
Why ‘Accept All Cookies’ Is a Bigger Risk Than You Think (AI & Data Privacy Explained)

AI,  GRC,  Uncategorized

Beatrice didn’t even pause. The pop-up appeared at the bottom of the screen: “We use cookies to improve your experience.” Two options.

Accept All
Manage Preferences

She clicked Accept All without thinking and continued scrolling. It was quick. Easy. Harmless… or so it seemed.

A few days later, something felt different. The ads she saw were unusually specific. The content recommendations felt almost too accurate. Even the products suggested matched things she had only thought about briefly. It was as if the internet was watching her. In a way, it was.

The Click That Feels Too Small to Matter

Most people think cybersecurity risks come from big actions: But sometimes, the risk begins with something much smaller. Something we barely notice. Like clicking “Accept All Cookies.”

What Cookies Actually Do (Simple Explanation)

Cookies are small pieces of data stored on your device when you visit a website. They help websites remember things like: On their own, cookies are not always harmful. But when combined and shared across platforms, they begin to tell a story. Your story.

What “Accept All” Really Means

When Beatrice clicked “Accept All,” she didn’t just accept one thing. She gave permission for: And most importantly… She allowed this data to be used in ways she didn’t fully understand.

Where AI Comes In

This is where things become more complex. Cookies don’t just store data. They feed AI systems. AI uses this data to: Over time, these systems begin to understand patterns: And slowly, a digital version of you is created. Not who you are. But who the system thinks you are.

The Hidden Risk

Beatrice never saw this happening. There was no alert. No warning. Just a better “user experience.” But behind the scenes: The risk isn’t just that data is collected. It is that control is quietly given away.

What Most People Don’t Realise

When people click “Accept All,” they assume: It is just for this website. But in reality, the data can travel. It can be: This creates a much bigger picture than most people expect.

Where Data Privacy Comes In

This is why data protection laws like the General Data Protection Regulation (GDPR) exist. They are designed to ensure that: In theory, Beatrice had a choice. She could have: But like many people, she chose convenience.

A Familiar Pattern

Beatrice’s story is not unusual. It happens every day. A small decision. A quick click. A moment of convenience. And over time, those small actions build something much bigger.

On A Final Note…

Clicking “Accept All Cookies” doesn’t feel like a cybersecurity decision. But in today’s world, it is. Because data is no longer just information. It’s influence. It’s prediction. It’s power. And understanding how it’s used is one of the most important steps in protecting yourself.

If you’re starting your journey in cybersecurity, remember this:

Not all risks look dangerous
Some look like convenience

April 25, 2026 / 0 Comments

What Happens to Your Data When AI Uses It? (GDPR Explained for Beginners)

AI,  GRC,  Risk management,  What happens after you click a phishing link in the age of AI

Beatrice didn’t think much about it at first. She signed up for a new app. It promised convenience. Personalised recommendations. Smarter features powered by AI. She clicked “Accept All Cookies” and moved on.

A few days later, something felt… strange. The app seemed to know too much. It suggested things she had only searched once. It recommended content that felt unusually personal. And then it hit her. How much of her data was this system actually using?

The Invisible Exchange

Most digital services today run on data. When you: You are often sharing personal information. This may include: AI systems use this data to: But here’s the important question: Do you really know how your data is being used?

This Is Where GDPR Comes In

The General Data Protection Regulation (GDPR) was created to protect people like Beatrice. It gives individuals more control over their personal data. In simple terms, GDPR says:

Your Rights (Explained Simply)

Under GDPR, Beatrice has rights even if she does not always realise it. She has the right to: These rights are especially important in the age of AI.

The AI Problem: It is Not Always Transparent

AI systems don’t just store data. They learn from it. They analyse patterns. Predict behaviour. Make decisions. But here’s the challenge: So even if Beatrice agreed to share her data… She may not fully understand what happens next.

When Privacy Meets Automation

Imagine this: An AI system uses Beatrice’s data to: But she doesn’t know: This creates a gap between:

what users expect
and what actually happens

Why This Matters for Cybersecurity and GRC

Data privacy is not just about protecting information. It’s about: In cybersecurity and GRC, this means: Because when data is misused… the impact is not just technical, it is personal.

The Real Lesson

Beatrice didn’t realise she had a choice. She clicked “accept” and moved on. But in today’s world, data is one of the most valuable things we have. And understanding how it is used is no longer optional.

