CYBERPLANZ
“Plans are of little importance, but planning is essential.”
― Winston Churchill

28 April Blog

4/28/2026


 

Higher fuel prices are quietly reshaping how organisations think about work—again.

What began as a pandemic-driven necessity is now re-emerging as an economic decision: if commuting becomes too expensive, working from home (WFH) starts to look like a practical lever for both employers and employees.
But there’s a problem. Many organisations are revisiting remote work strategies without revisiting the cybersecurity foundations that support them.
The Economic Push Back to Remote Work
Rising fuel costs don’t just hit individuals—they ripple across businesses. Employees feel the strain first, and organisations quickly face pressure to respond:
  • Retention risks increase as commuting becomes a financial burden
  • Productivity can dip when employees are stressed or fatigued by long, costly commutes
  • Talent pools shrink if roles require physical presence
Offering more flexible or remote work options is a logical response. It reduces overhead for employees and signals that the organisation is responsive and pragmatic.
However, this shift is happening faster than many organisations’ ability to reassess the risks that come with it.
The Cybersecurity Time Capsule
During COVID-19, organisations rapidly deployed remote access solutions—VPNs, cloud collaboration tools, endpoint security, and identity systems. These were often implemented under extreme time pressure, with one overriding goal: keep the business running.
Now, years later, many of those same solutions are still in place—largely unchanged.
That’s where the risk lies.
What worked as an emergency response is now being treated as a long-term strategy. But the threat landscape has evolved significantly:
  • Attackers have refined phishing and social engineering tactics targeting remote workers
  • Home networks remain largely unsecured and unmanaged
  • Shadow IT has expanded as employees adopt tools that make remote work easier
  • Identity-based attacks have become the dominant breach vector
In short, organisations are relying on “COVID-era cybersecurity” to support a fundamentally different, more permanent remote work model.
The Human Factor: The Overlooked Variable
One of the biggest gaps isn’t technological—it’s human.
During the pandemic, employees were more alert. There was a shared sense of crisis, and cybersecurity messaging cut through. Today, that urgency has faded, but the risks have not.
In fact, fatigue, distraction, and complacency can increase vulnerability:
  • Employees working from home may blur boundaries between personal and professional device use
  • Informal work environments can lead to relaxed security behaviours
  • Increased reliance on digital communication creates more opportunities for deception
If organisations expand WFH without addressing human behaviour, they are effectively widening their attack surface.
Why This Matters to Leadership
For senior leaders, this isn’t just an IT issue—it’s a governance and resilience issue.
Remote work decisions are often made in HR, operations, or executive teams. Cybersecurity, meanwhile, is still too often treated as a technical afterthought.
That disconnect creates risk.
If fuel prices are driving a structural shift back toward remote work, then cybersecurity needs to be part of that conversation at the same level as cost, productivity, and culture.
Moving Beyond the “Set and Forget” Model
Organisations don’t need to abandon their existing cybersecurity investments—but they do need to reassess them.
A few critical questions to consider:
  • Are our remote access controls still fit for purpose?
    Or are they simply what we implemented in 2020?
  • Do our employees understand their role in cybersecurity today?
    Not during COVID—but now, in a hybrid, evolving environment.
  • Are we measuring human risk, or just technical compliance?
  • Have we adapted our policies to reflect how people actually work?
This is where a human-centric approach becomes critical. Technology alone won’t solve the problem—especially when the environment it supports has changed.
An Opportunity, Not Just a Risk
There’s a tendency to frame this as a looming problem, but it’s also an opportunity.
Organisations that proactively align their remote work strategies with modern, human-centric cybersecurity will gain:
  • Greater employee trust and engagement
  • Stronger resilience against evolving threats
  • A competitive advantage in attracting flexible, security-conscious talent
Rising fuel prices may be the trigger—but the response can be far more strategic.
Final Thought
We’re seeing history repeat itself—but under very different conditions.
Remote work is no longer an emergency measure. It’s becoming a permanent feature of how organisations operate. Treating cybersecurity as if it’s still 2020 is a risk few can afford.
The question for leadership isn’t whether to support more flexible work—it’s whether the organisation is truly prepared to do so securely.

20 April Blog

4/20/2026


 

You Tested Your Cyber Resilience… Now Who Verified It?

Last week, we asked a simple but confronting question:
When last did you test your cyber resilience?
Many organisations reflected. Some ran tabletop exercises. Others reviewed their backups, incident response plans, or security tools.
That’s a solid start.
But here’s the uncomfortable truth:
Testing yourself is not the same as being tested.
And in cybersecurity—especially in today’s AI-driven threat landscape—that distinction matters more than ever.
 
The Blind Spot Most Leaders Miss
Most cyber reviews are conducted internally or by existing providers. On paper, that sounds logical.
In reality, it creates risk.
Why?
Because internal teams and incumbent providers are often:
  • Too close to the environment
  • Influenced by existing assumptions
  • Focused on technology rather than behaviour
  • Unintentionally biased toward “everything is fine”
And critically…
They rarely challenge the human layer hard enough.
 
