A Developer’s Perspective on Staying Secure



When people hear “cybersecurity,” their minds often jump straight to firewalls, encryption, or Hollywood-style hackers in dark hoodies. But according to Stewart, one of our Senior Developers at HutSix, the most common vulnerability isn’t found in code or servers—it’s found in people.
This April, we’re revisiting cybersecurity with a fresh focus on the human side. We sat down with Stewart to hear his thoughts on the evolving risks we all face, the importance of culture, and how to strike that delicate balance between strong security and good user experience. His insights are equal parts practical and personal, and they’ll leave you thinking twice the next time you’re asked for your mother’s maiden name.
From your experience, what’s the most common security mistake people make—both in organisations and as individuals?
Falling for scams or targeted phishing attacks. It can be hard to break into a well-configured system, but easy to manipulate a person through social engineering to give you the ‘keys to the castle.’
How do you and the team at HutSix build secure systems without sacrificing user experience?
It is a delicate balancing act between security and user experience, one where the sensitivity of stored data and client requirements come into play. If you’re working with low-literacy users, you can’t insist on ultra-secure passwords, as these people simply won’t use the system. This can be balanced by reducing what those users can access, mitigating the risk to a degree. Where possible, we implement single sign-on (SSO) - this is where you are authenticated with your company’s Microsoft or Google account, for example. In this way, the system is not managing ‘another’ password, and access for employees leaving your organisation can be managed centrally.
Can you share an example of a real-world security issue you’ve encountered in a project, and how you handled it?
Many years ago, I was asked to take over the development of a legacy (read: ‘old’) payment system. This app handled online credit card payments; however, it did so in a non-PCI-compliant manner. Seeing as I like sleeping at night, I quickly set about refactoring the system to ensure credit card data was handled correctly. This was an involved process that required coordination with other parts of the organisation and had costs involved, but was ultimately the right move.
In your view, what’s the biggest cybersecurity threat businesses face right now—and what should they be doing about it?
Your people. Are your employees trained enough to discern a phishing email? Could your staff be fooled into inadvertently handing over sensitive information over the phone? Systems can be hardened as much as possible, but it takes only one person (disgruntled or otherwise) to compromise it all. Train your staff to identify dodgy emails and send simulations regularly to test their skills.
What’s something non-technical people should know about cybersecurity that would genuinely make a difference in how they work or behave online?
Take better care when it comes to passwords - don’t reuse them and don’t write them down. Instead, use a password manager like 1Password or LastPass to generate and store strong passwords. These tools can be used on your computer or device, so you only have to remember the password for the password manager itself. They also have browser extensions that can automatically fill in passwords for you, saving time. If given the option, activate multi-factor authentication (MFA), which will use your phone as a secondary measure to verify your identity.
Are there any day-to-day habits or tools you personally use to stay secure online?
Outdated software can often have vulnerabilities, so I keep all my tech up to date with the latest updates. I use 1Password to manage logins for the various systems I look after, but I can also store all sorts of things that need to be securely stored. Lastly, I have registered my email addresses with ‘Have I Been Pwned’, a free service that notifies you when your email has been discovered in a data breach. If I get notified about a breach, I change the affected password as soon as possible.
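Have I Been Pwned also lets you check a password against its breach corpus without ever sending the password, which is worth seeing because it is the same privacy-preserving idea that makes a breach-notification service safe to rely on. The added example below (not Stewart’s or HutSix’s code) implements the k-anonymity range lookup used by the Pwned Passwords API: hash the password with SHA-1, send only the first five hex characters, and match the remaining 35 locally against the returned list. The response text here is constructed for offline use; only the well-known SHA-1 of “password” is real, and the counts beside each suffix are made up.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response (real format: "<35-hex suffix>:<count>" per line).
# The first suffix is the genuine SHA-1 remainder for "password"; counts are invented.
SAMPLE_RANGE_RESPONSE = """003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
7A0B5D6DC4F9A1F2C3E4B5A6978899AABBC:12
"""


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: 5 chars sent, 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping blank or malformed lines."""
    result: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if len(suffix) == 35 and count.isdigit():
            result[suffix.upper()] = int(count)
    return result


def pwned_count(password: str, range_response: str) -> int:
    """How many times the password appears in the supplied range response (0 if absent)."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_response).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network helper (not called offline): fetch the range for a 5-char hex prefix."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = split_for_range_query("password")
    print("only this leaves the machine:", prefix)
    print("seen in breaches:", pwned_count("password", SAMPLE_RANGE_RESPONSE))
```

The property to notice is that the server learns nothing beyond a five-character prefix shared by hundreds of hashes, so the check can be run at signup or password-change time without creating a new place where plaintext passwords are handled.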
What role does culture play in keeping an organisation secure? Is it all about the tech, or is there more to it?
Australians are known for their laid-back culture - you’ll often hear, “She’ll be right.” But when it comes to security, “Actually, she won’t be right.” We are all increasingly becoming the targets of data breaches, and with companies increasingly asking for large swathes of personal information, many are becoming victims of identity theft. Personally, I think twice before handing over my personal information. I ask myself, “Why do you need to know this?” or “What is the minimum I need to hand over?”
With AI and automation becoming more common, how is cybersecurity changing—and what should we be watching out for?
AI can be an amazing tool, but we don’t yet know the full extent of the security issues it may cause. Deepfakes, voice simulators, and photo generation are all tools that can be used to manipulate people, spread disinformation, or project a false sense of legitimacy. Tools like ChatGPT can be used to write perfect English with no spelling or grammar mistakes - normally a dead giveaway when discerning the legitimacy of an email, for example. Laws are, unfortunately, woefully inadequate, and common sense is not always common. So, until the law catches up, everyone needs to be more skeptical and question everything.
Stewart wanted to leave you with this final image—a light-hearted tribute to organisations operating with the classic mindset: “The security budget’s gone, but confidence remains high.”