On a Final note…

AI is powerful because of data. But with that power comes responsibility. That is why GDPR exists. Not to stop innovation… But to make sure that as technology evolves, people don’t lose control of their own information.

If you’re starting your journey in cybersecurity, this is something worth remembering:

It is not just about securing systems
It is about protecting people

April 23, 2026 / 0 Comments

How I Built a Policy Compliance Framework for an Aviation Company (Step-by-Step)

AI,  GRC,  Risk management

Most organizations have policies. Very few actually enforce them. That gap between writing policies and actually making sure they are followed is where risk lives. And that’s exactly the problem I set out to solve by building a Policy Compliance Framework for Gobuy Aviation.

This wasn’t just an academic exercise. I approached it like a real-world GRC project, focusing on structure, accountability, and continuous monitoring. Let me walk you through how I built it.

The Problem: Policies Without Enforcement

Gobuy Aviation, like many organizations, lacked a structured and enforceable compliance framework. That means: So the goal was simple: Build a framework that ensures policies are not just written, but actively enforced

The Objective

The framework was designed to:

Step 1: Define the Scope

Before building anything, I clearly defined what the framework would cover. It applies to: This ensures the framework is not limited to IT alone, but covers the entire organization.

Step 2: Develop Core Policies

A total of 10 policies were developed to support the framework: These policies form the foundation of the compliance structure.

Step 3: Align Policies with ISO 27002

To ensure the framework follows global best practices, each policy was mapped to ISO 27002 control themes: This alignment ensures the framework is structured, standardized, and audit-ready.

Step 4: Build the Compliance Framework (The Core)

This is where the real work happens. Each policy is tied to: Here is a simplified example:

| Policy | Activity | Owner | Frequency | Evidence |
| --- | --- | --- | --- | --- |
| IAM Policy | User access review | IAM Specialist | Monthly | Access reports |
| Incident Management | Incident monitoring | Security Team | Daily | Incident logs |
| Data Protection | Data compliance review | Compliance Officer | Quarterly | Audit records |

This structure ensures:

Step 5: Introduce AI Governance (A Key Differentiator)

One of the most important additions was the Artificial Intelligence Policy. AI introduces new risks: Instead of treating AI like a normal policy, I built a dedicated compliance framework for it, including: This aligns with emerging AI governance practices and positions the framework for future risks.

Step 6: Establish Policy Governance

Each policy includes a document control structure, defining: This ensures: Without this, policies quickly become outdated and ineffective.

Step 7: Define Monitoring vs Review

One critical distinction in the framework is: This ensures policies stay relevant while compliance is continuously tracked.

Step 8: Provide Implementation Recommendations

To make the framework practical, I included key recommendations:

What Makes This Framework Effective

This framework works because it:

On A Final Note

Building a Policy Compliance Framework is not about writing documents. It’s about creating a system where: If organizations get this right, they don’t just improve compliance. They build resilience.

If you are getting into GRC, this is the mindset you need: Don’t just ask, Do we have policies? Ask, Are we actually following them? That is where the real work begins.

Here is the link to my Policy Compliance framework: https://drive.google.com/file/d/15t66ot2sdqyk60lsPSY221y14L6JgnX5/view?usp=sharing

April 17, 2026 / 0 Comments

Why AI Decisions Are Hard to Challenge (And Why It is a Risk)

AI,  GRC,  Risk management

Beatrice did not give up immediately. After her loan application was rejected, she decided to challenge the decision. There had to be a mistake. She had a stable income. No debt issues. Nothing that should raise concern. So she reached out.

The response came quickly. “Your application was assessed using our automated decision system. Unfortunately, we are unable to provide further details.”

Beatrice read the message again. No explanation. No breakdown. No human review. Just a decision… with no clear reason behind it.

When There Is No One to Question

In the past, decisions like this involved people. You could ask: There was always someone accountable. But with AI systems, things are different. The decision is made instantly. The process is hidden. And often, there is no clear path to challenge it.

The Problem With “Black Box” Decisions

Many AI systems operate in what experts call a black box. That doesn’t mean they are broken. It means: The system produces an outcome, but the reasoning behind it isn’t easily understood. Even the organisations using these systems may not fully understand: So when someone like Beatrice asks for answers… There may not be a clear one to give.

