As winter settles in across New Zealand, many organisations are facing a perfect storm of challenges. Economic uncertainty continues to place pressure on budgets, ongoing geopolitical tensions in the Middle East are impacting global markets and operating costs, and organisations are simultaneously trying to understand both the opportunities and risks presented by Artificial Intelligence (AI).

At the same time, employees are feeling the strain.

Rising living costs, concerns about job security, increasing workloads, and the shorter, darker days of winter can all contribute to fatigue, stress, and disengagement. Unfortunately, these same factors can also reduce cyber vigilance at a time when cybercriminals are becoming more sophisticated and leveraging AI to scale their attacks.

The challenge for leaders is clear: How do we keep cybersecurity front of mind without creating yet another burden for already stretched employees?

Understanding the Human Factor

For many years, organisations approached cybersecurity awareness through compliance-driven training, annual courses, and periodic reminders. While these activities remain important, they often fail to account for a simple reality:

People are not security systems.

Employees are human beings balancing professional responsibilities, personal commitments, financial concerns, and their own wellbeing. When people become overwhelmed, their ability to identify suspicious emails, question unusual requests, or follow security procedures naturally declines.

Cybercriminals understand this. Modern phishing campaigns are specifically designed to exploit distraction, urgency, and emotional responses. Increasingly, AI is helping attackers create highly convincing emails, voice messages, and fake communications that are far harder to identify than the scams of previous years.

The question is no longer whether employees know what phishing is. The question is whether they can consistently apply that knowledge when under pressure.

The Impact of Economic Pressure

Periods of economic uncertainty often create conditions that increase cyber risk.

Employees may be working longer hours, covering multiple roles, or managing higher workloads following cost-cutting measures. Leaders may be focused on financial sustainability and operational efficiency. In these environments, cybersecurity can unintentionally become viewed as an obstacle rather than an enabler.

When productivity becomes the primary focus, employees may be more likely to:

• Rush through email requests.
• Ignore security warnings.
• Reuse passwords.
• Share information without proper verification.
• Circumvent security controls to save time.

None of these actions are typically malicious. They are often the result of good people trying to meet competing demands.

This is why cybersecurity culture matters. Organisations that successfully maintain cyber vigilance focus on making secure behaviours easy, practical, and relevant to employees' daily work.

AI: Both Friend and Foe

Artificial Intelligence is changing the cybersecurity landscape on both sides of the battle.

Attackers are using AI to create more convincing phishing emails, generate realistic fake websites, automate reconnaissance, and even clone voices. What once required significant technical expertise can now be achieved with widely available tools.

However, AI also provides organisations with powerful defensive capabilities, including:

• Enhanced threat detection.
• Faster incident response.
• Improved monitoring and analysis.
• Automated security operations.
• More personalised security awareness programmes.

The danger lies in assuming that technology alone will solve the problem.

No matter how advanced defensive systems become, employees remain the final decision-makers when approving payments, sharing information, or granting access. Human judgement continues to be one of the most critical layers of defence.

Organisations should therefore position AI as a tool that supports employees rather than replaces their role in security.

Winter Blues and Cybersecurity

Winter can have a surprisingly significant impact on cyber resilience.
Research consistently shows that seasonal changes can affect mood, energy levels, concentration, and motivation. Employees may experience increased fatigue, reduced engagement, and greater levels of stress during colder months.

These factors directly influence cybersecurity behaviours.

A tired employee is more likely to click a malicious link.

A distracted employee is more likely to overlook a warning sign.

A disengaged employee is less likely to report suspicious activity.

This does not mean organisations need to launch major security campaigns every winter. Instead, leaders should recognise that employee wellbeing and cybersecurity are closely connected.

Supporting staff wellbeing is not separate from cyber resilience—it is part of cyber resilience.

Five Practical Ways to Maintain Cyber Vigilance

1. Keep Security Messages Short and Relevant

Employees are already overwhelmed with information.

Rather than lengthy awareness campaigns, provide concise and practical guidance that relates directly to current threats and business activities.

A two-minute reminder about AI-generated phishing attacks may have more impact than a thirty-minute presentation.

2. Focus on Culture Rather Than Compliance

People engage more effectively when they understand why security matters.

Help employees see how their actions protect customers, colleagues, and the organisation's future rather than simply meeting compliance requirements.

Cybersecurity should feel like a shared responsibility, not an imposed obligation.

3. Celebrate Positive Behaviour

Many organisations only discuss cybersecurity when something goes wrong.

Instead, recognise employees who report suspicious emails, challenge unusual requests, or identify potential risks.

Positive reinforcement encourages ongoing engagement far more effectively than fear-based messaging.

4. Connect Cybersecurity to Wellbeing

Encourage employees to take breaks, manage workloads, and seek support when needed.

An employee who feels supported is more likely to remain alert and engaged. Human performance and cyber resilience are closely linked.

5. Make Reporting Easy

Employees should never feel embarrassed about reporting something suspicious.

Create an environment where reporting a concern is viewed as a positive action, even if the threat turns out to be harmless.

The faster employees report potential issues, the faster security teams can respond.

Leadership Sets the Tone

Ultimately, cyber vigilance is not a technology problem—it is a leadership challenge.

Employees pay close attention to organisational priorities. If leaders consistently demonstrate that cybersecurity, wellbeing, and business resilience are interconnected, employees are more likely to adopt the same mindset.

In today's environment, organisations are navigating economic pressures, geopolitical uncertainty, rapid technological change, and workforce wellbeing challenges simultaneously. Expecting employees to remain constantly vigilant without support is unrealistic.

