When Firewalls Fail — The Human Side of Cyber Risk
The Wake-Up Call That Came at 3:12 AM

A few years ago, I received a call no operations executive ever wants to get.
“Laksh, we’ve had a breach.”
That was it. Six words. But behind them were two thousand frozen screens, a ransomware note, and one innocent click from a colleague trying to download a “secure attachment” from what appeared to be a trusted vendor.
As much as we had trained staff and layered our tech stack with the latest SIEM tools and threat detection software, the reality hit hard: Cyber risk is not just an IT problem—it’s a business resilience problem.
Lesson 1: People Are the First—and Weakest—Firewall
We had invested millions in cybersecurity. And yet, our breach came not from some sophisticated zero-day exploit, but from someone clicking a phishing link sent during peak business hours.
It reminded me of the famous quote by Bruce Schneier:
“Amateurs hack systems, professionals hack people.”
We had overlooked something simple—our people were overwhelmed with alerts and compliance training fatigue. We needed engagement, not just education. So, we rolled out gamified phishing simulations, lunch-and-learns with real cyber stories, and even made password reset day a mini-office event.
Outcome? Click rates dropped. Awareness rose. People were no longer passive gatekeepers—they became active defenders.
Lesson 2: Not All Data Is Created Equal
Post-breach, we conducted a data prioritization audit. Turns out, we were “protecting” some files like nuclear codes… and leaving truly sensitive ones less guarded.
Here’s the thing about data: volume ≠ value.
So, we redesigned our controls around a data classification scheme of the kind recommended by NIST (impact-based categorization, as in FIPS 199) and ISO/IEC 27001 (its Annex A information classification control). Critical data was encrypted, monitored, and access-controlled. Non-sensitive material was moved to less critical environments—less complexity, less exposure.
Lesson 3: You Can’t Outsource Accountability
Many of us trust our vendors with our most sensitive data—from payroll processors to cloud providers. But cyber risk doesn’t vanish when you outsource it.
In fact, third-party vendors account for over 60% of data breaches, according to a Ponemon Institute study.
We learned this firsthand when one of our cloud vendors suffered a breach. They were compliant—but their subcontractor wasn’t.
We had to answer for it.
So, we built a Third-Party Cyber Risk Framework that went beyond just reviewing SOC reports. We conducted due diligence, required evidence of multi-factor authentication (MFA), and introduced breach notification SLAs.
Trust, but verify. Then verify again.
Lesson 4: Don’t Just React—Rehearse
Back to that 3:12 AM call.
One silver lining? We had rehearsed this exact scenario during our Business Continuity & Incident Response tabletop exercises.
Because of that, teams knew their roles. Legal drafted statements, PR was briefed, IT isolated servers, and clients were proactively informed before the headlines hit.
We discovered that what mattered most was not just how we recovered, but how transparently and swiftly we communicated.
Looking Ahead: Cyber Risk Is a Moving Target
The cyber threat landscape is evolving—AI-powered attacks, deepfakes, nation-state hackers. You can’t eliminate cyber risk, but you can build cyber resilience.
Resilience isn’t about having the best tech. It’s about:
- Creating a culture of awareness
- Investing in real-time detection and response
- Practicing recovery before you need it
- Embedding cyber strategy into boardroom conversations, not just IT updates
As regulators like NYDFS, OCC, and SEC tighten cybersecurity standards, leaders must rise beyond compliance checklists and build organizations that are agile, secure, and responsive.
About the Author
Laksh Vaswani is a global financial services executive, best-selling author, and recipient of the International Achievers Award. With over two decades of experience in regulatory transformation, risk governance, and operational resilience, he has helped institutions navigate complex cyber threats and regulatory expectations across North America, EMEA, and Asia. Laksh is a passionate mentor, speaker, and thought leader in financial innovation and risk management.