As I continue learning about GRC, one thing is becoming very clear to me: Being warned does not mean being prepared. At first, I thought warnings were enough. If a system alerts you, if a message pops up, if someone tells you “this is risky,” then surely that should protect you right? But real life doesn’t work that way. Warnings Don’t Change Behaviour We see warnings everywhere: Most of the time, we click past them. Not because we don’t understand them but because we are most times distracted, hopeful, tired, or in a hurry. Sometimes we think, “This can’t happen to me.” A warning only informs you.It doesn’t prepare you. Preparation Is Mental, Not Just Technical Preparation means: In GRC, this is important. A warning might say, “This action is risky.”Preparation asks, “What happens if I continue, and am I ready for the consequences?” Why GRC Focuses on Readiness GRC exists because organisations know that: So instead of relying on warnings alone, GRC encourages: This turns information into action. Life Teaches This Lesson To Life itself is full of warnings. We are warned that things can go wrong; health, finances, relationships, careers. But preparation is what helps us cope when they do. Preparation doesn’t remove risk.It helps us handle it better. That is the same mindset GRC brings into cybersecurity. I am beginning to understand that security is not about avoiding mistakes completely. It is about: Warnings are helpful.Preparation is powerful. A warning tells you something could go wrong.Preparation helps you survive when it does. That is why in GRC, awareness alone is not enough.Readiness is what truly reduces risk. And this is a lesson I am still learning one step at a time.
Risk Management Starts With People, Not Systems
When people talk about risk in cybersecurity, the focus is often on systems servers, networks, software, and tools. But as I continue to learn about GRC, one truth keeps standing out to me: Risk management doesn’t start with systems.It starts with people. Before a system fails, a human decision is usually involved. When Risk Warnings Are Ignored When my Facebook page was taken over, I was warned. The platform showed me a message explaining the risk if I accepted access. I saw it. I read it. But in that moment, I was blinded by opportunity and trust, and I went ahead anyway. I learned the hard way. The system did its job; it warned me.The risk wasn’t hidden.The decision was human. People Create Risk Without Meaning To Most risks don’t come from bad intentions. They come from normal human behaviour: Systems don’t ignore warnings.People do. That’s why risk management focuses on people first. Life Itself Is Risk Risk is not limited to cybersecurity. When I was going to give birth, there were risks involved. That’s part of life. But the presence of risk didn’t stop the process; it required preparation. Doctors explained the risks.Plans were made.My mind was prepared to handle whatever came. That is what risk management looks like in real life. How This Connects to GRC GRC works the same way. It doesn’t pretend risk doesn’t exist.It acknowledges it and asks: GRC is about mental readiness as much as technical controls. Why Systems Fail After People Do Firewalls don’t panic.Software doesn’t feel rushed.Servers don’t trust strangers. People do. That’s why systems fail after people do. What I am Learning as a Beginner As someone still learning GRC, this is what I understand so far: Risk management is not about fear.It’s about awareness and preparation. We can’t remove risk from life.But we can prepare our minds to handle it. On A Final Note…. Cybersecurity tools matter.Systems matter.Technology matters. But risk management starts with people their decisions, their emotions, and their readiness. GRC simply helps us prepare for reality. And the more I learn, the more this human-first approach makes sense.