Cybersecurity Is No Longer Just a Technology Problem
Firewalls, endpoint protection, and AI-driven tools all have their place.
But breaches still happen because:
  • Someone clicked
  • Someone trusted
  • Someone misunderstood
  • Someone was overloaded, distracted, or under-trained
In other words:
Cybersecurity succeeds or fails at the human level.
Yet most audits still focus heavily on:
  • Systems
  • Configurations
  • Compliance checklists
…while underweighting:
  • Staff behaviour
  • Decision-making under pressure
  • Cultural attitudes toward security
  • Leadership engagement
 
Why Independent, Human-Centric Audits Matter
An independent audit brings something different:
1. Objectivity
No internal politics. No attachment to existing tools or decisions. Just a clear view of reality.
2. Behavioural Insight
A human-centric audit doesn’t just ask “Is the system secure?”
It asks:
“Will your people act securely when it matters most?”
3. Cultural Diagnosis
It uncovers:
  • Whether staff feel safe reporting mistakes
  • Whether security is seen as a blocker or an enabler
  • Whether leadership behaviours reinforce or undermine good practice
4. Real-World Readiness
It tests how your organisation actually responds—not how policies say it should respond.
 
The Question Every Board Should Be Asking
Not:
“Are we compliant?”
or
“Do we have the right tools?”
But:
“If something goes wrong tomorrow, how will our people respond—really?”
Because resilience is not built in documents.
It’s built in behaviours.
 
A Practical Next Step
If you’ve recently tested your cyber resilience, the next step is simple:
Validate it independently.
Look for an audit approach that:
  • Prioritises human behaviour as much as technology
  • Engages staff, not just systems
  • Assesses culture, not just controls
  • Provides practical, actionable insights—not just a report
 
Final Thought
Cybersecurity is evolving rapidly, especially with the rise of AI-driven threats.
But one thing hasn’t changed:
Your people remain both your greatest vulnerability—and your strongest defence.
The organisations that recognise this, measure it, and improve it
will be the ones that don’t just test resilience…
They prove it.
​

13 April Blog

4/13/2026


 

When Last Did You Test Your Cyber Resilience?

Most organisations believe they are “secure enough.”
They’ve invested in tools.
They’ve implemented policies.
They may even have a provider.
But here’s the uncomfortable question:
When last did you actually test your cyber resilience?
Because there is a fundamental difference between having controls… and knowing they work when it matters.
 
The Illusion of Preparedness
Cybersecurity often becomes a checklist exercise:
  • Firewalls? ✔️
  • Endpoint protection? ✔️
  • Policies and procedures? ✔️
On paper, everything looks solid.
But cyber incidents don’t happen on paper.
They happen:
  • At 4:47pm on a Friday
  • When your key IT person is on leave
  • When a stressed employee clicks the wrong link
  • When systems behave in ways no policy ever anticipated
Resilience isn’t proven in documentation.
It’s proven under pressure.
 
Testing Reveals the Truth
If you haven’t tested your environment recently, there are critical questions you likely can’t answer with confidence:
  • How quickly can your team detect a breach?
  • Who makes the call to shut systems down?
  • Do your staff know what “suspicious” actually looks like?
  • Can your business continue operating if systems go offline?
  • How effectively do your people respond—not just your technology?
A tabletop exercise or simulated attack often reveals something confronting:
The biggest gaps are rarely technical—they’re human.
 
The Human Factor: Your Strongest (or Weakest) Link
Even with advanced tools, your people remain the front line.
  • Do they feel confident to report incidents quickly?
  • Do they understand their role in a cyber event?
  • Have they ever practised that role?
In many organisations, the answer is no.
And in a real incident, hesitation, confusion, and poor communication can cause more damage than the attack itself.
 
Resilience Is a Muscle—Not a Document
You wouldn’t expect a team to perform in a crisis without training.
Cyber resilience is no different.
It requires:
  • Regular testing
  • Realistic scenarios
  • Cross-functional involvement (IT, HR, leadership)
  • Honest reflection on gaps
This is how organisations move from theoretical security to operational resilience.
 
A Simple Challenge for Leaders
Ask yourself—and your team—today:
  • When last did we test our cyber response end-to-end?
  • When last did leadership actively participate in a simulation?
  • When last did we review how our people—not just our tools—would perform?
If the answer is “we haven’t” or “not recently,” you’ve identified your biggest risk.
 
Finally
Cyber threats are no longer a question of if, but when.
And when that moment comes, your success won’t depend on what you bought…
It will depend on what you’ve practised.

