How to lower your organisation's risk of being hacked
Executive overview
Data breaches are routine. The question is whether your personal habits and organisational processes reduce the blast radius when they happen.
Most defences fail not because users are careless but because policies, configurations, and response plans are never stress-tested before a crisis hits.
Weak processes — not weak users — are the real attack surface.
Personal security fundamentals
- Enable multi-factor authentication (MFA) first — it stops attackers even when they already have your password.
- Use passphrases over passwords: a passphrase of four to six random words is exponentially harder to crack than an eight-character string.
- Use a password manager to generate a unique password per site; your phone's built-in manager is fine.
- Never reuse passwords — breaches at one site (LinkedIn, Adobe, MyFitnessPal) hand attackers credentials that work elsewhere.
- Freeze your credit at Equifax, TransUnion, and Experian — it's free, instant to lift when needed, and blocks new accounts being opened in your name.
- Go directly to the credit agency websites; never pay a third party to do this for you.
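An added example (not from the original article) that puts numbers on the passphrase claim above: it computes guessing entropy for random-word passphrases versus random-character passwords and an expected offline crack time. It assumes a 7776-word (Diceware-sized) list, the 95 printable ASCII characters, and a constructed guess rate of 1e10 guesses per second.

```python
# Added example, not code from the original article: guessing entropy of
# random-word passphrases vs random-character passwords.
# Assumptions: a 7776-word list (the standard Diceware list size), the 95
# printable US-ASCII characters, and a constructed offline guess rate of
# 1e10 guesses per second for the time estimate.
import math

DICEWARE_WORDS = 7776          # 6^5 entries in the standard Diceware list
PRINTABLE_ASCII = 95           # printable US-ASCII characters
LOWERCASE = 26                 # a-z only, for a weak-password baseline


def passphrase_bits(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of `words` words drawn uniformly at random from the list."""
    return words * math.log2(wordlist_size)


def password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy in bits of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the secret: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / guesses_per_second


def compare() -> dict:
    """Return (rounded bits, expected crack seconds) for each option."""
    options = {
        "8 random lowercase letters": password_bits(8, LOWERCASE),
        "8 random printable characters": password_bits(8),
        "4 random Diceware words": passphrase_bits(4),
        "5 random Diceware words": passphrase_bits(5),
        "6 random Diceware words": passphrase_bits(6),
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits))
            for name, bits in options.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        years = secs / (86400 * 365)
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

Under these assumptions four words roughly match eight fully random printable characters, while five or six words pull clearly ahead; against typical human-chosen eight-character passwords, which are far from uniformly random, the gap is much larger.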
What attackers actually do
- Ethical hackers begin by harvesting employee names from LinkedIn, then cross-reference data brokers for home addresses, phone numbers, email history, and passwords from old breaches.
- Public social media reveals badge designs, dress codes, and office layouts useful for physical entry.
- C-suite accounts are targeted first: executive inboxes hold financial data, employee records, and information that can damage reputation if leaked.
- Shared or default passwords (e.g., company name + "123") are guessed in seconds; executives with unchecked authority often have the worst hygiene.
- All of this data is free or near-free — breaches from 2008 still yield working credentials today.
Organisational response planning
- Run incident response tabletop exercises at least annually; quarterly is better.
- Participants should include C-suite, IT, HR, legal, public relations, and marketing — not just technical staff.
- A hospital exercise revealed that shutting down the network to contain ransomware would simultaneously unlock every door and disable every camera — a gap no one had noticed.
- Know in advance which regulatory bodies must be notified and within what timeframe, and whether you have a direct FBI contact or only a generic number.
- CISA (cisa.gov) publishes free tabletop exercise slide decks — a viable starting point for organisations that have never run one.
- Review cyber risk insurance terms before an incident; insurers increasingly check whether basic protections were in place before paying out.
Backups and recovery
- Define your recovery time objective (how quickly you must be able to restore) and recovery point objective (how much recent data you can afford to lose) before an incident, not during one.
- Ransomware actors actively target and delete backups to force payment — paying does not guarantee recovery and signals that you will pay again.
- Keep backup copies off-site or in a separate cloud region; a backup server sitting in a break room is not a backup strategy.
- Cloud options (OneDrive, SharePoint, AWS) provide geographic separation without large capital cost.
AI and organisational policy
- Employees are already using AI tools whether a policy exists or not — assuming otherwise leads to data being pasted into consumer tools on personal devices.
- Samsung engineers uploaded proprietary source code to ChatGPT before an enterprise policy existed; the risk is real.
- Work with cybersecurity and policy teams to build an explicit AI-use policy that enables approved tools rather than just prohibiting unapproved ones.
- Enterprise versions of ChatGPT and Microsoft Copilot allow organisations to apply their own data-governance rules.
Rethinking the weakest-link assumption
- The security industry has long blamed users for breaches — clicking phishing links, reusing passwords.
- The more accurate diagnosis: default system configurations are rarely hardened before deployment, awareness training is too boring to change behaviour, and IT teams are not sent to security conferences.
- Cameras and printers deployed with default passwords, legacy software running for 10–15 years, and rote annual click-through training are organisational failures, not user failures.
- Improving security culture and making training engaging will outperform blaming individuals.