Why This Becomes a Risk

At first, this might not seem like a cybersecurity issue. But it is a governance and risk problem. Because when decisions cannot be explained: In Beatrice’s case, the risk wasn’t just the rejection. It was the lack of transparency behind it.

When AI Gets It Wrong

AI systems are trained on data. And that data may contain: This means AI can make decisions that are: And without the ability to challenge those decisions, the impact becomes even more serious.

The Governance Gap

This is where governance becomes critical. Organisations cannot rely on AI systems without oversight. They need to ensure: Because if no one can challenge a decision… Then no one is truly responsible for it.

A Familiar Pattern in a New Form

This problem may feel new, but the underlying issue isn’t. In many industries, systems have always failed when: AI is simply amplifying that problem. Faster decisions. Less visibility. Higher impact.

The Human Side of the Problem

Beatrice wasn’t trying to break a system. She was trying to understand it. She wanted clarity. A reason. A chance to respond. What she faced instead was a system that had already decided and moved on.

On A Final Note

AI is becoming a powerful part of how decisions are made. But power without transparency creates risk. Because when people cannot question decisions… They cannot trust them. And in cybersecurity, governance, and risk management, trust is everything.

If you are beginning your journey in cybersecurity or GRC, this is something worth thinking about:

It’s not just about building smarter systems
It’s about making sure those systems can be understood, challenged, and trusted

April 15, 2026 / 0 Comments

What Happens After You Click a Phishing Link in the Age of AI

AI,  GRC,  Social engineering,  Uncategorized

Beatrice almost ignored the email. It looked routine. “Urgent: Payroll verification required.” The message was clear, professional, and written exactly the way her company usually communicated. No spelling mistakes. No strange formatting. Even the tone felt familiar.

She hesitated for a second. Then she clicked the link. Nothing unusual happened. A login page appeared. Clean. Branded. Normal. She entered her details and moved on with her day.

By 11:42 AM, someone else had logged into her account. By 1:15 PM, internal emails were being accessed. By 3:30 PM, sensitive files had been downloaded. And by the end of the day, what started as a simple click had become a cybersecurity incident.

But this time, something was different. This wasn’t just phishing. This was AI-assisted phishing.

The Attack Didn’t Start With the Click

It started much earlier. The attacker didn’t randomly send emails. Instead, they used AI tools to: The result? An email that didn’t look suspicious. It looked perfect.

In the past, phishing emails were easier to spot. They contained: Now, AI has changed the game. Attackers no longer need to be skilled writers. They just need the right AI tools.

Step by Step: What Actually Happened

Beatrice’s click was just one moment in a chain of events. Here is how it all unfolded:

1. The Fake Page

The link led to a login page designed to look identical to her company’s system. Every detail matched. Because AI can now help replicate interfaces quickly and convincingly.

2. The Credential Capture

The moment she entered her login details, they were sent directly to the attacker. No alarms. No warnings. Just silent access.

3. The Silent Login

Within minutes, the attacker logged into her real account. No hacking required. Just valid credentials.

4. The Expansion

From there, access grew. Emails were read. Contacts were mapped. Internal systems were explored. In some cases, attackers use AI to analyse large amounts of data quickly, identifying what is valuable.

5. The Impact

What began as one compromised account quickly became a wider risk:

Why AI Makes This More Dangerous

The goal of phishing hasn’t changed. But AI has made it: In other words: The attack is no longer obvious. The mistake is no longer easy to avoid.

The Real Risk Isn’t Technology

It’s easy to think this is a technology problem. But Beatrice didn’t fail because she lacked technical knowledge. She made a decision based on what she saw. And what she saw looked real. This is where cybersecurity becomes human. Because no matter how advanced systems become, people still have to:

A New Reality for Beginners

If you’re starting your cybersecurity journey, this is important to understand: The risks are no longer just technical. They are psychological, behavioural, and increasingly AI-driven. You’re not just learning how systems work. You’re learning how deception works at scale.

On a final note…

Beatrice’s story isn’t rare. It’s becoming more common. Because in 2026, cyber attacks are no longer just about breaking systems. They are about convincing people. And AI is making that easier than ever. Because sometimes, the most dangerous part of a cyber attack… is not the code behind it. It’s how real it looks.

April 8, 2026 / 0 Comments

© 2025 TechTakeoff. All rights reserved.
