Skip to content


  • Add this article to your LinkedIn page
  • Add this article to your Twitter feed
  • Add this article to your Facebook page
  • Email this article
  • View or print a PDF of this page
  • Share further
  • Add this article to your Pinterest board
  • Add this article to your Google page
  • Share this article on Reddit
  • Share this article on StumbleUpon
  • Bookmark this page

The myth of the impenetrable cyber defence

The recent WikiLeaks revelations from stolen CIA records, the NSA leaks orchestrated by Edward Snowden and the audacious Stuxnet operation all highlight that technology is only one facet of cyber vulnerability. Indeed, technology alone is not the answer to cyber security. The human element remains key.

Organisations best positioned to defend against cyber threats are those that successfully blend technical and social security measures. This socio-technical approach requires focusing on both organisational processes and staff, empowering employees through knowledge and experience and supporting them with appropriate technical systems. Getting this right is a difficult undertaking. However, once technical and personnel security controls are synchronised, organisations will be equipped to maximise the benefits of operating in cyberspace whilst ensuring they are able to respond effectively when a cyber incident occurs.

As the leader of an organisation, large or small, what must you do to prepare? Allow me to offer the following suggestions: 

  • Acknowledge the nature of the threat – The culture of an organisation is driven by its leadership. Leaders need to understand where and how data is used in their organisation, why it’s important and whose responsibility it is to safeguard the data (along with the systems and the applications). Understanding at the senior level is imperative to move cyber security from being seen as a technical problem to an organisational one. Too often, leaders believe cyber is just an IT problem; this is wrong. 

  • Develop detailed knowledge – Leaders must help all of the people in their organisation understand the threats. No single person is immune. Anyone on a system or network could be a threat regardless of their rank or role. Every user should know how the organisation’s own ‘business’ (eg the type of work it does, who its customers are, etc.) influences the threats they face and recognise the potential impacts of the actions they take. Equally, it’s vital to understand your own network; what constitutes normal activity is hard to define, let alone in real-time. Protective monitoring is an essential part of cyber security. 

  • Be realistic – No network or system is infallible and every organisation has a certain level of data dependence. Equally, no amount of safeguarding can protect all systems to the same level all of the time. Therefore, it’s imperative to prepare for the worst.  Reducing the inherent ‘attacker’s advantage’ by seeing things through their eyes and assessing vulnerabilities like they do, gives organisations a better chance of plugging gaps before they are exploited. The most successful breaches, as highlighted above, are not exclusively technical in nature: attackers tend to have a singular focus with a clear end result in mind and don’t care what or who they use to get there.  
Defending the UK from cyber attacks

UK Government: We are helping to protect the UK in cyberspace and deliver economic growth

Find out how

  • Practice your incident responses – Weekly fire alarm tests are a normal occurrence in the workplace. Yet practicing for a cyber event that could severely impact the organisation is rarely, if ever, done. No matter how good your protection, a breach could occur at any time. How well the organisation responds and recovers will determine the ultimate impact. Preparations must be made for a successful breach at any time and worst case scenarios need to be tested. For instance, knowing who to contact in the event of an incident is as vital as knowing to dial 999 for a medical emergency. 

  • Execute your response – Every situation will be different and slavish adherence to plans will lead to failure. However, an organisation whose leadership has taken the effort to plan and prepare will respond much more effectively and efficiently. Key here is how you communicate with stakeholders. 

How well is your organisation positioned? Can you answer the following four basic questions? 

  1. Do you know where and why you use digital data?
  2. Do you understand how and why your organisation is dependent on digital data?
  3. How are you protecting your organisation’s data?
  4. What happens if your organisation’s data is compromised? 

An honest appraisal using these questions as a starting point will help you plan for the day when the virtual fire alarm sounds but is not a drill. 

Cyber security is an arms race. Organisations must constantly be on guard and adapt as the threat evolves. A network will have multiple vulnerabilities but it also has multiple strengths in its users. Key to successful defence and response is acknowledging that a winning cyber security strategy extends beyond just the technical to include the human element. Understand that, and you’ll already be ahead of the curve.   


Contact the authors

Contact the defence and security team


By using this website, you accept the use of cookies. For more information on how to manage cookies, please read our privacy policy.