
Building Human Firewalls: Lessons from the CIISF Cyber Security Conference 2025

Gerrit Heyneke Oct 21, 2025

Last week, I attended the annual CIISF Cyber Security Conference in Jersey, an event that brought together thought leaders, regulators, and innovators from across the Channel Islands. This is a highlight for me each year. The Channel Islands Information Security Forum does an excellent job, and at £25 a ticket, the value was exceptional. The discussions were sharp and thought-provoking. As we start living in this AI era, the message was clear: true cyber resilience depends not only on technology but on the people in our organisation.

While many organisations focus heavily on prevention and detection, the reality is that resilience begins with human behaviour. Systems and firewalls are important. But the best protection still comes from an empowered workforce that questions what’s in front of them and responds with awareness.

One of the stories shared at the event captured this perfectly. During a red-team exercise, a tester exploited a system flaw on a promotion page by ordering fifty items when only one should have been allowed. The system failed to stop the attack, but the person packing the order noticed and said, “We only do one per box, so suck it, I’m just sending one.” It was a perfect reminder that human common sense can outsmart digital loopholes.

The Security Paradox

Another point that stuck with me was during the session on supply chain management and third-party risk. I couldn’t help but draw a parallel between the explanation of the security paradox and what we’re witnessing in the audit landscape across the Channel Islands.

Over time, organisations often fall into a familiar circular trap.

When controls and security measures work effectively, incidents decline, and success breeds complacency. Teams begin viewing these safeguards as bureaucratic burdens rather than critical defences, gradually loosening or bypassing them. This false sense of safety erodes vigilance, creating openings for bad actors or systemic weaknesses to resurface. In essence, when security works too well, people forget why it mattered, until it’s too late.

In our audit profession, we’re seeing a similar pattern: a reduction in required audits, trust structures not mandating independent reviews and trustees increasingly carrying risk alone. With the new Jersey Private Fund (JPF) requirements further reducing audit involvement, there’s an uncomfortable parallel. Removing oversight might make things seem efficient, but it doesn’t make them resilient. When fewer eyes are reviewing the systems, undetected risks can quietly grow.

My Six Key Lessons on Resilience

This year’s conference featured an exceptional line-up of six speakers, each offering a unique perspective on resilience and keeping this nerdy brain thoroughly engaged:

  1. Visibility builds trust. You can’t manage what you can’t see. Hidden dependencies across suppliers or systems create blind spots that undermine resilience.
  2. People are part of the system. Social engineering remains one of the most effective attack vectors because it targets behaviour, not hardware.
  3. Insiders matter. Not every incident comes from malice — fatigue, distraction, or poor training can cause just as much damage.
  4. AI changes the game. Deepfakes and synthetic voices are redefining identity and authenticity. Robust authentication and staff awareness are non-negotiable.
  5. Adaptability beats perfection. You’ll never avoid every strike. The goal is to learn, adapt, and recover faster than the threat evolves.
  6. Test your AI, then govern it. Don’t assume automation equals safety. Every tool needs continuous oversight, clear rules, and human judgment.

Building Resilience: People First, Always

The overarching message for me was that cyber resilience begins in person, not just online. While AI tools, monitoring systems, and new regulations like DORA all play vital roles, the real differentiator lies in cultivating an empowered, vigilant, and informed workforce.

Open conversations and live simulations remain some of the best training investments a firm can make.

At Baker Tilly Channel Islands, we’ll continue integrating this human-first approach into our governance, training, and service delivery. For our clients, we’ll also continue advocating for collaboration with island professionals, particularly through the Jersey Cyber Security Centre and their Jersey Cyber Shield initiative, which is doing outstanding work to safeguard the Island’s digital future.

The CIISF conference reminded me that resilience isn’t a static target; it’s a shared culture. In an age where AI can now make Will Smith eat spaghetti, human awareness, logic and ethical leadership remain irreplaceable.

With cyber awareness front of mind this time of year, it’s an ideal opportunity to strengthen your control environment.
Our IT Audit team can help you test and enhance it; reach out and we’ll connect you to the right specialist.
Gerrit Heyneke
Associate Director