The organisations that succeed will be those that recognise a fundamental truth:

Cybersecurity is not about creating a workforce that is constantly fearful of making mistakes. It is about building a culture where people feel informed, supported, and empowered to make good decisions, even when pressures are high.

​When organisations invest in both their people and their security culture, cyber vigilance becomes not another task on the to-do list, but a natural part of how the organisation operates every day.

​A Cyber Incident Management Plan (CIMP) is no longer a “nice to have” document that sits in a drawer waiting for a major breach. In today’s environment — where ransomware groups evolve weekly, AI-enabled phishing is becoming more convincing, and supply chain attacks can impact thousands of organisations simultaneously — a cyber incident management plan must become a living operational capability.
The challenge for many organisations is not recognising the need for a plan. It is building one that is practical, relevant, maintainable, and achievable within the reality of stretched budgets, limited time, and already overloaded teams.
The good news is that an effective cyber incident management plan does not need to be overly complex or expensive. What matters most is clarity, ownership, adaptability, and regular improvement.
Why Traditional Incident Plans Fail
Many incident response plans fail for three common reasons:

• They are too technical and disconnected from business operations.
• They are written once and never updated.
• They are tested only during a real crisis.

A 200-page document filled with technical jargon is unlikely to help executives, HR, communications teams, or frontline staff during a stressful incident. In reality, cyber incidents create business disruption, reputational damage, legal concerns, and operational uncertainty — not just technical problems.
An effective modern CIMP must therefore be:

• Business-focused
• Human-centric
• Flexible
• Easy to use under pressure
• Continuously improved

The plan should provide guidance, not rigid dependency. During a cyber incident, situations evolve rapidly and decisions often need to be made with incomplete information.
Start With Business Risk, Not Technology
One of the biggest mistakes organisations make is designing incident plans purely around technology systems.
Instead, start by asking:

• What business functions are critical?
• What would stop operations?
• What would cause reputational damage?
• What data loss would create legal or regulatory exposure?
• Which suppliers or third parties introduce risk?
• What cyber scenarios are most realistic for our organisation?

For a small manufacturer, operational downtime may be the biggest concern. For a professional services firm, client confidentiality may be paramount. For healthcare providers, patient safety becomes critical.
This approach keeps the plan relevant and aligned to real business impact rather than theoretical cyber threats.
Keep the Plan Practical and Simple
The most effective incident plans are often surprisingly concise.
A practical plan should clearly define:
1. Roles and Responsibilities
Who does what during an incident?
This should include:

• Executive leadership
• IT and security teams
• Legal
• HR
• Communications
• Operations
• External providers
• Cyber insurance contacts

People should understand:

• Who makes decisions
• Who escalates issues
• Who communicates internally
• Who speaks externally
• Who engages regulators or law enforcement

Clarity removes confusion during stressful situations.
2. Incident Severity Levels
Not every incident requires a full-scale response.
Define simple severity categories such as:

• Low impact
• Moderate impact
• Critical business disruption

This helps organisations scale their response proportionately and avoid unnecessary panic or overreaction.
3. Escalation Pathways
Teams should know:

• When to escalate
• Who to contact
• How quickly decisions must be made
• What thresholds trigger executive involvement

Speed matters enormously in cyber incidents.
4. Communication Templates
One of the most overlooked areas in incident response is communication.
Prepare templates in advance for:

• Internal staff notifications
• Customer communications
• Media holding statements
• Supplier notifications
• Regulatory reporting

During an incident, drafting communications from scratch wastes valuable time and increases risk.
5. External Dependencies
Most organisations rely heavily on external providers:

• Cloud services
• Managed service providers
• SaaS platforms
• Legal counsel
• Cyber insurance
• Incident response specialists

Document:

• Contact details
• Escalation methods
• Contract obligations
• Support arrangements
• After-hours contacts

In many incidents, external coordination becomes one of the biggest operational challenges.
Build a “Living” Plan
Cyber threats evolve too quickly for static documentation.
A modern CIMP should be treated like any operational process:

• Reviewed regularly
• Updated after changes
• Improved after exercises
• Adjusted for new threats

Organisations should review their plan:

• After major incidents
• After significant technology changes
• Following organisational restructures
• Following supplier changes
• At least annually

Importantly, organisations should avoid chasing perfection. A current, usable 15-page plan is far more valuable than an outdated 150-page document.
Testing Does Not Need to Be Expensive
Many organisations avoid testing because they assume it requires costly consultants, large simulations, or significant downtime.
In reality, meaningful testing can be lightweight and highly effective.
Start With Tabletop Exercises
A tabletop exercise is simply a structured discussion around a realistic scenario.
For example:
“A staff member clicks a phishing email and ransomware begins encrypting shared files. What happens next?”
Walk through:

• Who gets notified
• What decisions are made
• What systems are impacted
• How communications occur
• What external parties are contacted

Even a 60-minute discussion can expose:

• Unclear ownership
• Missing contacts
• Decision bottlenecks
• Communication gaps
• Technical assumptions

These exercises are low-cost and highly valuable.
Test Decision-Making, Not Just Technology
Many organisations focus purely on technical recovery testing.
However, the biggest challenges during incidents are often:

• Leadership uncertainty
• Communication failures
• Delayed decisions
• Conflicting priorities
• Lack of coordination

Testing should therefore include executives and business teams — not just IT.
Cyber resilience is ultimately an organisational capability, not solely a technical one.
Keep Exercises Realistic
Overly dramatic “Hollywood-style” scenarios can overwhelm teams and reduce engagement.
Instead, focus on realistic scenarios relevant to the organisation:

• Business email compromise
• Ransomware
• Supplier compromise
• Insider threats
• Cloud platform outages
• AI-enabled phishing attacks

Relevance improves participation and learning outcomes.
Create Continuous Improvement Loops
Every test, exercise, or incident should generate lessons learned.
After each exercise, ask:

• What worked well?
• What caused confusion?
• What slowed response times?
• Were responsibilities clear?
• Were communications effective?
• What assumptions proved incorrect?