Trust Is Not a Security Control
Trust is human.Security is intentional. In everyday life, trust helps relationships work. We trust colleagues, friends, family, service providers, and systems to do the right thing. Without trust, society would struggle. But in cybersecurity, trust alone is not enough. This is where one of the most important principles comes in: Never trust. Always verify. This doesn’t mean people are bad. It means systems must be designed to remain secure even when trust fails. Why Trust Fails in Security Security planning starts with one simple truth:humans make mistakes. People forget.People get tired.People feel pressure.People respond to urgency. Trust does not protect systems in these moments. A trusted employee can click a phishing link.A trusted vendor can be compromised.A trusted account can be misused. None of this happens because people are careless it happens because people are human. What “Never Trust, Always Verify” Really Mean “Never trust, always verify” is not about suspicion.It is about designing systems that do not rely on assumptions. Verification means: Verification protects both the user and the system. Security Controls Exist for a Reason Security controls reduce risk where trust alone cannot. Examples include: These controls do not replace trust they support it by creating accountability and resilience. Attackers Exploit Trust Social engineering works because attackers understand one thing:trust bypasses verification. They pose as: Once trust replaces verification, controls are quietly ignored and that is where breaches happen. Why This Matters in GRC In governance, risk, and compliance, trust is never the answer to “what went wrong.” The real question is:“What controls failed or were missing?” GRC is built on evidence, accountability, and repeatability.Verification makes that possible. Final Thought Trust makes things move faster.Verification makes things safer. Good security does not assume bad people it assumes imperfect moments. That is why the rule remains simple and powerful: Never trust. Always verify. Want more like this?I share practical, human-centred cybersecurity lessons and career insights by email.
Why Convenience Is The Enemy Of Security
In the beginning, convenience felt harmless. When I first started using social media, I didn’t think much about passwords. I wasn’t careless I was being practical. Using the same password for all my accounts made life easier. One password to remember. No stress. No confusion. It felt efficient. And honestly, I thought, “At least I won’t forget it.” What I didn’t understand then was that convenience quietly trades comfort for risk. When Convenience Feels Smart….Until It Isn’t Using one password everywhere worked… until it didn’t. When my Google account was taken over, the process of getting it back was long and exhausting. Emails. Verifications. Waiting. Proving ownership again and again. It took time, patience, and persistence before I finally recovered it. That experience alone was sobering. But when my Facebook page was taken over, I made a different decision. I didn’t fight for it the same way. I simply started again and built a new one from scratch. Not because it didn’t matter but because the cost of recovery felt heavier than starting over. Both experiences taught me something I had ignored before. Convenience Creates Single Points of Failure The problem with convenience is not that it is wrong it is that it concentrates risk. One password across multiple platforms means one mistake opens many doors. Once that password is exposed, everything connected to it becomes vulnerable. I didn’t fully understand this until I lived through the recovery process. It was during that time resetting access, securing accounts, rebuilding that the importance of passwords finally became clear to me. Security Is Designed to Be Inconvenient for a Reason Security slows you down on purpose. Multiple passwords.Verification steps.Authentication codes. All of these things feel inconvenient because they interrupt ease. But that interruption is intentional. It exists to protect you during moments when convenience would otherwise cost you everything. Attackers depend on ease.Security depends on friction. And most people are not patient, we are always in a hurry. What Changed for Me After those experiences, I stopped prioritising convenience over protection. I began to see passwords not as obstacles, but as boundaries. I understood that the slight discomfort of managing them properly was nothing compared to the stress of losing access and control over my digital life. Convenience had taught me comfort.Security taught me responsibility. Final Thought Convenience feels good in the moment.Security protects you in the long run. Most security failures don’t happen because people are reckless they happen because people choose what feels easiest. And sometimes, the easiest choice is the most expensive one. Want more like this?I write about human-centred cybersecurity, risk, and career transitions.
Why Attackers Don’t Hack Systems,They Hack People Instead.
