Cybersecurity Awareness Month
Why Fundamentals Still Matter More Than Ever
CYBERSECURITY
10/1/2025 · 2 min read
Every October tends to feel like a reminder that threat actors do not pause, and that organisations probably need to revisit the basics more often than they think. From a data protection standpoint, we keep seeing the same pattern in breach notifications: incidents rarely stem from exotic zero-days. They originate in predictable control failures that ISO 27001 has been attempting to solve for two decades. This year’s theme feels like an invitation to slow down and re-examine those fundamentals.
Human behaviour remains the dominant risk surface
It appears that staff training is still treated as a compliance checkbox rather than a behavioural control. Social engineering campaigns continue to succeed because users are conditioned to move quickly. A mature security culture probably requires more than annual e-learning. It depends on routine micro-interventions, scenario-based exercises, and a willingness to treat mistakes as learning opportunities instead of grounds for blame. From a GDPR perspective, this is also tied to accountability. Organisations should be able to demonstrate not merely that training exists but that it works.
Access governance is drifting again
From an ISO 27001 lens, access control is quietly becoming one of the more neglected domains. Over-privileged accounts accumulate, joiners–movers–leavers processes are inconsistently applied, and periodic access reviews tend to become rushed administrative tasks. When investigating incidents, weak IAM hygiene usually plays some part. Least privilege should not be an aspiration; it functions as a compensating control for almost every other failure. I am increasingly convinced that organisations need automated access workflows and auditable evidence trails if they want to keep regulators satisfied.
Shadow IT is growing through convenience, not malice
In practice, teams are adopting unsanctioned tools because official systems feel slow or cumbersome. From a compliance standpoint, this creates opaque data flows that break Article 30 records, undermine DPIAs, and fragment the organisation’s security perimeter. Hybrid work appears to have accelerated this trend. Addressing it requires a combination of better communication and more usable approved solutions. Policies alone rarely shift behaviour.
Incident response is improving, but not fast enough
Many organisations now have formal IR plans, though I still encounter uncertainty when I ask who owns which decision during a live incident. Regulators expect clarity around detection, escalation, containment, and notification timelines. ISO 27001 treats incident response as a cyclical capability, not a document. That means rehearsals, post-incident reviews, and lessons-learned integration into the ISMS. A plan that sits in a shared drive and gathers dust does not meet that bar.
Data minimisation is the forgotten security control
Security teams often focus on hardening what already exists, but from a GDPR lens, the most effective control is to stop collecting unnecessary personal data in the first place. Reduced data volume decreases breach impact, lowers compliance overhead, and simplifies technical safeguards. I have probably written more DPIA critiques this year pointing at unjustified retention periods than any other issue. Data minimisation sounds abstract until an organisation experiences a breach and realises how much information it never needed to keep.
October as a checkpoint, not a celebration
Cybersecurity Awareness Month should not be treated as a marketing exercise. It works better as a moment to reset expectations and acknowledge that security maturity is not static. Threats evolve, staff change, processes drift. A capable organisation probably embraces this as normal rather than a sign of failure. From both a Data Protection and Cybersecurity perspective, the goal is continuous improvement, not perfection.
If this year has highlighted anything, it is that organisations doing the “boring basics” consistently tend to avoid the headline-worthy incidents. Patch management, access governance, training, secure configuration, data minimisation – these are not glamorous topics. They are, however, the practices that keep businesses resilient when everything else goes wrong.
© 2025 Data Protection Training & Auditing Service Ltd. All rights reserved. Protecting your data, empowering your business.
