For Cyber Awareness Month, I would like to briefly discuss two important areas that are critical to the success of any cybersecurity program.


Area #1: Get the basics right.

We hear it all the time: cyber threat actors are becoming more sophisticated, more targeted and more advanced. Yet 80% of breaches can be avoided if basic security hygiene is treated as a priority. I see many companies struggle with the basics, for example a lack of MFA to protect logins, poor privileged-access controls, or a lack of skills and training, to mention just a few. Companies must implement the basic security measures before considering huge investments in complex tools and technology.

Next time you review your security strategy, take time to identify how effectively you have implemented the foundational security controls.

Some good examples of basic security foundations are as follows:

  1. Identification of high-value assets and data
  2. Regular penetration testing
  3. Patch management
  4. Vulnerability management
  5. Training and awareness
  6. Multi-factor authentication


Area #2: Focus on people and cybersecurity awareness.

There is a saying in business that ‘culture eats strategy for breakfast’, and I absolutely believe this statement holds true for cybersecurity. Now more than ever, the importance of driving a strong security culture from board level downwards cannot be overstated. In my experience, most global cyberattacks boil down to a lack of security awareness or to human error.

My advice? Take the time to establish a robust cybersecurity training program and remember that different job functions require different levels of training. For example, C-level stakeholders will require a different level of security training compared to a software engineering team. The training content needs to be relevant to the job role.


Also remember that developing a strong security culture doesn’t happen overnight. It is a continuous exercise that requires focus, investment and commitment. If we dig deeper into the topic of people and culture, we see that human psychology and behaviour also play a major role in creating a cyber-resilient culture.

According to the cognitive bias known as the Dunning-Kruger effect (see my diagram below), people with limited knowledge in a given intellectual or social domain greatly overestimate their own knowledge or competence in that domain. In short, we think we are much better at certain things than we really are!

Now let’s apply this theory to the world of cybersecurity, where many individuals feel they will never be scammed by a phishing email. But once they do get scammed, they realise how little they knew. Over time, we adapt, evolve and come out stronger, with the knowledge that we will be better prepared next time.

But changing mindsets and culture is vital to avoiding complacency and recognising the true nature of security threats.