Then update the plan accordingly.
This continuous improvement mindset is what keeps a plan relevant over time.
Human Factors Matter Most
Technology alone will never solve incident response challenges.
People make decisions under pressure, often with incomplete information and emotional stress. Fatigue, uncertainty, and communication breakdowns can significantly worsen incidents.
That is why organisations should prioritise:

• Clear communication
• Role clarity
• Psychological preparedness
• Leadership engagement
• Cross-functional collaboration

The strongest cyber resilience comes from organisations where staff understand their role in managing incidents — not just preventing them.
Focus on Progress, Not Perfection
Many organisations delay building or testing a plan because they feel under-resourced or insufficiently mature.
But cyber resilience is not about perfection.
It is about:

• Improving readiness over time
• Reducing uncertainty
• Increasing coordination
• Strengthening decision-making
• Recovering faster when incidents occur

Even small improvements can significantly reduce operational disruption and reputational damage.
The organisations that respond best to cyber incidents are rarely the ones with the largest budgets. They are usually the ones that prepared realistically, tested consistently, communicated clearly, and continuously adapted to change.
In a rapidly evolving cyber landscape, the most valuable incident management plan is not the most sophisticated one.
It is the one your organisation can actually use.

​Artificial Intelligence (AI) is no longer a technology reserved for large enterprises with massive budgets and dedicated innovation teams. Today, small businesses are increasingly adopting AI-powered tools to improve productivity, automate repetitive tasks, enhance customer service, strengthen marketing efforts, and gain operational efficiencies.
From AI chatbots and automated accounting systems to AI-generated content and workflow automation, the opportunities for small businesses are significant.
However, alongside these opportunities comes an equally important conversation: security.
While AI can deliver tremendous business value, implementing it without understanding the associated risks can expose businesses to cyber threats, compliance failures, reputational damage, and operational disruption. For small businesses, which often have limited cybersecurity resources, these risks can be particularly impactful.
The key is not to avoid AI — it is to implement it responsibly.
The Growing Security Challenges of AI
AI systems rely heavily on data. The more data an AI tool can access, the more powerful and useful it becomes. Unfortunately, this also creates new security and privacy concerns.
Many small businesses are unknowingly exposing sensitive information when employees use publicly available AI tools without governance or oversight. Confidential customer information, financial data, internal procedures, intellectual property, or strategic business plans may be entered into AI platforms without fully understanding how that data is stored, processed, or reused.
Some of the most common AI-related security risks include:
Data Leakage
Employees may unintentionally upload confidential information into AI systems. Once sensitive data leaves the organization’s controlled environment, businesses may lose visibility and control over how it is handled.
AI-Enhanced Cybercrime
Cybercriminals are now using AI to improve phishing attacks, automate scams, generate convincing fake communications, and identify vulnerabilities faster than ever before. Small businesses are increasingly targeted because attackers assume they have weaker security controls.
Compliance and Privacy Risks
Businesses operating under privacy regulations must ensure AI usage aligns with legal obligations surrounding data protection, customer consent, and information handling. Failure to do so can result in financial penalties and reputational harm.
Over-Reliance on AI
AI can accelerate decision-making, but it is not infallible. Inaccurate outputs, hallucinations, bias, or poor recommendations can create operational and reputational risks if human oversight is removed from the process.
Shadow AI
One of the fastest-growing concerns is “Shadow AI” — where employees independently adopt AI tools without approval from IT or leadership. This creates significant visibility and governance challenges for organizations.
Why Small Businesses Cannot Afford to Ignore AI
Despite the risks, avoiding AI altogether is not a sustainable strategy.
Businesses that fail to adopt AI may struggle to remain competitive as larger and more agile organizations leverage automation and data-driven insights to reduce costs and improve customer experiences.
The real challenge is not whether businesses should adopt AI — it is how they adopt AI safely and strategically.
Organizations that approach AI implementation through a security and governance lens are far more likely to realize its benefits while minimizing exposure to risk.
Offsetting AI Risks Through Governance and Security
AI implementation should never occur in isolation from cybersecurity and business governance practices.
Small businesses can significantly reduce their exposure by taking a structured and human-centric approach.
Establish Clear AI Usage Policies
Employees need guidance on:

• Which AI tools are approved
• What data can and cannot be entered into AI platforms
• How AI-generated outputs should be validated
• Security and privacy expectations

Clear policies reduce uncertainty and help prevent accidental exposure of sensitive information.
Focus on Employee Awareness
Technology alone cannot solve AI security challenges.
Staff remain one of the most critical components of organizational security. Businesses should ensure employees understand:

• The risks associated with AI tools
• How cybercriminals may exploit AI
• The importance of protecting sensitive information
• How to identify AI-generated scams or phishing attempts

A culture of cyber awareness is essential.
Conduct Risk Assessments Before Adoption
Before implementing any AI solution, businesses should ask:

• What data will the AI access?
• Where is that data stored?
• Who owns the information entered into the platform?
• Does the vendor meet security standards?
• What happens if the AI tool experiences a breach?
• Are there regulatory implications?

