Before you worry about AI threats, fix your security fundamentals
Most cyber breaches aren’t driven by advanced AI - they’re caused by basic failures like exposed cloud storage and poor data governance. It’s time to refocus on cybersecurity fundamentals.
There’s a lot of noise right now about AI-powered cyberattacks. And yes, attackers are absolutely using AI to scale phishing, automate reconnaissance, and improve social engineering. I was even writing about it the other day. But if you spend any time looking at real-world breaches, a more uncomfortable truth emerges: most organisations aren’t being hacked with sophisticated AI - they’re being compromised through basic, preventable failures.
A recent post from This Week in Security makes the point starkly. It is still “far too easy to find leaked passports and driver’s licenses online”. Not because attackers are deploying cutting-edge techniques, but because sensitive data is sitting in publicly accessible storage - unsecured cloud buckets, misconfigured databases, and poorly governed systems.
This isn’t a story about advanced adversaries. It’s a story about neglected fundamentals. We continue to see the same patterns:
- Publicly exposed S3 buckets and cloud storage.
- Weak or absent access controls.
- Poor data classification and ownership.
- Lack of monitoring on sensitive data repositories.
- Credentials and keys left in code or configuration files.
None of this requires AI to exploit. It barely requires skill. It requires curiosity and a search engine.
Reality of cyber risk
The uncomfortable reality for boards and executives is that cyber risk is still, overwhelmingly, an operational discipline problem rather than a technological arms race. Organisations are investing heavily in advanced detection tools, AI-enabled security platforms, and threat intelligence feeds - yet failing to enforce basic hygiene. It’s the equivalent of installing a state-of-the-art alarm system while leaving the front door wide open.
From a governance perspective, this is where the focus needs to shift.
Core operational capabilities
Cyber and information security fundamentals are not “entry level” concerns to be delegated and forgotten. They are core organisational capabilities that require continuous attention:
- Do you know where your sensitive data actually resides?
- Is it classified appropriately?
- Who has access, and why?
- Are your cloud environments routinely audited for misconfiguration?
- Is there clear accountability for data stewardship?
If you can’t answer these questions confidently, then no amount of AI-driven security tooling will save you.
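One way to start answering the misconfiguration question for S3, as an added example that is not from the original post: it audits bucket settings shaped like the responses of the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy calls. The bucket names and settings are constructed, the policy test is simplified, and account-level Public Access Block is assumed to be unset.

```python
import json

_G = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {_G + "AllUsers", _G + "AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions an ACL grants to everyone or to any authenticated AWS user."""
    return sorted({g["Permission"] for g in acl.get("Grants", [])
                   if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS})

def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard principal and no Condition (simplified test)."""
    hits = []
    for st in _as_list(json.loads(policy_json or "{}").get("Statement", [])):
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if st.get("Effect") == "Allow" and "*" in _as_list(aws) and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def audit_bucket(cfg):
    """Return findings for one bucket; an empty list means no public path was found."""
    pab, findings = cfg.get("PublicAccessBlock") or {}, []
    grants = public_acl_grants(cfg.get("Acl") or {})
    if grants and not pab.get("IgnorePublicAcls"):  # this setting neutralises existing public ACLs
        findings.append("public ACL grant: " + ", ".join(grants))
    stmts = public_policy_statements(cfg.get("Policy"))
    if stmts and not pab.get("RestrictPublicBuckets"):  # this setting restricts public policies
        findings.append("public policy statement: " + ", ".join(stmts))
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append("Public Access Block off: " + ", ".join(missing))
    return findings

_READ = {"Grants": [{"Grantee": {"Type": "Group", "URI": _G + "AllUsers"}, "Permission": "READ"}]}
_POLICY = json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}]})
INVENTORY = {  # constructed sample settings (hypothetical bucket names)
    "example-id-scans": {"PublicAccessBlock": {}, "Acl": _READ, "Policy": None},
    "example-site": {"PublicAccessBlock": {}, "Acl": {"Grants": []}, "Policy": _POLICY},
    "example-locked": {"PublicAccessBlock": dict.fromkeys(PAB_KEYS, True), "Acl": _READ, "Policy": None},
}

if __name__ == "__main__":
    for name, cfg in INVENTORY.items():
        print(name, "->", audit_bucket(cfg) or "no public path found")
```

The third bucket still carries a public ACL grant but produces no finding, because its Public Access Block settings override that grant.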
There’s also a broader issue of incentives and attention. Advanced threats are interesting. They make for compelling board papers and conference presentations. Fundamentals are not. They are repetitive, procedural, and often invisible when done well. But they are precisely what separates resilient organisations from those that end up in breach notifications and regulatory investigations.
The rise of AI in cyber operations should not distract us from this. If anything, it raises the stakes. AI lowers the cost of scanning the internet for exposed assets. It accelerates the identification of weak points. It increases the speed at which simple mistakes are exploited at scale.
Which means that the organisations still getting the basics wrong will be found faster - and compromised more often.
The lesson here is not to ignore AI in cybersecurity. It is to put it in perspective. The most effective way to reduce cyber risk today is not to chase the latest technology trend, but to rigorously enforce the fundamentals:
- secure your data,
- lock down your environments,
- monitor your assets, and
- assign clear accountability.
Because right now, attackers don’t need to be clever.
They just need you to be careless.