Before attackers go after systems, networks, or software, they go after something far more powerful: the human mind. That’s where the real game is played. As human beings, we are wired in very specific ways. We trust. We help. We respond quickly to urgency. We don’t want to miss opportunities. We don’t want to get into trouble. These traits help society functionbut they also make us vulnerable. Attackers understand this better than most people realize. They don’t need to break technology if they can influence behaviour.And influencing behaviour starts in the mind. The Mind Is the First Attack Surface Cyberattacks don’t begin with code.They begin with emotions. Fear.Pressure.Excitement.Authority.Opportunity. Once an attacker triggers any of these, critical thinking often slows down. Logic steps aside, and reaction takes over. At that point, the hardest part of the attack is already done. Systems Are Built to Resist ,Humans Are Built to Trust Modern systems are designed with layers of protection: passwords, firewalls, encryption, and access controls. Breaking through them directly takes time, skill, and effort. Humans, on the other hand, are not built to resist they are built to connect. We assume good intent.We respond when something sounds important.We act quickly when consequences are mentioned. Attackers exploit this difference. So instead of fighting the system, they go around it by targeting the person using it. People Are the Easiest Entry Point An attacker doesn’t need advanced tools if they can simply: Once a human opens the door, the system behaves exactly as designed. No hacking required. Just manipulation. Social Engineering Is About Psychology, Not Technology Social engineering works because it speaks to emotions, not logic. Messages are crafted to sound: When emotions rise, verification drops. This is why so many successful attacks involve phishing emails, fake support calls, job offers, or warnings about account problems. The technology isn’t failing it is the human moment that is being exploited. Why Awareness Is the Real Defense Security tools matter, but they can’t replace awareness. Cybersecurity depends on people knowing when to pause, when to question urgency, and when to verify through another channel. This is why cybersecurity is not just a technical field.It’s a human one. Final Thought If attackers can control your emotions,they can control your actions. And once they control your actions,they don’t need to hack any system at all. The strongest defense isn’t fear it’s awareness, patience, and understanding how the mind is used in attacks. Remember to ‘Never Trust, Always Verify’
Why Slowing Down Is A Security Skill
In cybersecurity, speed is often praised. Fast detection. Fast response. Fast recovery. But there’s a quieter skill that prevents more incidents than most tools ever will: Slowing down. Many security incidents don’t happen because systems fail. They happen because humans move too fast. A rushed click. A hurried response. An emotional reaction to pressure. Attackers understand this deeply and they exploit it. They don’t need you to think.They need you to react. Urgency Is Designed to Create Fear Urgency is not accidental. It is deliberate. When urgency enters a message, it creates fear. And once fear takes over, rational thinking steps aside. At that point, the attacker doesn’t need access to your system they already have access to your mind. This is how control is gained. Reflect for a moment on situations in your life where it felt like if you didn’t act immediately, something terrible would happen. A missed opportunity. A lost account. A looming consequence. Now ask yourself:How many times did you fail to meet that urgency… and heaven did not fall? That realisation alone is powerful. Social Engineering Is a Mind Game Social engineering does not rely on technology. It relies on psychology. It plays on: Once emotion takes the lead, logic struggles to catch up. That’s why slowing down matters. Slowing Down Restores Control Slowing down breaks the spell. It gives you space to ask: Most malicious requests collapse under simple scrutiny. From a security perspective, slowing down reduces risk. It increases verification, limits impulsive decisions, and prevents attackers from steering your actions. Patience Is a Security Virtue In cybersecurity, patience is not weakness it is strength. Mature security systems are designed to slow people down on purpose: confirmation steps, approvals, reviews, and delays. These controls exist because humans are emotional, and emotions can be exploited. Slowing down protects not just systems, but people. Final Thought Social engineering is a mind game.Security is knowing when not to play. Slow down.Question urgency.Trust verification over fear. And sometimes you need toslow down and smell the cookie. Because control begins the moment you pause. Want more like this?I write about human-centred cybersecurity, risk, and career transitions.