These assessments help businesses make informed decisions rather than reactive ones.
Apply Cybersecurity Fundamentals
Many AI-related risks can be mitigated through strong foundational cybersecurity practices, including:

• Multi-factor authentication
• Access controls
• Data classification
• Endpoint protection
• Regular software updates
• Security monitoring
• Backup and recovery processes

Strong cyber hygiene remains essential, regardless of the technology being adopted.
The Role of Risk Management in AI Decision-Making
Risk management plays a critical role in helping businesses balance innovation with security.
Too often, organizations view cybersecurity as a barrier to progress. In reality, effective risk management enables smarter and more confident business decisions.
Rather than asking:
“Is AI safe?”
Businesses should ask:
“How do we implement AI while managing acceptable levels of risk?”
This shift in thinking is important.
Every business decision carries some level of risk — whether financial, operational, legal, or reputational. AI adoption is no different. The goal of risk management is not to eliminate all risk, but to identify, assess, prioritize, and control it appropriately.
For small businesses, this means:

• Understanding which AI tools create the greatest exposure
• Determining what level of risk is acceptable
• Implementing safeguards proportionate to the business
• Continuously reviewing and adapting controls as AI evolves

A structured risk management process allows organizations to:

• Make informed technology investments
• Improve resilience
• Protect customer trust
• Support compliance obligations
• Reduce the likelihood and impact of cyber incidents

Most importantly, it allows businesses to adopt AI with confidence rather than fear.
Human-Centric Security Matters More Than Ever
As AI becomes more integrated into business operations, the human element of cybersecurity becomes increasingly important.
Technology can strengthen productivity and resilience, but people remain central to secure decision-making.
Businesses that combine AI innovation with strong governance, cyber awareness, and risk management practices will be far better positioned to succeed in the evolving digital landscape.
The future of AI in small business is not about replacing people — it is about empowering them safely.
Final Thoughts
AI presents enormous opportunities for small businesses to improve efficiency, competitiveness, and growth. However, without proper governance and security considerations, those same tools can introduce significant risks.
 
The organizations that will benefit most from AI are not necessarily the ones that adopt it the fastest, but the ones that adopt it the smartest.
By embedding cybersecurity, human awareness, and risk management into AI decision-making processes, small businesses can confidently embrace innovation while protecting their operations, employees, customers, and reputation.
AI should not be viewed purely as a technology decision.
It is ultimately a business risk and resilience decision.

“I’ve got a bad feeling about this.”
It’s a line we all recognise.
And in cybersecurity today, it’s more relevant than ever.
Because many organisations are still thinking about cyber risk like it’s the Death Star--
a big, obvious target protected by strong defences.
But modern attacks don’t look like that.
They look more like the Empire’s real strategy:

• Subtle
• Persistent
• Focused on influence, not just force

And most importantly—they exploit people.
 
The Illusion of Control: “Our Shields Are Strong”
Many leaders still believe their organisation is protected because they’ve invested in:

• Firewalls (deflector shields)
• Endpoint tools (stormtroopers on patrol)
• Backups (escape pods)

Important? Yes.
Enough? Not even close.
Because the Empire doesn’t attack the shield first.
It finds the weakness in behaviour.
 
The Business Owner: When the Empire Strikes Back
You’re running your organisation—your Rebel base.
Everything is operating smoothly… until suddenly, it isn’t.
Your operations grind to a halt
This isn’t a clean battle.
It’s confusion:

• Systems locked
• Communications disrupted
• Teams unsure what to do next

Not because you lack technology—but because your people weren’t prepared for the moment.
 
Your data is already in enemy hands
Before you even realise what’s happening, the Empire has:

• Customer data
• Financial information
• Internal communications

The threat isn’t just destruction—it’s exposure.
 
You’re pulled into a negotiation you can’t win
Pay the ransom.
Don’t pay the ransom.
Either way, you’re dealing with an opponent that doesn’t follow rules.
There’s no Jedi Council to appeal to.
 
Your reputation takes the hit
In the eyes of your customers and partners:
“This organisation lost control.”
And in business, trust—like the Force—is everything.
Once it’s shaken, it’s difficult to restore.
 
Your people feel the impact first
Stress rises.
Confidence drops.
Questions surface:

• “Were we prepared?”
• “Did leadership take this seriously?”

Because in the end, it’s not just a technical failure.
It’s a leadership moment.
 
The Senior Manager: You Are the Target
Now let’s shift perspective.
You’re a senior leader.
You might think the battle is happening “out there”—in systems and infrastructure.
But in reality…
You’re the doorway.
 
Your identity becomes the perfect disguise
If the Empire can become you, it doesn’t need to break in.
With access to your personal accounts, it can:

• Message your team
• Approve payments
• Influence decisions

This isn’t hacking systems.
It’s manipulating trust—like a Jedi mind trick in reverse.
 
Your network becomes the map
Your email.
Your LinkedIn.
They reveal:

• Who you trust
• Who trusts you
• How your organisation operates

To an attacker, this is more valuable than any technical diagram.
 
The attack becomes personal
Messages that feel real.
Requests that seem urgent.
Context that makes sense.
Because they’re built from your world.
 
The line between personal and professional disappears
There is no separation anymore.
Your personal behaviour—passwords, MFA, habits--
becomes your organisation’s vulnerability.
 
The Real Problem: We’re Fighting the Wrong War
Too many organisations are still preparing for a direct assault.
But today’s attackers operate more like the Emperor:

• Manipulating from the shadows
• Exploiting behaviour
• Turning your own people into the entry point

 
A Human-Centric Defence: Building Your Jedi Order
If attacks are human-led, defence must be human-centric.
Not by blaming people—but by empowering them.
 
