In my last post on cybersecurity, I explored the two primary objectives of cyber hackers: information theft and the extortion of money. What is interesting about both of these goals is that they start in similar ways. Bad actors either find a vulnerable technology via an external technology scan that they use to penetrate a company’s network, or they leverage human-centric tactics, such as phishing, to open the front door.
What is surprising to many executives is that, while cyber risk is often thought of in terms of technology vulnerabilities, it is frequently the human dimension that leads to breaches. And the individuals most often at fault, partly because they are also the most targeted, are the C-suite executives themselves.
To reduce the risk of security incidents, CEOs should first ensure their businesses are both prescribing and, more importantly, adopting basic cybersecurity hygiene:
- Multi-factor authentication (MFA)
- Ongoing phishing training
- Strict adherence to patching
These three things, which are both simple and inexpensive, are far and away the most important actions companies can take to protect themselves. Regrettably, because some of them (e.g. multi-factor authentication) can be viewed as a nuisance by time-strapped employees, these controls often suffer from only partial adoption.
Fortunately, the tools available to drive these controls have continued to improve, making them less onerous to both administer and use. As an example, a number of phishing training businesses have emerged that can automatically increase the sophistication of simulated attacks each month to progressively raise the level of maturity within organizations.
Beyond basic hygiene, there is a deeper set of practices and tools firms should implement, including:
- Annual pen tests
- Monitoring tools to scan systems for breaches
- Table-top exercises to prepare for incident response
- External vulnerability scans to identify at-risk technology
From a staffing perspective, the model I have seen work best, through my personal advisory work with large organizations, is to have a named, dedicated CSO (Chief Security Officer) who leverages a combination of in-house and third-party resources and service providers. This combination enables companies to benefit from the expertise of specialists while keeping a healthy degree of ownership inside the business, which I view as critically important.
Even with the right staffing model and tools, however, it is worth reiterating that people, not technology, are often at the heart of breaches. And the common denominator of many of the incidents we have supported clients on has been cultural: firms either failed to take risks seriously or acted as if cybersecurity was solely the responsibility of IT instead of fully integrating the topic within the business.
Looking to the future, it is helpful to remember that culture is shaped by executive action. For this reason, it is vital for cybersecurity to be included in both the dialogue and actions of C-level executives, providing a natural way for employees to understand that security is a company priority.
Partner & UK Country Head
Andrew is a life-long consultant with a very successful and diverse background, having served in MD or CEO roles for several technology and services companies. Andrew has over 25 years of technology leadership experience at an executive level, with a strong client background in the consumer, financial and professional services sectors. He’s lived and worked in Europe and North America and has built high-performing teams that have consistently achieved double-digit revenue growth. Andrew possesses a proven track record in the delivery of large-scale operations and technology transformation agendas across the B2C and B2B space. Andrew has also participated in numerous speaking roles over his career, most recently for Private Equity International, as well as the Business Forum at the Commonwealth Heads of Government Meeting.