Back to basics: Cyber Hygiene in the Age of AI: Why the Basics Still Matter

Cyber-attacks aren’t a distant threat for businesses anymore – they’re a daily operational reality. It’s no longer a question of if they’ll happen, but when.

With the frequency and impact of attacks continuing to rise, the pressure to protect business-critical systems has never been more intense. 1 In fact, Canon research shows that half of ITDMs now say managing information security is their most time-consuming task – up from 44% in 2021. It’s clear that cybersecurity has become a top priority, and for good reason.

While technologies like AI can support your efforts, they’re not a silver bullet. The real strength lies in the basics: embedding strong, everyday security practices into your company culture.

With that in mind, here are four areas worth revisiting to reinforce cyber hygiene and reduce risk.

1: Mastering the basics

Strong cybersecurity starts with the fundamentals, yet these are often the hardest to master. New and emerging technologies, while promising, should complement – not replace – a strong cyber foundation.

Thanks to less centralised working models, access to data spans more devices and locations than ever. These more flexible, distributed working models have introduced new visibility challenges, including a surge in unregulated shadow IT.

This makes it harder for ITDMs to maintain full visibility over which services, servers, and business data are exposed. Research shows that 41% of employees already use unsanctioned tools, and that number is expected to rise to 75% by 2025, further complicating oversight and increasing risk. 2

These visibility gaps are exactly what attackers continue to exploit. While the volume and impact of cyberattacks are increasing, many still succeed by targeting well-known weaknesses such as unpatched systems, weak credentials, and human error.

That’s why it’s worth refocusing on the fundamentals. Addressing a few high-impact areas can significantly reduce risk and strengthen your organisation’s overall security posture. Three priorities stand out:

• Multi-factor authentication (MFA)

MFA is one of the simplest and most effective ways to block unauthorised access. Yet many employee and legacy accounts remain active without MFA enabled – often overlooked or unmanaged. Attackers often use techniques like password spraying to exploit these weak points and gain entry. This method, which involves checking if users are reusing passwords across systems, can help hackers identify vulnerable accounts. What may seem like a minor oversight can, in some cases, allow threat actors to gain access to an organisation’s entire corporate system.

• Regular and automated security updates

Unpatched systems are a common entry point for cyber attackers. Many high-profile breaches occur not through advanced techniques, but through outdated software that hasn’t been updated or secured. Automating updates and maintaining a clear inventory of assets and dependencies is essential to reducing exposure and ensuring consistency across environments.

• Employee behaviour and awareness

Human error remains one of the biggest cybersecurity risks, with a recent report finding that 60% of cyber-attacks last year involved a human element, such as clicking phishing links or misdirecting sensitive data. 3 Security awareness training should be continuous, role-specific, and supported by real-time simulations and clear reporting channels. This helps reduce risk and builds a culture of shared responsibility.

Focusing on these fundamentals helps businesses build a stronger foundation for more advanced defences.
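The MFA gap described above can be checked from an account export. The following is an added example, not part of the original article: it lists enabled accounts without MFA and puts the longest-idle ones first. The CSV column names, the sample rows and the 90-day staleness threshold are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real
# identity provider's schema.
SAMPLE_EXPORT = """username,enabled,mfa_enabled,last_login
a.jones,true,true,2025-05-28
svc-scanner,true,false,2023-11-02
b.smith,true,false,2025-05-30
old.contractor,true,false,2024-01-15
legacy.kiosk,true,false,
c.lee,false,false,2022-07-01
"""

STALE_AFTER_DAYS = 90  # assumed threshold for an "overlooked or unmanaged" account


def mfa_gaps(export_text, today):
    """Return enabled accounts without MFA, never-used and stalest first."""
    gaps = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot be used to sign in
        if row["mfa_enabled"].strip().lower() == "true":
            continue  # already protected by a second factor
        last = (row["last_login"] or "").strip()
        # A blank last_login means the account has never signed in.
        idle = (today - date.fromisoformat(last)).days if last else None
        gaps.append({
            "username": row["username"].strip(),
            "idle_days": idle,
            "stale": idle is None or idle > STALE_AFTER_DAYS,
        })
    # Never-used accounts sort first, then by days idle, descending.
    gaps.sort(key=lambda g: (g["idle_days"] is None, g["idle_days"] or 0),
              reverse=True)
    return gaps


if __name__ == "__main__":
    for gap in mfa_gaps(SAMPLE_EXPORT, date(2025, 6, 1)):
        action = "disable or review" if gap["stale"] else "enrol in MFA"
        idle = "never" if gap["idle_days"] is None else f'{gap["idle_days"]}d'
        print(f'{gap["username"]:<16} idle {idle:>6}  -> {action}')
```

Stale accounts are usually better disabled than enrolled, since nobody is watching them for suspicious sign-ins.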

2: Plan ahead and stay secure

To be truly prepared for a cyber-attack, businesses need more than just tools. They need a deep understanding of their environment and a well-rehearsed response plan.

• Start with your data.

Understanding your data estate is essential for identifying vulnerabilities and enabling fast recovery during an incident. This starts with regular audits that include:

  • Taking inventory of all data assets across on-premises, cloud, and hybrid environments
  • Classifying data by sensitivity and business impact to prioritise protection and recovery
  • Documenting data flows to identify exposure points and dependencies
  • Reviewing access controls and permissions to eliminate unnecessary risk
  • Validating backup and recovery processes to ensure they align with business continuity goals

• Assess the impact.

It’s not just about the data itself – it’s also about who that data affects. If a breach occurs, which teams, customers or partners will be impacted? Mapping these relationships in advance helps prioritise your response and reduce disruption.

• Control who has access.

Visibility into access rights is critical. Knowing who has access to what can help detect and contain threats before they escalate. A strong access management strategy, built on multi-factor authentication (MFA) and zero-trust principles, can significantly reduce risk. Centralised logins and integrated physical authentication checks can further strengthen control and accountability.

• Finally, rehearse your response.

Even with strong visibility and access controls in place, businesses need to be ready to act. One of the most effective ways to prepare is to run tabletop exercises with your senior leadership and IT teams. These simulations walk teams through a breach scenario, helping to identify gaps, clarify roles, and improve decision-making under pressure.

When an attack happens, the speed and clarity of your response can make all the difference.

3: Understanding the role of emerging technology

AI is quickly becoming a powerful tool in the hands of cybercriminals. Even relatively low-cost models can now generate convincing phishing emails and realistic voiceovers, making scams more believable and harder to detect.

As AI and automation become more accessible, their role in cyberattacks is expected to grow. In fact, 91% of cybersecurity experts anticipate this shift. 4 But even as the tools evolve, the same weaknesses are being exploited – and the same defences still work.

Taking a people-first approach remains the best defence against AI threats. 5 This includes training employees to recognise deepfakes and AI-generated phishing attempts, making it easy to report suspicious activity, and preparing teams to respond effectively to AI-enabled breaches.

4: Creating a culture of openness

In the event of a security breach, many people report feelings of shame. Businesses also worry about their reputations – fearing that the consequences of a data breach will negatively impact their standing amongst partners and customers.

This can inevitably lead to a culture of secrecy, where successful attacks are suffered, and dealt with, in the dark. But silence only benefits one group: the attackers.

Businesses need to foster a culture where transparency is encouraged. Adopting a zero-blame approach, where employees are rewarded for reporting issues early without fear of reprisal, helps organisations respond quickly to attacks and significantly improves the effectiveness of awareness programmes. 6

This culture of openness shouldn’t stop at internal reporting. When an organisation suffers an attack, sharing what happened and what was learned can help others strengthen their defences and reduce the risk of similar incidents.

Preparing for an attack, ensuring a response

Threat actors will find and exploit any vulnerabilities to gain access to an organisation’s systems – at any time, at any level. That’s why establishing the basics of cyber resilience is so important. Acting fast to patch issues can prevent attackers from accessing systems using known weak spots. Educating staff can reduce the likelihood of human error that could introduce malware into business systems. And an up-to-date access management strategy can help to identify suspicious activity before data is lost.

These are not complex security requirements. They are the basics. But in the age of AI and emerging technologies, it is important not to lose sight of the fact that fortifying security basics and ensuring good cyber hygiene can actually protect organisations from the majority of attacks.