Design systems people can actually use
If security creates friction, people will work around it.
Even the best intentions fail under pressure.
 
Build awareness that feels real—not theoretical
Training shouldn’t feel like a briefing from a distant galaxy.
It should reflect:

• Real scenarios
• Real pressures
• Real decisions your people face

 
Create a culture where people speak up early
You don’t want silence.
You want:
“Something feels off… I’m flagging it.”
That’s your early warning system.
 
Equip leaders to lead in the moment
When something happens, your people don’t look to IT.
They look to leadership.
And the question becomes:
“Are we calm, clear, and decisive—or reacting in chaos?”
 
So… What’s the Worst That Can Happen?
The worst case isn’t just being attacked.
It’s this:

• Your people aren’t prepared
• Your leaders aren’t aligned
• Your culture works against your controls
• And when the moment comes… you hesitate

 
A Better Question
Instead of asking:
“What’s the worst that can happen?”
Ask:
“Have we trained and equipped our people to respond when the Force is tested?”
Because resilience isn’t built in systems alone.
It’s built in people, behaviour, and leadership.
 
May the Force be with you.
​

What began as a pandemic-driven necessity is now re-emerging as an economic decision: if commuting becomes too expensive, working from home (WFH) starts to look like a practical lever for both employers and employees.
But there’s a problem. Many organisations are revisiting remote work strategies without revisiting the cybersecurity foundations that support them.
The Economic Push Back to Remote Work
Rising fuel costs don’t just hit individuals—they ripple across businesses. Employees feel the strain first, and organisations quickly face pressure to respond:

• Retention risks increase as commuting becomes a financial burden
• Productivity can dip when employees are stressed or fatigued by long, costly commutes
• Talent pools shrink if roles require physical presence

Offering more flexible or remote work options is a logical response. It reduces overhead for employees and signals that the organisation is responsive and pragmatic.
However, this shift is happening faster than many organisations’ ability to reassess the risks that come with it.
The Cybersecurity Time Capsule
During COVID-19, organisations rapidly deployed remote access solutions—VPNs, cloud collaboration tools, endpoint security, and identity systems. These were often implemented under extreme time pressure, with one overriding goal: keep the business running.
Now, years later, many of those same solutions are still in place—largely unchanged.
That’s where the risk lies.
What worked as an emergency response is now being treated as a long-term strategy. But the threat landscape has evolved significantly:

• Attackers have refined phishing and social engineering tactics targeting remote workers
• Home networks remain largely unsecured and unmanaged
• Shadow IT has expanded as employees adopt tools that make remote work easier
• Identity-based attacks have become the dominant breach vector

In short, organisations are relying on “COVID-era cybersecurity” to support a fundamentally different, more permanent remote work model.
The Human Factor: The Overlooked Variable
One of the biggest gaps isn’t technological—it’s human.
During the pandemic, employees were more alert. There was a shared sense of crisis, and cybersecurity messaging cut through. Today, that urgency has faded, but the risks have not.
In fact, fatigue, distraction, and complacency can increase vulnerability:

• Employees working from home may blur boundaries between personal and professional device use
• Informal work environments can lead to relaxed security behaviours
• Increased reliance on digital communication creates more opportunities for deception

If organisations expand WFH without addressing human behaviour, they are effectively widening their attack surface.
Why This Matters to Leadership
For senior leaders, this isn’t just an IT issue—it’s a governance and resilience issue.
Remote work decisions are often made in HR, operations, or executive teams. Cybersecurity, meanwhile, is still too often treated as a technical afterthought.
That disconnect creates risk.
If fuel prices are driving a structural shift back toward remote work, then cybersecurity needs to be part of that conversation at the same level as cost, productivity, and culture.
Moving Beyond the “Set and Forget” Model
Organisations don’t need to abandon their existing cybersecurity investments—but they do need to reassess them.
A few critical questions to consider:

• Are our remote access controls still fit for purpose?
  Or are they simply what we implemented in 2020?
• Do our employees understand their role in cybersecurity today?
  Not during COVID—but now, in a hybrid, evolving environment.
• Are we measuring human risk, or just technical compliance?
• Have we adapted our policies to reflect how people actually work?

This is where a human-centric approach becomes critical. Technology alone won’t solve the problem—especially when the environment it supports has changed.
An Opportunity, Not Just a Risk
There’s a tendency to frame this as a looming problem, but it’s also an opportunity.
Organisations that proactively align their remote work strategies with modern, human-centric cybersecurity will gain:

• Greater employee trust and engagement
• Stronger resilience against evolving threats
• A competitive advantage in attracting flexible, security-conscious talent

Rising fuel prices may be the trigger—but the response can be far more strategic.
Final Thought
We’re seeing history repeat itself—but under very different conditions.
Remote work is no longer an emergency measure. It’s becoming a permanent feature of how organisations operate. Treating cybersecurity as if it’s still 2020 is a risk few can afford.
The question for leadership isn’t whether to support more flexible work—it’s whether the organisation is truly prepared to do so securely.

Last week, we asked a simple but confronting question:
When last did you test your cyber resilience?
Many organisations reflected. Some ran tabletop exercises. Others reviewed their backups, incident response plans, or security tools.
That’s a solid start.
But here’s the uncomfortable truth:
Testing yourself is not the same as being tested.
And in cybersecurity—especially in today’s AI-driven threat landscape—that distinction matters more than ever.
 