9th April Blog

4/9/2026


 

Cybersecurity on a Budget: The Minimum Every Business Must Do in the Age of AI

The cyber threat landscape has changed — permanently.
You don’t need a big budget to be a target anymore.
You just need:
  • An email account
  • Customer data
  • Or staff using AI tools
Today, even the smallest business is exposed to automated, AI-powered attacks, data leaks, and human error at scale.
And here’s the uncomfortable truth:
Most organisations still aren’t ready.
Recent global research shows that only a small minority of organisations feel fully capable of defending themselves against cyber threats, despite rising investment and awareness (PwC).
So the question isn’t: “Can we afford cybersecurity?”
It’s: “What’s the minimum we must do to survive?”
 
The New Risk Reality (Why This Matters More Than Ever)
Cyber risk is no longer just about hackers breaking in.
It’s about:
  • AI-powered attacks that are faster and harder to detect (ISACA)
  • Data leaks through everyday tools like generative AI platforms (Cyber Security Australia)
  • Human error, still the #1 vulnerability in most businesses (IT Pro)
  • Shadow AI — staff using tools without oversight
AI is accelerating both defence and attack. It’s lowering the barrier for cybercriminals while increasing the risk of accidental exposure inside your business (World Economic Forum).
 
The Minimum Cybersecurity Baseline (For Cash-Strapped Businesses)
If budget is tight, forget perfection. Focus on coverage, not complexity.
Here are the non-negotiables:
 
1. Lock Down Identity (Your Biggest Risk Surface)
Most attacks don’t “hack systems” — they log in.
Minimum actions:
  • Enable Multi-Factor Authentication (MFA) on email, banking, and key systems
  • Use a password manager (no shared or reused passwords)
  • Remove old users and unused accounts
👉 If you do only one thing — do this.
 
2. Protect Your Email (Your Front Door)
Email is still the #1 attack vector.
Minimum actions:
  • Turn on spam/phishing filtering
  • Train staff to spot suspicious emails
  • Implement a simple “pause and verify” culture
Because one click is all it takes.
 
3. Backups That Actually Work
Ransomware doesn’t care about your budget.
Minimum actions:
  • Automatic daily backups
  • Store copies offline or in a separate environment
  • Test recovery (most businesses don’t)
If you can’t restore, you don’t have a backup.
 
4. Basic Device & Software Hygiene
You don’t need expensive tools — just discipline.
Minimum actions:
  • Turn on automatic updates
  • Use standard antivirus / endpoint protection
  • Remove unsupported or unused software
Most breaches exploit known, unpatched vulnerabilities.
 
5. Know Your Data (Especially with AI)
If you don’t know where your data is — you can’t protect it.
Minimum actions:
  • Identify your most sensitive data (customer, financial, staff)
  • Limit who can access it
  • Never upload sensitive data into AI tools without controls
Why? Because AI tools may store, process, or even reuse that data — creating real privacy and security risks (Cyber Security Australia).
 
6. Set Simple AI Rules (This Is Now Essential)
AI is already inside your business — whether you like it or not.
Minimum actions:
  • Define what staff can and cannot input into AI tools
  • Require human verification of AI outputs
  • Approve a small set of trusted tools
AI introduces risks like:
  • Data leakage
  • Manipulated outputs (prompt injection)
  • False information (“hallucinations”) (Cyber Security Australia)
Without guardrails, your biggest risk isn’t hackers — it’s your own people using AI incorrectly.
 
7. Train Your People (Your First Line of Defence)
Technology alone won’t save you.
Minimum actions:
  • Short, regular awareness sessions (not annual tick-box training)
  • Teach:
    • Phishing awareness
    • Safe AI usage
    • Reporting suspicious activity
Because cybersecurity is no longer an IT problem: it’s a human behaviour problem.
 
8. Have a Simple “What If” Plan
Most small businesses don’t.
Minimum actions:
  • Who do we call if something goes wrong?
  • Can we still operate if systems go down?
  • How do we communicate with customers?
Yet many businesses still don’t regularly test incident response plans, leaving them exposed to downtime and losses (IT Pro).
 
What This Looks Like in Reality
This isn’t about building a “perfect” cybersecurity programme.
It’s about:
  • Reducing your biggest risks
  • Covering your most likely attack paths
  • Building resilience without breaking the bank
Done right, these basics will eliminate the majority of common attacks.
 
Final Thought: Cybersecurity Is Now a Leadership Issue
Cybersecurity used to be technical.
AI has made it strategic, cultural, and human.
You don’t need more tools.
You need:
  • Clear priorities
  • Simple controls
  • Engaged people
Because in today’s environment, the question isn’t:
“Will something happen?”
It’s: “How prepared will you be when it does?”
​

    Author

    Patrick – Founder of Cyberplanz | Business Strategist | Cyber Governance Advocate

    Patrick combines deep business experience, including an MBA, with up-to-date cybersecurity expertise, including certification as a PECB ISO/IEC 27001 Lead Implementer. He helps businesses grow while staying secure—bridging the gap between cybersecurity and real-world operations with clear, human-centric solutions. Passionate about culture, clarity, and resilience, Patrick champions the belief that cybersecurity is everyone’s business—not just IT’s.


Human-Centric Cyber Governance & AI Security for NZ Organisations

A Corna Consulting Company