Cyber security mistakes
Executives are often well aware that cyber security matters, but in practice many still make recurring mistakes that significantly increase the organization's risk.
The following AI prompt generates a breakdown of the key mistakes executives tend to make. It explains why those mistakes matter and what actions can help remedy them.
Prompt
What cyber security mistakes do executives still make?
Try the prompt and see how the generated response differs. This post analyzes the October 2025 response below by comparing it to the author's real-life experience.
Response
This is the index of the generated response. The details of the original response are left out.
- Treating cyber security as 'just IT' or a compliance exercise
- Under‑investing in resiliency and assuming prevention is enough
- Overlooking the human element and poor organizational culture
- Neglecting third‑party / supply chain and data visibility risks
- Failing to take accountability and failing to act promptly after an incident
- Thinking 'we’re too small / we’ll never be targeted'
"Collectively we sleepwalked into a position of vulnerability and failed to learn lessons of embedding security into products right out of the gate."
– Malcolm Marshall, Global Head of Cyber Security at KPMG
Treating cyber security as 'just IT' or a compliance exercise
In reality, this one is very true. Phrases like “it’s just data” or “it’s just IT” are still commonly heard. Another frequent remark is “just make sure we pass the audit”. These expressions reveal a mindset where cyber security is either reduced to a technical concern or treated as a compliance checkbox.
As a result, the practical measures that truly reduce risk and enhance operational resilience are often underfunded. Because, after all, “it’s just data” and “it’s just IT”. Meanwhile compliance, often focused only on passing audits, tends to receive far more attention and resources.
Under‑investing in resiliency and assuming prevention is enough
In reality, this one is also very visible. Many organizations still focus on preventive controls like firewalls, access management and other defenses, but completely overlook resilience. Key capabilities like threat detection, incident response and recovery planning often get very little attention.
Prevention alone is no longer enough. Without a tested response and recovery strategy, evolving cyber threats and human error can lead to severe breach impacts.
Overlooking the human element and poor organizational culture
Reality shows that in recent years larger organizations have made some improvement, but many still operate under the false belief that employees inherently understand secure behavior or that small companies aren't targets. This leads to outdated or minimal training.
A common approach for a whole year is a mandatory slide deck with four follow-up questions and two phishing simulations.
Human error remains a top cause of breaches, from clicking malicious links to badly configured systems. Without a strong security culture and continuous awareness efforts, even the best technical defenses can be easily compromised.
Neglecting third‑party / supply chain and data visibility risks
In reality, managing third-party and supply chain risks is still often neglected. Organizations focus on securing internal systems, while external dependencies such as vendors, external libraries and cloud services receive less attention.
One weak link can break the chain
The data aspect of the supply chain gets some attention today, but it remains a major concern. There is a general lack of awareness of what data exists, where it is and who can access it.
You can’t secure what you can’t see
Failing to take accountability and failing to act promptly after an incident
In reality, these incidents are rarely visible to the public due to confidentiality. What does become apparent, however, is how the incident is communicated. It is often downplayed to avoid accountability.
Thinking 'we’re too small / we’ll never be targeted'
Size doesn’t equal safety.
In reality, smaller organizations are often more aware of their risks but lack the resources to properly defend against them. Larger organizations tend to invest more in cyber security, but this can create a false sense of security.
Cyber threats don’t discriminate by size.
Attackers often target smaller businesses because they’re seen as easier to compromise. They generally have a weaker defense but more valuable data.
Conclusion
The AI-generated response highlights several major cyber security concerns that align closely with the author's real-world experience.
While the original AI response captures the general issues accurately, the details provided in this post are more specific, offering a clearer picture of the current landscape.
Ironically, AI fails to mention itself as a potential risk, while AI is arguably one of the most significant cyber security threats facing organizations today.