The Blind Spot Most Leaders Miss
Most cyber reviews are conducted internally or by existing providers. On paper, that sounds logical.
In reality, it creates risk.
Why?
Because internal teams and incumbent providers are often:

• Too close to the environment
• Influenced by existing assumptions
• Focused on technology rather than behaviour
• Unintentionally biased toward “everything is fine”

And critically…
They rarely challenge the human layer hard enough.
 
Cybersecurity Is No Longer Just a Technology Problem
Firewalls, endpoint protection, and AI-driven tools all have their place.
But breaches still happen because:

• Someone clicked
• Someone trusted
• Someone misunderstood
• Someone was overloaded, distracted, or under-trained

In other words:
Cybersecurity succeeds or fails at the human level.
Yet most audits still focus heavily on:

• Systems
• Configurations
• Compliance checklists

…while underweighting:

• Staff behaviour
• Decision-making under pressure
• Cultural attitudes toward security
• Leadership engagement

 
Why Independent, Human-Centric Audits Matter
An independent audit brings something different:
1. Objectivity
No internal politics. No attachment to existing tools or decisions. Just a clear view of reality.
2. Behavioural Insight
A human-centric audit doesn’t just ask “Is the system secure?”
It asks:
“Will your people act securely when it matters most?”
3. Cultural Diagnosis
It uncovers:

• Whether staff feel safe reporting mistakes
• Whether security is seen as a blocker or an enabler
• Whether leadership behaviours reinforce or undermine good practice

4. Real-World Readiness
It tests how your organisation actually responds—not how policies say it should respond.
 
The Question Every Board Should Be Asking
Not:
“Are we compliant?”
or
“Do we have the right tools?”
But:
“If something goes wrong tomorrow, how will our people respond—really?”
Because resilience is not built in documents.
It’s built in behaviours.
 
A Practical Next Step
If you’ve recently tested your cyber resilience, the next step is simple:
Validate it independently.
Look for an audit approach that:

• Prioritises human behaviour as much as technology
• Engages staff, not just systems
• Assesses culture, not just controls
• Provides practical, actionable insights—not just a report

 
Final Thought
Cybersecurity is evolving rapidly, especially with the rise of AI-driven threats.
But one thing hasn’t changed:
Your people remain both your greatest vulnerability—and your strongest defence.
The organisations that recognise this, measure it, and improve it
will be the ones that don’t just test resilience…
They prove it.
​

Most organisations believe they are “secure enough.”
They’ve invested in tools.
They’ve implemented policies.
They may even have a provider.
But here’s the uncomfortable question:
When last did you actually test your cyber resilience?
Because there is a fundamental difference between having controls… and knowing they work when it matters.
 
The Illusion of Preparedness
Cybersecurity often becomes a checklist exercise:

• Firewalls? ✔️
• Endpoint protection? ✔️
• Policies and procedures? ✔️

On paper, everything looks solid.
But cyber incidents don’t happen on paper.
They happen:

• At 4:47pm on a Friday
• When your key IT person is on leave
• When a stressed employee clicks the wrong link
• When systems behave in ways no policy ever anticipated

Resilience isn’t proven in documentation.
It’s proven under pressure.
 
Testing Reveals the Truth
If you haven’t tested your environment recently, there are critical questions you likely can’t answer with confidence:

• How quickly can your team detect a breach?
• Who makes the call to shut systems down?
• Do your staff know what “suspicious” actually looks like?
• Can your business continue operating if systems go offline?
• How effectively do your people respond—not just your technology?

A tabletop exercise or simulated attack often reveals something confronting:
The biggest gaps are rarely technical—they’re human.
 
The Human Factor: Your Strongest (or Weakest) Link
Even with advanced tools, your people remain the front line.

• Do they feel confident to report incidents quickly?
• Do they understand their role in a cyber event?
• Have they ever practised that role?

In many organisations, the answer is no.
And in a real incident, hesitation, confusion, and poor communication can cause more damage than the attack itself.
 
Resilience Is a Muscle—Not a Document
You wouldn’t expect a team to perform in a crisis without training.
Cyber resilience is no different.
It requires:

• Regular testing
• Realistic scenarios
• Cross-functional involvement (IT, HR, leadership)
• Honest reflection on gaps

This is how organisations move from theoretical security to operational resilience.
 
A Simple Challenge for Leaders
Ask yourself—and your team—today:

• When last did we test our cyber response end-to-end?
• When last did leadership actively participate in a simulation?
• When last did we review how our people—not just our tools—would perform?

If the answer is “we haven’t” or “not recently,” you’ve identified your biggest risk.
 
Finally
Cyber threats are no longer a question of if, but when.
And when that moment comes, your success won’t depend on what you bought…
It will depend on what you’ve practised.

The cyber threat landscape has changed — permanently.
You don’t need a big budget to be a target anymore.
You just need:

• An email account
• Customer data
• Or staff using AI tools

Today, even the smallest business is exposed to automated, AI-powered attacks, data leaks, and human error at scale.
And here’s the uncomfortable truth:
Most organisations still aren’t ready.
Recent global research shows that only a small minority of organisations feel fully capable of defending themselves against cyber threats, despite rising investment and awareness (PwC).
So the question isn’t: “Can we afford cybersecurity?”
It’s: “What’s the minimum we must do to survive?”
 
