Cybersecurity: are we doing our part?
BM Zahid-ul Haque [Source : New Age, 30 May 2025]

IN TODAY’S hyperconnected world, cybersecurity is no longer a technical issue confined to a particular department — it is a strategic imperative that affects every individual, business, and government. The threat landscape is growing more complex by the day, with global cybercrime costs projected to reach $10.5 trillion annually by 2025 (Cybersecurity Ventures). In this context, the real question we must all ask is not whether cyberattacks will occur — but whether we are truly prepared to detect, respond, and recover before the damage becomes irreversible.
Cybersecurity resilience begins with awareness, but awareness alone is insufficient. Organisations often invest heavily in technology, implementing firewalls, endpoint detection, SIEM platforms, and more. Yet a significant share of breaches still originates with people — often because of a lack of training, unclear responsibilities, or poor cyber hygiene. Verizon’s 2023 Data Breach Investigations Report found that 74 per cent of breaches involved the human element — errors, social engineering, stolen credentials, or privilege misuse. This statistic underscores the urgent need for a cultural shift toward shared cybersecurity responsibility across all levels of an organisation.
Cybersecurity is everyone’s job. From the boardroom to the breakroom, responsibility must be embedded into organisational DNA. Boards are responsible for strategic oversight and must ensure cybersecurity is aligned with business objectives. CISOs should not be relegated to technical reporting; they must be empowered to drive a governance-first, risk-aware approach. IT and security teams execute the technical defence, but they cannot operate in isolation. Every employee is a potential target — and also a potential shield. Whether recognising phishing emails or reporting suspicious activity, employees form the critical first line of defence.
Vendors, partners, and third-party service providers also play a crucial role. In a world of interconnected digital supply chains, one weak link can compromise an entire ecosystem. According to Gartner, by 2025, 60 per cent of organisations will use cybersecurity risk as a primary determinant in third-party transactions and business engagements. Regulators, too, have a part to play by establishing clear cybersecurity standards and ensuring enforcement with a focus not just on compliance but on resilience.
Accountability starts with asking the right questions. Is the board embedding cybersecurity into business strategy or treating it as a compliance checkbox? Is the CISO focusing on building a strong security culture or merely accumulating tools? Are backups tested and incident response plans rehearsed regularly by IT teams? Are employees trained continuously and empowered to act? Are vendors reviewed for security risks, and are regulators actively promoting cyber maturity beyond basic enforcement? These are not theoretical questions — they are the foundation of a resilient cybersecurity posture.
This reflection must extend beyond roles to a deep organisational introspection. Do we conduct simulated phishing or breach attempts to test our readiness, or do we wait for the real incident to expose our vulnerabilities? Is our incident response a living, adaptive process, or just a document sitting on a shelf? Do we analyse insider threats, review third-party risks, and foster a security mindset across departments — or are these tasks relegated to audits and IT checklists?
Despite much advancement, several key gaps remain. There is often a lack of cybersecurity awareness at all levels. It is not uncommon to see a well-informed board paired with uninformed frontline staff, or vice versa. This imbalance can be dangerous. Moreover, there is a persistent misalignment between business and IT. Cybersecurity must be recognised not as an IT cost centre but as a business enabler. Leaders must demonstrate proactive ownership, acting before breaches occur rather than reacting afterwards. And perhaps most critically, organisations must move from checklist compliance to a model of true resilience — where continuous improvement, behaviour change, and adaptive strategies drive security maturity.
Shifting from a ‘good’ cybersecurity culture to a ‘great’ one involves rethinking the fundamentals. Good organisations have tools; great ones use them effectively. Good organisations conduct annual training; great ones simulate real-world attacks monthly. Good organisations maintain policy documents; great ones embed policy into behaviour. Good organisations are IT-driven; great ones have board-level engagement. Good organisations rely on occasional audits; great ones embrace continuous monitoring. The difference may seem subtle — but in times of crisis, it’s this difference that defines survival.
To support this shift, we advocate for the AWARE model — a practical framework for cyber resilience. It stands for Assess, Watch, Act, Review, and Educate. First, organisations must assess their assets and threat landscape. Knowing what you have and what risks you face is the foundation of any strategy. Second, they must watch continuously — monitoring vulnerabilities, suspicious behaviour, insider activity, and third-party exposures. Third, they must act decisively. Detection is not enough; response and mitigation are where resilience is built. Fourth, they must review their readiness through audits, simulations, and exercises. Finally, they must educate — not once, but continuously. Because at the end of the day, it is people, not tools, who click phishing links or prevent them.
Bangladesh offers a unique opportunity in this global cybersecurity evolution. With over 130 million internet users and Tk17.37 trillion in mobile financial transactions recorded in 2024 alone (Bangladesh Bank, BTRC), the nation is rapidly digitising. Fintech, healthtech, and edtech sectors are booming, powered by a young and tech-savvy population. This is both a strength and a challenge. As digital adoption rises, so does cyber risk. There is an urgent need to develop the cybersecurity ecosystem — through capacity building, national awareness campaigns, private sector partnerships, and global best practices. This includes fostering local talent, incentivising secure digital innovation, and building regulatory frameworks that promote maturity, not just compliance.
Ultimately, cybersecurity is not a one-time project. It is a shared commitment that must evolve with time. Boards must stop seeing security as a sunk cost and start treating it as a driver of trust and long-term value. CISOs must rise from the server room to the strategy room. Employees must be empowered, not blamed. Regulators must go beyond fines and foster accountability. And the media, academia, and society at large — all must play a part in shaping the narrative.
Cybersecurity is not just about protecting data — it is about protecting livelihoods, economies, and trust. As threats grow more sophisticated, our defences must become more resilient, adaptive, and collective. The future of digital progress depends on this.
So let us ask again — sincerely and urgently — are we truly doing our part?
BM Zahid ul Haque is an experienced CISO and global cyber digital transformation adviser