
The Biggest Cybersecurity Threat Isn’t Who You Think It Is 

Your organisation’s greatest security risk isn’t a shadowy hacker in a hoodie – it’s the well-meaning employee who shares passwords to meet a project deadline, uses Dropbox because the approved file-sharing system is too slow, or clicks on a phishing email from what appears to be a trusted colleague. This uncomfortable reality emerged as the central theme in our recent webinar, "Hiding in Plain Sight: The Cyber Risks Built Into Your Daily Operations," where I joined fellow cybersecurity experts Petra Vincent and Matthew Wylie to dissect how everyday business practices create the vulnerabilities that attackers exploit most successfully.

The Human Factor: Your Biggest Asset and Liability

“Human risk is usually not from bad actors,” explained digital strategist Petra Vincent during the discussion. “It usually comes from when someone’s trying to find an easier route, when teams are incentivised to move really fast without any guardrails, and then they start to bypass controls.” 

The scenarios are painfully familiar: 

  • Team members sharing passwords when there aren’t enough software licenses 
  • Employees writing down passwords and incrementally changing the last digit 
  • Remote workers bypassing security protocols to complete urgent tasks 
  • Staff using unauthorised tools like WeTransfer when official systems are overly restrictive 

As I pointed out during our discussion, this creates a dangerous disconnect: “You can sometimes end up with this big disparity between what the leadership team think is happening and what’s actually happening on the ground.” 

Why Traditional Security Training Fails

The webinar panel unanimously agreed that annual security training (the checkbox exercise most organisations rely on) simply doesn’t work. Instead, they advocated for frequent, bite-sized training that creates real accountability. 

Vincent shared an effective approach from her previous firm: “We would do phishing tasks at least once a week, randomised across the firm. After something happened three times, then you would have to take some form of training. We had things where if you didn’t take this training, your email would get shut down by the end of the day.” 

The key is making security part of the organisational culture rather than an annual obligation. When employees understand the real-world consequences of their actions and feel safe reporting mistakes, organisations can close security gaps before they become breaches. 


The Evolution of Phishing: Beyond Email

Phishing attacks have evolved far beyond the poorly-written email scams of the past. Modern attackers use AI to craft sophisticated, personalised attacks across multiple channels: 

  • SMS phishing targeting mobile users with fake toll notifications or urgent requests 
  • Voice phishing using AI-generated voices that sound convincingly human 
  • Business email compromise leveraging already-compromised accounts to target colleagues and partners 
  • Supply chain phishing, where attacks come from trusted business contacts whose systems have been breached 

Matthew Wylie, who provides Virtual CISO services for FoxTech clients, shared a recent example of how these sophisticated attacks succeed: “The reason it was successful was because one of their contacts had been compromised. The email came from a trusted source, someone they dealt with day to day. They didn’t know that their account was compromised.” 

Even with good training, click-through rates on phishing simulations typically run 4-5%. In an organisation of 500 people, that means 20-25 employees will likely click on any given phishing email that gets through filters. 

The MFA Misconception

Multi-factor authentication (MFA) is essential, but not all MFA methods provide equal protection against bypass techniques. Simple MFA methods like SMS codes or emailed passcodes can still be harvested by sophisticated phishing kits that immediately use captured credentials. 

The webinar emphasised investing in phishing-resistant MFA – hardware tokens, passkeys, or Windows Hello for Business – particularly for privileged accounts. As I explained during the discussion: “These are tightly coupled to the URL on which you log in. Even if you went to a malicious site, your hardware encryption key would not release the required credential to the phishing site because it’s on a different URL.” 

For organisations concerned about cost, hardware tokens can be as inexpensive as £5 per user – a minimal investment compared to the potential cost of a breach. 

Shadow AI: The New Frontier of Data Exposure

The rapid adoption of AI tools has created a new category of risk: shadow AI. Employees frustrated by organisational restrictions on AI tools often resort to copying sensitive information into personal ChatGPT accounts or other unauthorised platforms. 

“We saw when AI first came out, some companies just immediately put the doors down and said no, you cannot use it,” noted Wylie. “There wasn’t really an acknowledgement that these tools are really useful, but you need to understand the risks they bring.” 

The solution isn’t blanket prohibition but providing approved AI tools with proper data controls, such as Microsoft Copilot configured to use only organisational data, combined with technical controls like data loss prevention software to monitor for sensitive information leaving the organisation. 


What Happens After the Click

Understanding the attack progression helps organisations prepare better defences. After successful credential theft, attackers typically: 

  1. Sell access to other criminal organisations specialising in different attack types 
  2. Conduct reconnaissance to understand the victim’s business processes and high-value targets 
  3. Attempt lateral movement to compromise additional accounts and systems 
  4. Execute the payload – whether ransomware, financial fraud, or data theft 

This process can take months, during which the attacker quietly explores the environment. Organisations relying on standard Microsoft 365 logs (which retain data for only 30 days) often cannot investigate the full scope of a breach once discovered. 

Practical Steps You Can Take Today

The webinar panel offered three immediate actions every organisation should implement: 

  1. Conduct security archaeology – Find out what people are really doing versus what policies say they should do 
  2. Enable comprehensive logging – Ensure you can investigate incidents beyond standard 30-day retention periods 
  3. Plan for credential compromise – Develop procedures for what happens when (not if) user credentials are stolen 

Additional recommendations include abandoning forced 90-day password changes in favour of unique passwords per site, implementing phishing-resistant MFA for critical accounts, and establishing security working groups where employees can safely report concerns. 

Understanding Your External Risk Profile

One practical tool mentioned during the webinar is FoxTech’s free Cyber Risk service, which uses open-source intelligence to show organisations what attackers can see about their external digital footprint. Having analysed over 20,000 organisations, this service provides a benchmark for where your organisation stands relative to others in terms of external vulnerabilities. 


The Bottom Line

Cybersecurity is fundamentally a human problem that requires cultural solutions alongside technical controls. Even the most sophisticated firewall cannot protect against an employee who clicks a convincing phishing email or uploads sensitive data to an unauthorised AI tool. 

Organisations that acknowledge this reality and work to align security policies with how people actually work – rather than how they wish people would work – create more resilient defences against the threats that matter most. 

anthony.green