The New Risk Reality (Why This Matters More Than Ever)
Cyber risk is no longer just about hackers breaking in.
It’s about:

• AI-powered attacks that are faster and harder to detect (ISACA)
• Data leaks through everyday tools like generative AI platforms (Cyber Security Australia)
• Human error, still the #1 vulnerability in most businesses (IT Pro)
• Shadow AI — staff using tools without oversight

AI is accelerating both defence and attack. It’s lowering the barrier for cybercriminals while increasing the risk of accidental exposure inside your business (World Economic Forum).
 
The Minimum Cybersecurity Baseline (For Cash-Strapped Businesses)
If budget is tight, forget perfection. Focus on coverage, not complexity.
Here are the non-negotiables:
 
1. Lock Down Identity (Your Biggest Risk Surface)
Most attacks don’t “hack systems” — they log in.
Minimum actions:

• Enable Multi-Factor Authentication (MFA) on email, banking, and key systems
• Use a password manager (no shared or reused passwords)
• Remove old users and unused accounts

👉 If you do only one thing — do this.
 
2. Protect Your Email (Your Front Door)
Email is still the #1 attack vector.
Minimum actions:

• Turn on spam/phishing filtering
• Train staff to spot suspicious emails
• Implement a simple “pause and verify” culture

Because one click is all it takes.
 
3. Backups That Actually Work
Ransomware doesn’t care about your budget.
Minimum actions:

• Automatic daily backups
• Store copies offline or in a separate environment
• Test recovery (most businesses don’t)

If you can’t restore, you don’t have a backup.
 
4. Basic Device & Software Hygiene
You don’t need expensive tools — just discipline.
Minimum actions:

• Turn on automatic updates
• Use standard antivirus / endpoint protection
• Remove unsupported or unused software

Most breaches exploit known, unpatched vulnerabilities.
 
5. Know Your Data (Especially with AI)
If you don’t know where your data is — you can’t protect it.
Minimum actions:

• Identify your most sensitive data (customer, financial, staff)
• Limit who can access it
• Never upload sensitive data into AI tools without controls

Why? Because AI tools may store, process, or even reuse that data — creating real privacy and security risks (Cyber Security Australia).
 
6. Set Simple AI Rules (This Is Now Essential)
AI is already inside your business — whether you like it or not.
Minimum actions:

• Define what staff can and cannot input into AI tools
• Require human verification of AI outputs
• Approve a small set of trusted tools

AI introduces risks like:

• Data leakage
• Manipulated outputs (prompt injection)
• False information (“hallucinations”) (Cyber Security Australia)

Without guardrails, your biggest risk isn’t hackers — it’s your own people using AI incorrectly.
 
7. Train Your People (Your First Line of Defence)
Technology alone won’t save you.
Minimum actions:

• Short, regular awareness sessions (not annual tick-box training)
• Teach:
  • Phishing awareness
  • Safe AI usage
  • Reporting suspicious activity

Because cybersecurity is no longer an IT problem --
It’s a human behaviour problem.
 
8. Have a Simple “What If” Plan
Most small businesses don’t.
Minimum actions:

• Who do we call if something goes wrong?
• Can we still operate if systems go down?
• How do we communicate with customers?

Yet many businesses still don’t regularly test incident response plans, leaving them exposed to downtime and losses (IT Pro).
 
What This Looks Like in Reality
This isn’t about building a “perfect” cybersecurity programme.
It’s about:

• Reducing your biggest risks
• Covering your most likely attack paths
• Building resilience without breaking the bank

Done right, these basics will eliminate the majority of common attacks.
 
Final Thought: Cybersecurity Is Now a Leadership Issue
Cybersecurity used to be technical.
AI has made it strategic, cultural, and human.
You don’t need more tools.
You need:

• Clear priorities
• Simple controls
• Engaged people

Because in today’s environment, the question isn’t:
“Will something happen?”
It’s: “How prepared will you be when it does?”
​

​Artificial Intelligence is moving at a relentless pace.
New tools. New platforms. New capabilities—appearing daily.
For organisations, the pressure is clear: adopt AI or risk falling behind.
But in the rush to embrace AI, many organisations are making a critical mistake.
They are confusing governance with documentation.
Because AI safety is not achieved by copying a policy template or publishing a procedure on the intranet.
It is achieved through effective, lived governance.
 
The Illusion of “Being Covered”
When AI enters the conversation, a common response from leadership is:
“We need an AI policy.”
And so, a document is created.
Or worse—downloaded, lightly edited, and distributed.
On paper, it looks like progress.
In reality, very little has changed.

• Staff still use unapproved tools
• Sensitive data is still being shared
• Decisions are still being made without oversight
• Leadership still lacks visibility

A policy alone does not change behaviour.
And in the context of AI, behaviour is where the real risk sits.
 
Governance Is Not a Document—It’s a System
Effective AI governance goes far beyond written rules.
It is the combination of:

• Clear accountability (who owns AI risk?)
• Practical guardrails (what is acceptable use?)
• Visibility (where and how is AI being used?)
• Ongoing oversight (how is risk monitored and managed?)

Most importantly, governance must be embedded into how the organisation operates daily—not sitting on a shelf.
If your governance doesn’t influence decisions in real time, it isn’t governance.
 
Start with Reality, Not Assumptions
Many organisations attempt to govern AI before they understand how it is actually being used.
The truth?
AI adoption is already happening—often informally.
Employees are:

• Uploading documents into AI tools
• Automating workflows without approval
• Using AI to make or influence decisions

This “shadow AI” creates a dangerous gap between perceived control and actual risk.
Good governance starts by acknowledging reality, not ignoring it.
 
