Your Most Experienced Staff Are Your Best Cyber Defense. (You Just Need to Update Their Playbook.)
by Marco Lam, CISSP
As a middle manager, you’re responsible for some of the most valuable assets in this company: your people. In particular, your mature, experienced staff. These are the employees who have built their careers on process, common sense, and a deep-rooted sense of loyalty. They get the job done.
But you’re also told, repeatedly, that these same loyal employees are a major cyber risk. They may be less digitally native, perhaps a bit more set in their ways, and more trusting of a request that "looks" official.
So how do we bridge this gap? How do we enhance the cyber awareness of our most experienced team members without making them feel patronized?
The answer is to reframe the discussion. This isn't about scary hackers or complex technology. It’s about Risk Management—a concept your team already understands better than anyone.
And the new "rulebook" for this risk is being written by global regulations. Let's look at three big ones—GDPR, APPI, and the MAS Notices—and see what they really mean for you as a leader.
The New Business Rules: What Do These Laws Really Mean?
When I train teams, I don't focus on the legal jargon. I focus on the core principle. These laws, from Europe, Japan, and Singapore, are not IT checklists. They are powerful statements about how a professional business must operate in the 21st century.
GDPR (European Union): It’s About Customer Respect. At its heart, the GDPR is about protecting an individual's fundamental right to privacy. For your team, this isn't a new idea. It’s an extension of the customer service ethos they’ve practiced for decades. Just as you wouldn't shout a customer's personal details across a crowded bank lobby, you don’t leave their data unprotected on a server. It’s that simple.
APPI (Japan): It’s About Structured Process. Japan’s APPI, much like the country's legendary business philosophies, is built on having clear, structured, and appropriate processes for handling information. It mandates taking "necessary and appropriate security control measures." Your experienced staff built their careers on process. This is their language. They just need to understand the new security steps that are now part of that process.
MAS Notices (Singapore): It’s About Urgency & Resilience. The Monetary Authority of Singapore (MAS) gives us the most powerful training tool of all: the 1-Hour Reporting Rule. If a major security incident happens, the bank must notify the MAS within one hour. This single rule changes everything. It reframes "cyber awareness" from a passive "don't click" activity to an active, urgent responsibility.
The "Loyalty & Logic" Trap
Here's the paradox: the very traits that make your mature staff excellent employees—their loyalty, their desire to be helpful, and their trust in authority—are the exact levers attackers pull.
Think about the most dangerous scams:
An urgent email from the "CEO" (exploiting authority).
A frantic call from "IT Support" (exploiting helpfulness).
A "missed invoice" from a known vendor (exploiting process-driven habits).
Your team isn't falling for these because they lack intelligence. They’re being targeted because their common-sense rules for trust haven't been updated for a world where trust can be faked in an instant.
How to Lead: 3 Ways to Update the Playbook
As their manager, you are the most credible person to deliver this message. Here’s how you frame it.
1. Reframe "Cyber Security" as "Business Risk." Stop using IT jargon. Start using the language of your team: risk, continuity, and process.
Instead of: "We need to prevent phishing to stop malware."
Say: "We must verify suspicious requests to prevent a data breach that could cost us a multi-million dollar fine, as required by the PDPA."
2. Champion the "Productive Pause." Your most experienced staff already believe in "measuring twice and cutting once." Apply this same wisdom to the digital world.
Say: "An attacker’s greatest weapon is urgency. Your greatest defense is the 'pause.' A legitimate request from me, or any senior leader, will always survive a 5-minute verification call. I expect you to make that call."
3. Make Reporting a 'No-Blame' Priority. Many experienced employees fear "looking foolish" or "getting in trouble" for clicking a link. This hesitation is our single biggest liability.
Use the 1-Hour Rule: "Because of the MAS 1-hour reporting rule, the only mistake you can make is reporting too late. If you click something and feel that 'sinking' feeling, I need you to call the security hotline in the next 60 seconds. Reporting it fast is your primary job—it’s not a mistake, it’s the correct final step of the process."
Your team’s experience isn't a liability; it’s your best asset. They already have the critical thinking skills. Our job as leaders is to simply update their playbook, giving them the confidence and the tools to apply their hard-won wisdom to this new digital risk.