The Security Illusion — Why Tools Won’t Save You

Written by Thomas Jreige | Apr 28, 2025 2:13:28 AM

The Great Cybersecurity Deception

For decades, organisations have been fed the same cybersecurity doctrine:

  • Install antivirus software
  • Patch your systems
  • Deploy a SIEM for visibility
  • Security awareness training
  • Phishing training

This checklist-driven approach has become the gold standard. But if these measures truly worked, why are breaches still skyrocketing?

The problem isn’t just technical — it’s cognitive. Companies don’t fail at cybersecurity because they lack tools; they fail because they don’t take security seriously, thinking the tools they have been sold are a magic bullet, helped along by the suave talk from the salesperson.

The illusion that buying security solutions equals being secure has led to widespread complacency, and real-world incidents prove that a lack of security mindset, not technology, is the biggest risk.

The FIIG Securities Breach: A Case Study in Security Neglect

A perfect example of this cognitive failure is FIIG Securities, an Australian financial services firm now facing legal action from ASIC for systemic and prolonged cybersecurity failures.

The Hard Facts:

📌 Breach Duration: March 2019 — June 2023
📌 Data Stolen: 385GB of confidential information
📌 Number of Clients Affected: 18,000
📌 Critical Lapses Identified:

  • No properly configured or monitored firewalls
  • No cybersecurity awareness training for staff
  • No proactive security monitoring
  • Poor incident response time (a hacker was inside for weeks before detection)

The concerning part of this list is that an organisation like FIIG was exposed for that long, nearly 5 years, with these absolutely basic items either not in place or configured inappropriately. Just to add to the scenario, the average price for 1 breached record on the Internet and Dark Web can be up to $200 USD. With 18,000 clients affected and each one containing multiple records, you do the math. A very costly exercise. The threat actors see the value of this information very differently from the organisation.

The Cognitive Failure

FIIG’s failure wasn’t due to a lack of available security solutions.

  • Firewalls exist.
  • Patching processes exist.
  • Security awareness training exists.

Yet they ignored all of these, or these things were overlooked. But by whom?

This raises a critical question: If security solutions are widely available, why do companies still fail at security?

The answer lies in human behaviour and psychology, not technology. There have been some alarming statistics that say that humans are about 85% of the problem. This is very incorrect. They are 100% of the problem. Humans design bad processes, and that translates into weak technology. Not the other way around.

The Real Cybersecurity Problem: Human Bias and Behavioural Failure

Security isn’t about having tools — it’s about using them effectively. But cognitive biases and behavioural resistance prevent organisations from doing so.

Cognitive Biases at Play:

  • Optimism Bias: “A breach won’t happen to us.” Many executives underestimate their risk until it’s too late.
  • Normalcy Bias: “We’ve always done things this way.” Security measures remain outdated because change is seen as unnecessary.
  • Decision Fatigue: Security is often complex, so decision-makers delay investments, creating risk.
  • Compliance Fallacy: Many organisations implement security measures just to pass audits — not to improve real security.
  • IT Bias: “Our IT company is great, and they told us this was best.” For a company as complex as FIIG, surely you are not letting anyone check their own homework.

Real-World Examples of Security Neglect

These biases have led to some of the biggest security failures:

📌 Uber (2022) — MFA Fatigue Attack

  • What happened? An attacker spammed an employee with Multi-Factor Authentication (MFA) requests until they gave up and approved one.
  • Why? Uber had security measures in place, but the employee wasn’t trained to resist psychological manipulation.
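The MFA fatigue pattern above is also detectable on the defender's side: a burst of push prompts to one account in a short window, followed by an approval, looks nothing like a normal login. The following is an added example (not code from the original post, and not Uber's tooling). It assumes a constructed JSON-lines log format with fields `ts`, `user`, `event` (`mfa_push_sent`, `mfa_push_denied`, `mfa_push_approved`) and `src_ip`; the `WINDOW` and `THRESHOLD` values are illustrative tuning choices, not vendor defaults. Real identity providers use their own schemas, so their fields would need to be mapped onto these before reuse.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): "alice" receives a burst of push
# prompts and finally approves one; "bob" is a single ordinary login.
SAMPLE_LOG = """
{"ts": "2025-04-28T03:00:00", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-28T03:00:20", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2025-04-28T03:00:40", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-28T03:01:00", "user": "bob", "event": "mfa_push_sent", "src_ip": "198.51.100.5"}
{"ts": "2025-04-28T03:01:10", "user": "bob", "event": "mfa_push_approved", "src_ip": "198.51.100.5"}
{"ts": "2025-04-28T03:01:20", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-28T03:02:00", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-28T03:02:40", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-28T03:03:20", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2025-04-28T03:04:30", "user": "alice", "event": "mfa_push_approved", "src_ip": "203.0.113.7"}
"""

WINDOW = timedelta(minutes=10)  # assumed tuning value: sliding window length
THRESHOLD = 5                   # assumed tuning value: pushes in WINDOW = burst


def parse_events(text):
    """Parse JSON-lines log text into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for users who received >= threshold push prompts
    inside a sliding window. 'approved_after_burst' is set when the user
    approves a push while the burst is still inside the window, which is the
    outcome the incident above describes and the highest-priority case."""
    recent = defaultdict(deque)  # user -> (ts, src_ip) of pushes inside window
    alerts = {}
    for ev in events:
        user, q = ev["user"], recent[ev["user"]]
        while q and ev["ts"] - q[0][0] > window:  # expire pushes outside window
            q.popleft()
        if ev["event"] == "mfa_push_sent":
            q.append((ev["ts"], ev["src_ip"]))
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "pushes": 0, "approved_after_burst": False, "sources": set()})
                alert["pushes"] = max(alert["pushes"], len(q))
                alert["sources"].update(ip for _, ip in q)
        elif ev["event"] == "mfa_push_approved" and len(q) >= threshold:
            # An alert entry always exists once the queue reached the threshold.
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_fatigue(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {alert['pushes']} pushes from {sorted(alert['sources'])}, "
              f"approved during burst: {alert['approved_after_burst']}")
```

Run on the sample, only `alice` is flagged: six prompts from one source inside the window and an approval while the burst is still live. Detection of this kind is a backstop for the training the bullet describes, not a substitute for it; the session that results from the approval should be treated as suspect until verified out of band.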

📌 Twitter (2020) — Social Engineering Takeover

  • What happened? Attackers tricked Twitter employees into handing over access.
  • Why? They didn’t hack Twitter’s systems — they hacked human trust.

📌 Deepfake CEO Fraud (2021)

  • What happened? AI-generated deepfake audio convinced an executive to transfer $250,000.
  • Why? Because humans trust what they see and hear, even when it’s manipulated.

The Over-Reliance on Tools: Why Antivirus, Patching, and SIEM Won’t Save You

Companies are obsessed with tools because they provide an illusion of safety. But tools don’t solve the underlying problem — security culture and behaviour. And this is not solved just with the current cliché of security awareness training and phishing testing. There is a wider issue.

The Checklist Mentality vs. Reality

Many organisations still rely on outdated security advice, believing that having antivirus, patching systems, and deploying a SIEM will keep them safe. However, antivirus solutions are largely ineffective against modern threats like zero-day exploits and social engineering attacks, which bypass traditional detection methods. Patching systems, while essential, is only effective if done correctly and in a timely manner — yet many companies either delay updates or fail to test them properly, leaving vulnerabilities open for exploitation. SIEMs, often seen as a silver bullet, generate an overwhelming number of alerts, but without the right expertise to interpret and respond to them, they become little more than expensive noise. Security isn’t about simply having these tools — it’s about understanding how to use them effectively and integrating them into a proactive security strategy. And a large number of the IT service providers we speak with do say they are overworked and without bandwidth.

None of these will protect an organisation if the people behind them are disengaged and/or overworked without the bandwidth to adequately manage these tools.

What Actually Works: Shifting to a Security-First Mindset

Organisations that truly secure themselves don’t just buy tools — they think differently about security.

1. Psychological Resilience Over Technical Controls

  • Train staff to recognise deception tactics (not just avoid bad links).
  • Implement live social engineering attack simulations.
  • Reward employees for reporting suspicious activity.

2. Assume Your Employees Will Fail (And Build for That)

  • Instead of hoping employees won’t click on phishing links, implement damage limitation strategies.
  • Assume every credential will eventually be stolen and build defensive layers around that assumption.

3. Treat Security as a Business Survival Issue

  • Executives must own security, not just delegate it to IT. Executives and business owners are the information and risk owners.
  • Security should be measured by resilience, not compliance checklists.
  • Invest in cyber crisis simulations to prepare for real-world attacks.

Final Thought: The Future of Cybersecurity is Human, Not Just Technical

Organisations don’t fail because they lack antivirus, patching, or SIEMs. They fail because:

❌ They overestimate their security posture.

❌ They don’t take cybersecurity seriously until an incident happens.

❌ They fail to prioritise security culture over security products.

The Call to Action: Are You Buying Security or Building It?

Ask yourself:

✅ Are my employees trained to recognise deception?
✅ Do my executives prioritise security as a business issue?
✅ Would my organisation respond effectively to a breach tomorrow?

If the answer is no to any of these, then no amount of security tools will save you.

How Shimazaki Sentinel Can Help

At Shimazaki Sentinel, we don’t sell the illusion of security — we build real resilience.

  • Real Threat & Risk Assessments — Emulation of the real adversaries or threat actors against your governance, personnel, physical security and technology in the organisation.
  • Cognitive Threat Intelligence training — Learn how attackers manipulate perception and behaviour.
  • Security leadership coaching — Because security starts at the top. You don’t need to attend a 2 day workshop and become a security expert. You need to be an expert in protecting your organisation.
  • Practical, real-world security strategies — No fluff, no vendor lock-in, just smart security thinking.

Let’s move beyond security theatre and start securing your business for real.

References

Australian Securities and Investments Commission (ASIC), 2025. ASIC sues FIIG Securities for systemic and prolonged cybersecurity failures. [online] Available at: https://asic.gov.au/about-asic/news-centre/find-a-media-release/2025-releases/25-035mr-asic-sues-fiig-securities-for-systemic-and-prolonged-cybersecurity-failures/ [Accessed 13 March 2025].