Define Guardrails That People Can Actually Follow
Overly complex governance frameworks fail for one simple reason:
People don’t follow what they don’t understand.
Effective AI governance should be:

• Simple enough to guide everyday decisions
• Practical enough to apply under time pressure
• Relevant to real roles and workflows

For example:

• What data is strictly off-limits?
• Which tools are approved—and why?
• When must a human validate AI output?

Clarity reduces risk. Complexity increases it.
 
Protect Data Through Behaviour, Not Just Controls
Technology controls matter—but they are only part of the equation.
AI risk often emerges from small, human decisions:

• Copying and pasting sensitive information
• Trusting AI outputs without validation
• Using convenient tools instead of approved ones

This is why governance must connect directly to how people think and act.
A simple principle often outperforms complex controls:
“If this data left the organisation, what would the impact be?”
When employees can answer that question, they make better choices.
 
Leadership Accountability Is Non-Negotiable
AI governance cannot be delegated entirely to IT.
It is a leadership responsibility.
Because the risks are not just technical—they are:

• Reputational
• Legal
• Operational
• Cultural

Strong governance requires:

• Clear ownership at an executive level
• Regular review and challenge
• Alignment with business strategy and risk appetite

If leadership is not actively engaged, governance becomes a checkbox exercise.
 
Build a Culture That Supports Safe AI Use
Policies don’t shape culture. Behaviour does.
If employees feel:

• Pressured to be faster
• Rewarded for shortcuts
• Unsure about what’s acceptable

They will take risks—often unintentionally.
Effective governance creates an environment where:

• People feel confident using AI safely
• Asking questions is encouraged
• Accountability is shared, not feared

This is where human-centric security becomes critical.
Because AI safety is not just about controlling systems—it’s about enabling people to make better decisions.
 
Governance That Enables, Not Restricts
There’s a common fear that governance slows innovation.
In reality, poor governance does.
When organisations lack clarity:

• Teams hesitate
• Risk increases
• Trust erodes

But when governance is clear and embedded:

• Adoption accelerates
• Decisions improve
• Innovation becomes safer and more sustainable

Good governance doesn’t block AI.
It unlocks it—safely.
 
Final Thought
AI is not waiting for organisations to catch up.
It is already embedded in how work gets done.
The question is no longer:
“Do we have an AI policy?”
The real question is:
“Do we have governance that actually works?”
Because in the age of AI, safety will not come from what is written.
It will come from what is understood, applied, and lived—every day, across the organisation.

With ongoing conflict in the Middle East, and the prolonged war in Ukraine, the global environment is no longer just uncertain—it’s persistently volatile.
Layer on top of that a tightening fuel supply and rising energy costs, and the implications for business become immediate and unavoidable.
This isn’t just geopolitics anymore.
This is operational risk.
This is business continuity.
This is leadership.
And yet, many organisations are still operating as if disruption is an exception—not the norm.
So, let’s ask the uncomfortable—but necessary—questions:
1. When did you last review or update your Business Continuity Plan (BCP)?
For many organisations, the BCP sits untouched—created during COVID, filed away, and assumed to be “good enough.”
But today’s risks are different:

• Multi-region disruption
• Energy shortages
• Simultaneous cyber and physical threats

A static plan in a dynamic world is a liability.
If your BCP hasn’t evolved with the current global landscape, it’s already outdated.
 
2. When did you last review your cyber posture—including your tech stack?
Periods of geopolitical tension consistently correlate with increased cyber activity.
Not just sophisticated nation-state attacks—but opportunistic ones targeting:

• Small and medium businesses
• Under-protected systems
• Human vulnerabilities

The question isn’t whether you have cybersecurity tools.
It’s whether they are:

• Fit for purpose
• Properly integrated
• Understood by your people

Because complexity without usability creates risk—not protection.
3. Are you prepared for another sudden shift to remote work?
Fuel disruption doesn’t just affect logistics—it affects people.

• Commuting becomes difficult or expensive
• Offices become less viable
• Remote work becomes necessary again—quickly

But with that shift comes risk:

• Unsecured home networks
• Shadow IT and unsanctioned tools
• Increased phishing and social engineering

We’ve been here before.
The real question is:
Did we learn enough the first time?
4. When did you last run a tabletop exercise?
Plans don’t fail on paper.
They fail in execution.
A tabletop exercise reveals:

• Gaps in decision-making
• Confusion in roles and responsibilities
• Weaknesses in communication

Without testing your response in a safe environment, you’re relying on theory in a real-world crisis.
And theory rarely survives first contact.
5. How confident are you in your supply chain?
Global conflict and fuel instability create a perfect storm:

• Delayed shipments
• Increased costs
• Supplier disruption

But the deeper risk often sits beneath the surface:

• Third-party cyber vulnerabilities
• Lack of visibility beyond Tier 1 suppliers
• Over-reliance on single regions or vendors

Supply chain resilience is no longer just about logistics.
It’s about trust, transparency, and contingency.
The Common Thread: Preparedness vs Assumption
What links all of these questions is a single issue:
Assumption.

• “Our plan is probably still fine.”
• “Our systems should hold up.”
• “Our people will adapt.”

But in today’s environment, assumption is risk.
A Leadership Imperative
This moment doesn’t call for panic.
It calls for proactive leadership.

• Revisit your BCP
• Reassess your cyber posture
• Re-engage your people
• Re-test your response capability

And most importantly:
Shift from a technology-first mindset to a human-centric one.
Because in every disruption—whether driven by conflict, fuel shortages, or cyber threats--
it is people who make the difference between failure and resilience.
Final Thought
The world isn’t becoming more stable anytime soon.
The question is no longer:
“Could this impact us?”
It’s:
“Are we ready when it does?”