This article is based on an interview with Damien Mallon, Senior Systems Engineer at Datapac, originally published in the Business Post as part of their Focus on Managed ICT Services report in April 2026. Read the original article here.
AI adoption is accelerating across every sector. From a cybersecurity perspective, what is the most consequential thing happening right now that business leaders are not paying enough attention to?
The gap between the pace of AI adoption and the pace of security preparedness. Most organisations are moving quickly to introduce AI tools because the competitive pressure to do so is real and, in many cases, justified. What is not keeping pace is the governance, the access controls and the oversight needed to do that safely. That is where exposure is growing.
The more visible part of this is what practitioners call shadow AI. In most organisations, employees are already using AI tools that have not been approved or governed by IT. They are summarising internal documents on consumer platforms, pasting client data into public chatbots, and using tools that may be feeding that content into training models. The organisation typically has no visibility into any of this, and the scale of it tends to surprise leadership when it is first surfaced.
The less visible part concerns AI agents: tools that do not just respond to prompts but take actions, connect to systems, read files and send communications autonomously. As organisations begin deploying these inside their environments as part of an official AI strategy, the question of access becomes important. An AI agent should be subject to the same scrutiny as a new hire or a third-party contractor, with clear limits on what it can access and who is accountable for what it does. Those conversations are not happening consistently enough.
There is clearly pressure on organisations to move quickly on AI. Is it fair to say that urgency is creating cybersecurity risk?
It is a fair observation, though the urgency itself is not the problem. Organisations that delay AI adoption risk losing ground to competitors who are using it to move faster and serve customers better. The pressure to show progress is real and boards are right to take it seriously.
Where it becomes a concern is when AI is treated purely as a productivity initiative, with security considerations to follow later. That sequence tends to create problems that are much harder to resolve after the fact. Once sensitive data has been processed through an ungoverned system, the exposure has already occurred.
The organisations managing this well are taking a staged approach: establishing governance and access controls before broad rollout, running structured pilots to understand both the use cases and the risks, and being clear internally about which tools are sanctioned and which are not. That is not a slower path to AI adoption; it is a more sustainable one. The question worth asking at board level is not whether to adopt AI, but whether the organisation has a clear view of the cybersecurity risks it is creating in the process, and a plan to manage them.
Beyond AI, what are the broader cybersecurity threats that should be front of mind for business leaders managing hybrid workforces?
Identity sits at the top of that list. Corporate identities, meaning email accounts, cloud accounts and administrative credentials, have become the primary target for attackers. Compromising a legitimate identity gives an attacker the access and trust associated with that account, without triggering the kind of alerts that more aggressive intrusion methods would.
Hybrid working has made this harder to manage. When a workforce is distributed across home networks, shared spaces and personal devices, the traditional security perimeter largely disappears. The identity becomes the perimeter, and in many organisations it is still not being protected with the rigour that warrants.
The practical response involves a combination of measures that are well understood but not yet universally applied: multi-factor authentication as a baseline, zero trust principles that treat every access request as potentially untrusted regardless of origin, monitoring for unusual sign-in behaviour, and restricting privileged access to those who genuinely need it. None of these are new, but the gap between knowing they are necessary and having them properly in place remains wider than most organisations would be comfortable acknowledging.
Security and productivity are often described as being in tension. How should organisations think about that balance?
The tension is real, but it can be overstated. Stronger security controls do introduce friction, and that is worth acknowledging. Additional authentication steps, access restrictions and monitoring all create overhead that employees notice. Designing controls that are as seamless as possible, rather than bolting them on as an afterthought, makes a meaningful difference to how well they are adopted in practice.
The more important point for leadership is that the cost of a serious incident typically far outweighs the cost of prevention. A breach does not just carry a financial penalty. It disrupts operations, consumes senior management attention for an extended period, and in some cases affects customer relationships in ways that take years to repair. Framing cybersecurity investment as a constraint on productivity misses that broader picture.
There is also a human dimension that does not get enough attention. Employees who find security controls too burdensome will find ways around them, which tends to create more risk than the controls were designed to prevent. Building a culture where people understand why the controls exist, and where reporting a suspicious incident is encouraged rather than penalised, is at least as valuable as the technical measures themselves. That kind of culture takes time to develop, but it makes the whole security posture more resilient.
IT budgets are under significant pressure. How should organisations approach cybersecurity investment to make sure they are getting genuine value?
The starting point is an honest assessment of what controls are currently in place and whether they map coherently to the risks the organisation actually faces. A recognised framework like NIST is useful here because it covers the full lifecycle, from identifying risks through to recovery, and it provides a structure for identifying both gaps and areas where investment is duplicated.
Duplication is more common than most organisations realise. Security tooling tends to accumulate over time, with products purchased in response to specific concerns at different points, and the result is often a collection of solutions with significant overlap. That complexity consumes budget and operational attention without delivering proportionate protection. Consolidating on fewer, better-integrated tools is often the most direct way to reduce cost and improve visibility at the same time.
It is also worth examining what is already available within existing investments. Microsoft Business Premium, for example, includes Defender and a range of security controls that, when properly configured, can replace point solutions organisations are paying for separately. Getting more from what is already in place before committing to new expenditure is sound practice. The objective is not to spend more on cybersecurity; it is to ensure that what is being spent is actually reducing risk in a demonstrable way.
If a business leader takes one thing from this conversation, what should it be?
That the decisions being made right now about AI adoption will shape the cybersecurity posture of their organisation for years. Getting governance right at the outset is significantly easier than trying to retrofit it after something has gone wrong, and the window to do so is narrower than many organisations appreciate.
Cybersecurity has shifted from being a technical function with a technical owner to a business risk with board-level consequences. The financial, operational and reputational exposure from a serious incident is now substantial enough that it belongs in the same category as other material risks that boards are expected to understand and oversee. That does not require technical expertise, but it does require asking the right questions and holding the organisation to a reasonable standard of evidence about its own preparedness.
The organisations in the strongest position tend to be those where that conversation is already happening at the top. Not because they have spent the most or adopted the most tools, but because leadership is genuinely engaged with the question of risk and expects clear answers. That engagement, more than any individual control or platform, is what determines how well an organisation responds when something goes wrong.