Personal Digital Hygiene Tips for the Holiday Season
The holiday season is a time for joy, travel, reconnection, and celebration. It’s also a season when many of let our guard down online and offline. Unfortunately, attackers know this too. When we are distracted, excited, or eager to share good moments, our digital hygiene often slips. That is why being intentional during this season matters more than ever. Think of digital hygiene the same way you think of personal hygiene:small, consistent habits that quietly protect you. 1. Be Mindful of What You Share Especially During Travel To my fellow African brothers and sisters travelling home to celebrate:resist the urge to show off. The “I have arrived” mentality of posting locations, arrivals, gifts, or lifestyle updates in real time can expose you and your loved ones to unnecessary risk. Protect yourself and your family by: Privacy is protection. Not everything needs an audience. 2. Keep Certain Things Private for Your Own Safety Not everyone watching your posts has good intentions.Some people are observing quietly, connecting dots, and gathering context. What feels like harmless celebration can become useful information to someone with the wrong motives. Digital hygiene means knowing that: 3. Be Extra Careful with Holiday Messages and “Opportunities” During the festive season, messages increase giveaways, offers, collaborations, job promises, and quick favors. Slow down before responding. You don’t owe strangers access to your time or your trust. 4. Young Ladies: Be Intentional About Online Relationships This part matters. Please don’t fall for “he said he lives abroad” as proof of legitimacy.Photos can be edited. Stories can be curated. Lifestyles can be staged. It is incredibly easy to make life look a certain way online. And the truth is simple:you don’t need someone abroad to validate your worth or your future. If you’re earning a decent salary, building your life, and growing you can travel abroad by yourself. You don’t need illusions sold through messages and filtered photos. Digital hygiene also means emotional hygiene. 5. Use Strong Passwords and Enable 2FA Avoid passwords linked to anything visible on your social media names, dates, locations, hobbies. Make sure Two-Factor Authentication (2FA) is turned on for: That extra step protects you when emotions or distractions creep in. 6. Be Careful with Direct Messages Scammers love the holidays because people are more open and less guarded. If a message feels: Pause and Verify. 7. Awareness Is the Real Gift Digital hygiene is not about fear.It is about intentional living online and offline. Understanding that: …is one of the strongest forms of protection you can give yourself and your family. Final Thought Enjoy the holidays.Celebrate fully.Reconnect with loved ones. Just remember:what you keep private today can protect you tomorrow. Security starts with awareness and awareness is always in season. Merry Christmas!
Why Awareness Is The Strongest Cybersecurity Control
Once I became aware of how attackers gather information and exploit behaviour, something shifted for me not dramatically, not overnight, but intentionally. I started paying closer attention to what I shared, especially on social media.What used to feel harmless suddenly felt… loud. And slowly, things changed. I stopped receiving strange phone calls.The persistent ones? I blocked them without hesitation.Not because I was afraid but because I understood what was happening. Awareness gave me boundaries. Awareness Changes Behaviour Before It Changes Technology I am not claiming perfection. I am still learning.But even the little awareness I have gained has helped me protect my digital footprint in ways I didn’t know were possible before. I hardly respond to direct messages on social media now.Not because every message is dangerous but because access matters. I verify links before clicking.I pause instead of reacting.I question instead of assuming. That pause alone has probably saved me more times than I realise. Technology Helps But Awareness Leads Firewalls, passwords, and 2FA are powerful.But they don’t replace awareness they depend on it. Most attacks succeed because someone was rushed, distracted, curious, or trusting in the moment. Awareness doesn’t eliminate those emotions, but it helps you recognize when they’re being used against you. And that recognition is powerful. Understanding Criminal Minds Changes Everything One of the biggest lessons this journey has taught me is this:some people genuinely think differently. Not everyone online has good intentions.Some people study behaviour the same way cybersecurity professionals study systems except they do it to exploit, not protect. Once I accepted that reality, I stopped taking things personally and started taking them seriously. This Is Why Awareness Is Control From a security perspective, awareness is not just a mindset it is control. It reduces exposure.It limits access.It interrupts manipulation.It lowers risk. Just like in aviation, where safety depends on awareness at every level, cybersecurity relies on humans being aware of their digital footprints. I Am Not There Yet and That’s Okay I amstill learning.Still refining.Still becoming more intentional. But awareness has already given me something invaluable:control over my digital presence. Cybersecurity does not start with tools.It starts with understanding. And sometimes, that understanding is enough to stop an attack before it ever begins.
