
The human factor - why staff training is critical to cybersecurity.

Written by Rob Tregaskes | Sep 30, 2025 7:30:00 AM

A severe cybersecurity incident is the most dangerous risk most companies face. It is the greatest threat to a company’s ability to deliver for its customers, and therefore to its value. This is the eighth in a series of posts about cybersecurity risk and how you can reduce it to give customers and investors confidence.

Spotting the abnormal, or the absence of the normal.

Most of my posts have been about technical security controls, which can be complex and overwhelming, but the strongest (or weakest) line of defence often isn’t hidden in the settings of an admin console; it’s your people. Their ability (or inability) to spot the abnormal, or the absence of the normal, will often be the difference between a breach and a lucky escape.

We all want to trust our staff. After all, we've given them access to sensitive data, systems, and even the controls of the business’s reputation. But therein lies the challenge: this very trust is exactly what attackers hope to exploit.

Phishing and social engineering - the most common attack vector

With the move to the cloud it has become increasingly straightforward to secure the digital estate of your business, so more and more attacks are based on tricking people into opening the door for the threat actor. Attackers use automated tools to analyse an organisation’s public domain records and the social media profiles of its staff. In no time at all they have a good idea of staff email addresses and the tools the organisation uses (the mail provider, for example, is visible from the domain’s MX records), and they can use AI to generate convincing phishing emails to trick staff. They can even automate bespoke attacks on new starters, who may not yet be familiar with organisational norms.

This is particularly pertinent for investment firms and their portfolio companies. When high-value deals are signed, all parties to the transaction often issue press releases, which make it even clearer who staff are likely to be dealing with, and so make impersonation all the easier.

The goal of a phishing attack is often to trick a staff member into clicking a link so that their credentials can be captured; the attacker then registers their own MFA method on the account to maintain persistent access. They can analyse the email and messaging history of that legitimate digital identity before using it as a launch pad for further attacks. That persistence step leaves a trace worth watching for: a new MFA method registered shortly after a sign-in from a location the account has never used before.
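As an added example (not code from the post), the following Python snippet shows one way to detect the persistence step described above: an MFA method registered soon after the account's first sign-in from an unfamiliar IP, or from an IP with no sign-in history at all. The event records, field names and window are constructed for the illustration and are not any identity provider's real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events for this example. The record shape (sign-in and
# "MFA method registered" events carrying user, IP and country) is an
# assumption loosely modelled on identity-provider audit logs, not any
# vendor's schema. Timestamps are ISO 8601, treated as UTC.
EVENTS = [
    # alice: routine sign-ins from the office IP over a week, then a
    # legitimate MFA re-enrolment from that same long-known IP.
    {"ts": "2025-09-22T08:02:00", "user": "alice@example.com", "type": "signin",
     "ip": "203.0.113.10", "country": "GB"},
    {"ts": "2025-09-29T08:05:00", "user": "alice@example.com", "type": "signin",
     "ip": "203.0.113.10", "country": "GB"},
    {"ts": "2025-09-30T09:00:00", "user": "alice@example.com", "type": "mfa_registered",
     "ip": "203.0.113.10", "country": "GB", "method": "authenticator_app"},
    # bob: normal sign-in, then a sign-in from a never-seen IP abroad,
    # followed eight minutes later by a new MFA method on the account.
    {"ts": "2025-09-29T14:21:00", "user": "bob@example.com", "type": "signin",
     "ip": "198.51.100.7", "country": "GB"},
    {"ts": "2025-09-29T14:23:00", "user": "bob@example.com", "type": "signin",
     "ip": "192.0.2.44", "country": "NL"},
    {"ts": "2025-09-29T14:31:00", "user": "bob@example.com", "type": "mfa_registered",
     "ip": "192.0.2.44", "country": "NL", "method": "authenticator_app"},
    # carol: MFA method registered from an IP with no prior sign-in at all.
    {"ts": "2025-09-29T16:00:00", "user": "carol@example.com", "type": "mfa_registered",
     "ip": "192.0.2.99", "country": "US", "method": "sms"},
]


def _ts(event):
    """Parse the event timestamp into a datetime for ordering and arithmetic."""
    return datetime.fromisoformat(event["ts"])


def find_suspicious_mfa_registrations(events, window=timedelta(hours=24)):
    """Flag MFA registrations that follow within `window` of the user's FIRST
    sign-in from that IP, or that come from an IP with no sign-in history.

    Returns a list of alert dicts in time order.
    """
    first_seen = {}   # (user, ip) -> datetime of the first sign-in from that IP
    alerts = []
    for event in sorted(events, key=_ts):
        key = (event["user"], event["ip"])
        when = _ts(event)
        if event["type"] == "signin":
            first_seen.setdefault(key, when)   # keep the earliest sighting only
            continue
        if event["type"] != "mfa_registered":
            continue
        baseline = first_seen.get(key)
        if baseline is None:
            reason = "MFA method registered from IP with no sign-in history"
        elif when - baseline <= window:
            minutes = int((when - baseline).total_seconds() // 60)
            reason = f"MFA method registered {minutes} min after first sign-in from this IP"
        else:
            continue   # long-established IP: treat as routine re-enrolment
        alerts.append({"user": event["user"], "ts": event["ts"], "ip": event["ip"],
                       "country": event["country"], "method": event["method"],
                       "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(EVENTS):
        print(f"[ALERT] {alert['user']} {alert['ts']} {alert['ip']} "
              f"({alert['country']}): {alert['reason']}")
```

On the constructed data this flags bob and carol and leaves alice's re-enrolment alone. It is a signal, not proof: a genuine new starter enrolling MFA on day one from a new IP will also trigger it, which is why the alert should prompt a quick check with the person rather than an automatic lockout, and a real deployment would baseline on more than a raw IP (country and network operator at least).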

Creating a culture of healthy paranoia

There is good news though: not all solutions are technically complex to implement. Regular, relevant staff training is one of the best investments you can make in your organisation’s cyber resilience. Training isn’t about turning every employee into an IT expert; it’s about giving them the confidence and skills to spot the red flags, question the unusual, and know exactly what to do if something feels off.

Effective training programmes don’t just tick boxes; they foster a culture of vigilance, healthy paranoia and caution. They teach your staff to recognise phishing attempts, understand the basics of password hygiene, and appreciate why their actions matter. Employees become active participants in your security posture, not passive risks.

Training programmes need to be engaging, ongoing, and tailored to your business’s context. Most importantly, staff should feel comfortable reporting suspicious activity without fear of blame – because early reporting can make the difference between a near miss and a damaging breach.

Remind your staff: it's not a failing to question a request, to double-check with a colleague, or to be a little bit suspicious. In fact, it’s one of the best habits to cultivate in the digital age.

Bottom line

The cyber threat landscape will keep shifting, but one thing remains constant: your staff are key gatekeepers to your business. Equip them well, invest in their awareness, and they’ll be your most reliable cybersecurity asset. So, next time you review your security budget, remember: the most sophisticated technology in the world won’t always protect you if your people aren’t prepared. Let’s make sure our first line of defence is also our best-trained.

If you are navigating some of these challenges at the moment, we can help. Our mission is to help you reduce your cyber risk, so our help can take whatever form is most useful to you: conducting an assessment of your current setup, advising on system architecture and configuration, introducing trusted partners, training up staff, or helping with operating model development or hiring. Please reach out below 👇