Most cyber security breaches do not begin with technical failure. They begin with trust, pressure and perfectly ordinary behaviour inside otherwise well-run organisations.
There is a comforting myth in cyber security, and a false one, that danger comes from outside. From distant networks. Anonymous actors. Somewhere else.
That myth allows leaders to believe risk can be solved with software, audits and dashboards.
In reality, most breaches begin much closer to home. They start with a familiar name, an internal-looking email and a decision made quickly by someone trying to do the right thing. Nothing crashes. Nothing ‘breaks’. Someone complies.
Most breaches do not break in. They are let in.
This is not a staff problem. It is a leadership one.
Organisations are built on trust, speed and hierarchy. Those qualities make businesses effective. They also make them vulnerable.
Modern phishing emails mirror internal tone. Requests appear to come from finance or the CEO. Add urgency – a deadline, a confidential deal, a regulatory issue – and hesitation disappears. The attack succeeds not because defences failed, but because pressure worked.
Cyber security risk lives where pressure lives.
1. Train judgement, not awareness
Many organisations run annual cyber security training. Few change behaviour.
Tick-box training creates familiarity, not instinct. What staff need is rehearsal – ambiguous scenarios, real-world simulations, permission to pause.
Cyber security training that does not alter behaviour is theatre. Leaders should measure judgement, not completion rates.
2. Make it safe to question authority
Hierarchy is efficient because it speeds decisions. It is also exploitable because it discourages hesitation.
A significant number of successful attacks rely on impersonating senior leadership. In cultures where questioning authority feels uncomfortable, people comply rather than verify.
Leaders must say – explicitly and repeatedly – that it is acceptable to challenge unusual requests, even when they appear to come from the top. The more hierarchical the culture, the easier it is to hack.
3. Access should be deliberate
People in organisations accumulate access over time. Shared inboxes. Legacy systems. Temporary permissions granted for a project and never removed.
These are rarely technical failures. They are governance habits.
The principle is simple: staff should have access only to what they need to do their job – and only for as long as they need it.
Excess access does not feel dangerous day-to-day. It feels convenient. But every unnecessary permission is a doorway that does not need to exist. Access should expire by default. Roles should be reviewed when people move. Privilege should be deliberate, not inherited.
Security professionals call this ‘least privilege’. Leaders should call it discipline.
In cyber security, convenience compounds risk.
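The three rules in this section (every grant expires by default, access tied to a role lapses when the person moves, and a periodic review surfaces what should be removed) can be made concrete in code. The sketch below is an added illustration and is not part of the original article; the AccessRegister class, the principal "alice", the resource names and the timeline are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One deliberate access decision, always bounded in time and tied to a role."""
    principal: str
    resource: str
    role: str               # the job role that justified the grant
    granted_at: datetime
    expires_at: datetime    # there is no 'forever'; every grant expires


class AccessRegister:
    """Hypothetical access register: expiry by default, role-bound grants, periodic review."""

    def __init__(self, default_ttl: timedelta = timedelta(days=90)):
        self.default_ttl = default_ttl
        self.grants: List[Grant] = []
        self.roles: Dict[str, str] = {}   # principal -> current role

    def grant(self, principal: str, resource: str, role: str,
              now: datetime, ttl: Optional[timedelta] = None) -> Grant:
        """Record a grant. Omitting ttl gives the default expiry, never open-ended access."""
        ttl = self.default_ttl if ttl is None else ttl
        if ttl <= timedelta(0):
            raise ValueError("a grant must have a positive lifetime")
        current_role = self.roles.setdefault(principal, role)
        if current_role != role:
            # Privilege is granted for the job someone holds now, not for one they used to hold.
            raise ValueError(f"{principal} is currently '{current_role}', not '{role}'")
        g = Grant(principal, resource, role, now, now + ttl)
        self.grants.append(g)
        return g

    def move_role(self, principal: str, new_role: str) -> None:
        """A role change does not carry old grants along; they stop being effective."""
        self.roles[principal] = new_role

    def is_effective(self, g: Grant, now: datetime) -> bool:
        """A grant works only while unexpired and while the holder still has the role it was made for."""
        return g.expires_at > now and self.roles.get(g.principal) == g.role

    def has_access(self, principal: str, resource: str, now: datetime) -> bool:
        return any(self.is_effective(g, now)
                   for g in self.grants
                   if g.principal == principal and g.resource == resource)

    def review(self, now: datetime) -> List[Tuple[str, str, str]]:
        """List grants that should be removed, with the reason: expired, or orphaned by a role move."""
        findings = []
        for g in self.grants:
            if g.expires_at <= now:
                findings.append((g.principal, g.resource, "expired"))
            elif self.roles.get(g.principal) != g.role:
                findings.append((g.principal, g.resource, "orphaned"))
        return findings


def run_scenario() -> dict:
    """Constructed walk-through: a finance analyst picks up project access, then moves teams."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = AccessRegister()
    reg.grant("alice", "finance-share", "finance", now=t0)                            # default 90 days
    reg.grant("alice", "project-x-repo", "finance", now=t0, ttl=timedelta(days=30))  # short-lived project access
    out = {}
    out["project_day1"] = reg.has_access("alice", "project-x-repo", t0 + timedelta(days=1))
    out["project_day31"] = reg.has_access("alice", "project-x-repo", t0 + timedelta(days=31))
    reg.move_role("alice", "marketing")   # she changes teams; nothing is revoked by hand
    out["finance_after_move"] = reg.has_access("alice", "finance-share", t0 + timedelta(days=31))
    out["review"] = reg.review(t0 + timedelta(days=31))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The project grant lapses on its own at day 30, and the finance share stops working the moment the role changes, even though nobody remembered to revoke it. The review then lists both grants for cleanup, which is the "doorway that does not need to exist" made visible.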
4. Treat mistakes as early warnings
In many organisations, the greatest risk is not the mistake itself. It is the delay that follows.
When people fear blame, they hesitate. They try to fix issues quietly. They wait to see if the problem resolves itself. By the time it reaches leadership, the window for containment has narrowed. That delay is cultural.
Resilient organisations remove the fear from early reporting. They make it clear that raising a concern quickly is a professional obligation, not an admission of failure.
Staff should not feel that near misses are embarrassments. They are intelligence.
The first sign of a cyber security incident should not be legal advice. It should be early disclosure.
If staff feel safer speaking up than staying silent, incidents shrink. If they fear consequences, incidents grow.
5. Rehearse the leadership response
Breaches are decision-making crises, not IT tickets.
Who shuts systems down? Who informs regulators? Who speaks to clients? Confusion and delay often cost more than downtime.
Many organisations test fire alarms and financial resilience. Few test executive response to a live cyber security scenario.
That gap is cultural, not technical.
Where security truly begins
Cyber security fails from the inside because that is where trust, urgency and hierarchy intersect.
Software matters. Controls matter. But culture matters more.
The strongest defence is clarity, permission to pause and leadership that understands how real decisions are made under pressure.
In the end, cyber security resilience is less about systems – and more about whether your culture allows someone to say, “This feels wrong.”