What Attackers Learn About You Before They Attack
Most cyberattacks don’t start with hacking tools or technical exploits.They start quietly, patiently, invisibly. Long before an attacker reaches out, clicks a link, or sends a message, they are already watching, learning and piecing things together. And most times, they don’t need to break into anything. We hand them the information. Attacks Begin With Observation Attackers don’t wake up and randomly choose a target. They observe first. They look for: To them, every detail is a puzzle piece.And when enough pieces come together, a profile forms. When Familiarity Feels Uncomfortable There was a time I used to receive phone calls from men I didn’t know. They would say my name confidently. Mention where I worked. Speak as if we had crossed paths before. Something about it always felt off. However, I have always been cold toward people I don’t know who claim to know me, so I never engaged. But I couldn’t stop wondering:How did they get my number?How do they know where I work? At the time, I didn’t have answers, just the questions. The Moment It Clicked One day, out of curiosity, I went into my Facebook settings. And there it was. My workplace.My details.Information I had forgotten I ever shared publicly. No hacking required.No breach.No technical skill. Just access to information I had made public without thinking twice. That moment stayed with me. Why This Matters in Cybersecurity Attackers don’t need everything about you.They just need enough. Enough to sound believable.Enough to earn trust.Enough to lower your guard. This is how social engineering works.This is how phishing becomes personal.This is how a stranger turns into “someone who sounds legit.” By the time the attack happens, the groundwork has already been laid. Information Is Context and Context Is Power When someone knows: they don’t approach you as a stranger.They approach you with context. And humans are wired to trust context. What Changed for Me Ever since stepping into cybersecurity, I have become very intentional about what I share and where I share it. Not paranoid.Not fearful.Just aware. I understand now that: Attackers don’t always “find” information.Often, they simply collect it. The Quiet Truth About Attacks Most attacks are already halfway successful before contact is made. Because when someone reaches out and already knows enough about you to sound familiar, the hardest part of the attack is already done. That is why cybersecurity isn’t just technical.It is behavioural.It is awareness.It is learning to see your digital footprint the way an attacker would. And once you see it that way, you never look at your online presence the same again. Want more like this?I write about human-centred cybersecurity, risk, and career transitions.
Social Engineering: When Trust Becomes the Attack Vector
When people hear “cyberattack,” they imagine code being cracked, systems breached, firewalls broken. What they rarely imagine is a conversation. A phone call. A message. A friendly voice that sounds like help. That’s the danger of social engineering. Social engineering doesn’t attack systems first.It attacks people. I learned this the hard way. How Social Engineering Really Works Social engineering is the art of manipulation. It’s when attackers use psychology, familiarity, and trust to persuade someone into giving up access often without realizing they aredoing anything wrong. What makes it so effective is that it doesn’t feel like an attack.It feels like opportunity.Or assistance.Or validation. That’s exactly how my own account was taken over. When Familiarity Felt Like Proof The person who contacted me knew things about me. Not deeply personal things but enough. Where I had posted an advert. What I was offering. How to frame the conversation in a way that caught my attention. And because they knew those details, I assumed they were legitimate. That’s the trap. Attackers don’t guess.They research. This process is called reconnaissance gathering information about a target before making a move. Social media, online ads, public profiles, casual posts… they all become puzzle pieces. At the time, I didn’t see it as reconnaissance.I saw it as credibility. I thought, “If they know this much about me, they must be genuine.” That assumption cost me access. Why Social Engineering Works So Well Social engineering succeeds because it leans into very human traits: It doesn’t force entry it is invited in. And once that invitation is extended, technology does exactly what it’s told to do. What Changed After That Experience I won’t pretend I wasn’t naive then because I was.But I also won’t pretend that naivety makes someone foolish. It makes them human. Since stepping into cybersecurity, my relationship with information has completely changed. I am far more intentional about what I share online. I think twice before posting details that could be stitched together into a profile of me. Because attackers don’t need everything.They just need enough. What I am Intentional About Now Today, I treat my digital presence the same way aviation treats safety assume risk, reduce exposure. I am careful about: And especially passwords. Passwords should never be tied to anything visible on your social media names, dates, interests, milestones. If it can be learned about you, it shouldn’t protect you. The Real Lesson Social Engineering Taught Me Social engineering isn’t about intelligence levels.It’s about context. Attackers don’t show up waving red flags.They show up sounding reasonable. That’s why awareness matters more than fear. Cybersecurity didn’t teach me to stop trusting people.It taught me to slow down, verify, and separate familiarity from legitimacy. And that lesson painful as it was became one of the most valuable foundations in my cybersecurity journey. Because once you understand social engineering, you stop asking,“How did they hack the system?” And you start asking the better question:“How did they convince the human?”