meetings
✔ Owner/manager check-ins
✔ Budget planning
This keeps risk visible without overwhelming already busy owners.
 
8. Take Advantage of Free or Low-Cost Resources
Governments, industry bodies, and cybersecurity non-profits offer free guides, checklists, and workshops. Seek them out.
(If you’re in New Zealand, for example, free cyber guidance is available from the NCSC (www.ncsc.govt.nz). In other countries, there are similar programs.)
 
Final Thought: Resilience Is a Journey, Not a Destination
Small businesses don’t need to be perfectly secure — they just need to be ahead of the attackers’ easiest wins. By implementing a few high-impact, low-cost steps consistently, even the most resource-strained business can dramatically reduce risk.
At a time when people, reputation, and livelihood are at stake, prioritising cyber resilience isn’t optional — it’s essential.

    Author

    Patrick – Founder of Cyberplanz | Business Strategist | Cyber Governance Advocate

    Patrick combines deep business experience, including an MBA, with up-to-date cybersecurity expertise, including certification as a PECB ISO/IEC 27001 Lead Implementer. He helps businesses grow while staying secure—bridging the gap between cybersecurity and real-world operations with clear, human-centric solutions. Passionate about culture, clarity, and resilience, Patrick champions the belief that cybersecurity is everyone’s business—not just IT’s.


Human-Centric Cyber Governance & AI Security for NZ Organisations

A Corna Consulting Company