People make mistakes. We can train them, we can write policies and procedures, we can run phishing tests, … and we still won’t have wiped out all the person-induced cyber risk from our organisations, because eventually someone will do something they shouldn’t.
So how should we act when this happens? Accept that we can’t stop all attacks all the time, and brush it off as “one of those things”? Go zero-tolerance on cyber error and call it gross misconduct by default? Can we, for that matter, even have a set policy on how we deal with someone doing something wrong?