What a year 2025 has been: Rich in both cyber events and innovations alike. On the latter, not a week has passed without a mention of innovation in Artificial Intelligence (AI). I am excited about the innovative ways AI is going to be used to benefit our society; perhaps this is the 4th Industrial Revolution coming. The level of useful innovation in cyber security, despite some questionable claims by certain vendors, will increase in 2026 with new products and services.
To gain sufficient value from these innovations, however, we need to implement the basic controls well first. Whether we measure this against UK Cyber Essentials or CIS Critical Cyber Controls, the reality remains the same: cyber incidents are still mostly “enabled” by organisations neglecting these basics.
This reinforces my belief that the following first principle still stands:
In cyber security, basics matter.
The following is my personal list of five postulates in cyber security:
Know your business assets
We all know the phrase “One cannot protect what one does not know about”. The real issue is not “finding assets” but structural mis-governance enabled by unenforced processes, no authoritative inventory, and a culture that tolerates shadow IT.
CIOs know that asset management related to business technology is not an easy task to get right. IT and cyber vendors led us to believe that we just need to buy their platform and all problems will magically go away. Not in the slightest.
What many organisations should implement is a federated model where each team maintains its own configuration inventory, automatically maintained by system management tooling that allows for integrations and exports to a business-wide configuration management database (CMDB) platform. This ensures that the asset data is fresh and correct yet not invisible to CIOs. Crucially, only with this authoritative list can we effectively overlay vulnerability data and detect security misconfigurations across the entire estate.
Make your business visibly secure
In police training, they teach officers to spot burglar-inviting properties; this is also useful when scouting offices for physical intrusion exercises. The tell-tale signs comprise low fences, unlocked windows, weak door locks, no CCTV cameras, and a clear view into the property with high-value items visible.
The same applies to digital security: DNS settings that were sufficient 20 years ago, expired web server certificates, email servers not supporting transport encryption, insecure website cookies, and the list goes on.
When I deliver security advisories to organisations, the first test for me is external digital “drive-by reconnaissance”. From my experience, only about 1% of companies truly understand the importance of a secure perimeter and can correctly implement it.
Such weaknesses invite opportunistic cyber criminals to attack. No one wants to be an easy target, but many don’t know how to get off the ‘Easy Target’ list criminals maintain.
The external posture should be one of the metrics that IT/security reports to management. An example:
“All our external systems are configured to the ”State of the Art“ standards. We do not stand out as an easy target, and if we are targeted, this gives us a good first line of defence.”
Make the least privilege principle non-negotiable
Every year I read the annual Microsoft Digital Defense Report. The report is full of useful information for cyber defenders and business executives alike.
The report highlights the need to control privileged access to resources. If a person, computer, or computer code does not need higher privileges to perform its operations, then those privileges should be taken away. This seems like a logical conclusion. Yet, in assessments I have performed, organisations allow end-users to have local admin privileges on their computers (whether Windows or Mac). Similarly, IT personnel assign admin privileges for internal and cloud resources to their standard accounts. These mistakes cost companies dearly when attackers exploit these accounts, granting the attackers “keys to the kingdom”.
The remedy is simple, yet too hard for many to implement.
Test your incident response plans
The shout of “Fire, fire, fire” triggers an organised evacuation of buildings. The training exercises that organisations are legally required to perform greatly reduce the likelihood of loss of life.
Business leaders should consider similar exercises for IT and cyber attacks. Businesses that are obliged to implement strict regulations such as DORA or NIS2 are well aware of these requirements. That leaves the rest of the organisations to follow suit.
If you are a business executive reading this, run a “tabletop exercise” with an external facilitator in the next 90 days. Simulate a scenario – such as ransomware – to test how the executive team makes decisions under pressure.
Outsource responsibility, not accountability
Outsourcing, when implemented correctly, is a great way to improve quality and manage costs. It is well-known that executives should keep the accountability for the process quality and security operated by the outsourcer. This process starts at the Request for Proposal (RFP) stage where all requirements are collected, and continues during negotiations and the stand-up phase, establishing metrics and key performance indicator (KPI) reporting cycles.
Treat your outsourcing partner as if they were an internal team; they are responsible for delivering the service, but the executive team is accountable for ensuring the service is delivered according to the contract. Please note I am using the widely accepted terminology where ‘Accountability is assigned to exactly one individual who signs off on the work and approves the deliverable.’
