
THE WEAKEST LINK

  • Writer: Keshni Naidoo
  • Oct 14

Updated: Oct 20


By Keshni Naidoo

Executive Consultant


I recently worked with one of South Africa’s largest organisations to shape cybersecurity awareness. Here is my biggest takeaway: technology can’t fix what behaviour breaks.

 

October is Cybersecurity Awareness Month, and as usual, there’s plenty of noise about the many digital threats we all face daily.

 

The quiet truth, however, is that organisations often view cybersecurity through the wrong lens. They focus on firewalls, encryption, and network defence which, while essential, often crowd out what matters most: the person behind the keyboard.


Human error and lapses in judgement are where the real risk lives. Because despite an avalanche of awareness messaging and training initiatives, people still reuse passwords. They delay software updates. They ignore multi-factor prompts. They click on links that look harmless. And – perhaps most alarmingly – they stay silent after mistakes because they fear blame.





My work in this space has taught me this isn't carelessness – it's security fatigue. People are drowning in emails, juggling multiple systems, and having to manage constant change. Often, their brains simply take shortcuts, and cognitive overload wins.


The cost of cyber lapses is staggering: globally, cybercrime is projected to cost organisations US$10.5 trillion by the end of 2025. Even major, well-defended institutions where cybersecurity is a top priority are not immune. Because the best system is only as robust as its weakest link.


When you trace most breaches back to their source, it’s rarely a lack of technology that’s to blame. It’s human behaviour. Behaviour that is, more often than not, driven by fear.


I've seen teams paralysed by the pressure to "get it right." They know the rules, but not the right response once something goes wrong. When organisational culture treats security breaches as grounds for punishment rather than learning, that pressure intensifies. So they hesitate. They hide. They hope someone else will notice first – anything to avoid being the person who ‘caused the breach’.





So what should organisations be paying the most attention to? The most cyber-resilient organisations do three things differently:


They destigmatise vulnerability. Mistakes aren’t moral failings – they’re learning moments. When people feel safe to report a misstep, incidents are caught early.

They ritualise vigilance. Simple, consistent habits – like hovering before clicking or double-checking sender details – become second nature.

They reinforce shared responsibility. Security isn’t IT’s problem; it’s everyone’s discipline. Each person becomes part of the defence.

 

When this happens, cybersecurity stops being a policy and starts becoming a pattern of behaviour. People speak up faster. Colleagues look out for one another. Leaders model calm accountability instead of blame.


The result is a culture of vigilance – the real defence against even the most determined threat.

 

Keshni Naidoo is an Executive Consultant with extensive expertise in culture and change, helping organisations shape the behaviours that drive performance.






 
 