Tuesday, March 17, 2026

Neil Hare-Brown on the future of cyber risk: Why criminals attack processes, not just technology

By Shruti Menon Seeboo

In 2026, the digital perimeter has shifted from the server room to the social engineering of the individual. As simple phishing evolves into the era of autonomous AI agents capable of conducting multi-step deceptions, the core of the battle is no longer just technological—it is a contest of speed, scale, and human psychology. Neil Hare-Brown, CEO of STORM Guidance, suggests that while AI is driving these scams, the primary advantage for modern attackers lies in “quality/believability (especially multi-language), speed and scale.” This new reality, he argues, “places individuals at greater risk of falling victim and it is more important than ever for service providers (financial, telecoms, legal, government) to both detect and prevent such scams, through technology and awareness campaigns.”

However, Hare-Brown posits a contrarian view on how to survive an attack moving at machine speed. While the instinct is to fight AI with more AI, the real vulnerability often lies in the friction—or lack thereof—in business operations. “The interesting thing is that many processes under attack that drive higher value transactions, require more sophisticated deception and tightening up on those processes (an area where we often help clients) can significantly reduce the risk of loss,” he notes.

This focus on process is particularly acute in Mauritius, which serves as a vital investment corridor for Africa and Dubai. The island has seen its financial services industry come under increasing pressure over the past two years, with a rise in ransomware and payment diversion fraud. According to Hare-Brown, these are rarely purely technical failures. Instead, “attackers are looking for victim organisations who have weak cybersecurity, procurement, client management, and payment processes. Criminals try to attack process—more than technology and people—because they know that is where mistakes are made.”

Despite the legislative progress of the Cybersecurity and Cybercrime Act, Hare-Brown believes a chasm remains between legal requirements and technical reality. When asked if local firms are truly ready for a “Day Zero” event, his assessment is blunt: “Absolutely not. Unfortunately, Mauritius is no different from many other countries, where the laws are largely in place but they are not enforced in such a way that they are sufficiently respected and observed.” He suggests that while the Act is a welcome update, the real turning point will be the “supportive initiatives such as the formation of the National Crime Agency and within that the National Computer Crime Unit that will make a difference. In addition, further support for Data Protection Law, the DPO and her Office will also help to ensure businesses and citizens manage sensitive personal data securely and responsibly.”

The global conversation often turns to whether governments should act as a “reinsurer of last resort” as cyber risks become systemic. Hare-Brown remains sceptical of a state-funded safety net, noting that the cyber insurance markets in the US and Europe are currently soft and competitive, gradually driving the “availability of affordable cover in the Africa region generally and in Mauritius specifically.” Regarding government intervention, he points out that “most governments would simply not have the capital to support an effective safety net. As a result, a much better strategy is to enact laws that mandate effective baseline cybersecurity. At present this has only been done on a piecemeal basis and is not adequate to address the risk. The carrot approach followed for decades has not worked. Governments who are bold will need to support a mandatory approach if they want to make their countries resilient to cybercrime.”

This drive for resilience also requires a fundamental re-evaluation of how boards measure security. Many leaders take comfort in extensive vulnerability management programmes, but Hare-Brown views these as potential red flags. “At first sight one would consider this to be a very good thing… however, executives need to ask whether this indicates a lack of investment in technology. Ideally, all organisations should only be operating digital technologies that are at current versions (or worst-case, immediately previous versions). A simple patching regime can then be operated. In short, complex vulnerability management is a sign of legacy technology and one mistake can result in catastrophe.” Similarly, he warns that the traditional safety of “air-gapping” industrial systems is becoming a myth: “This is increasingly hard to do effectively as many pressures (mostly from technology providers) seek to encourage or require connectivity and information sharing. Whilst highly competent professionals can still protect such environments it is a real challenge and a potential red flag.”

To combat these systemic weaknesses, STORM Guidance is “working with the government to introduce a new cybersecurity certification scheme. This will really help with overall resilience of many Mauritian organisations.”

The human element remains the greatest variable, especially as Mauritius navigates a talent shortage. While AI-driven security tools offer some relief, Hare-Brown insists they are not a silver bullet. “I do not believe AI-driven security tools will be the complete answer. They are already helping to some degree but are not currently designed for the ‘bigger picture’ of cyber risk management. They need the human expertise to manage them effectively.” The solution to the “brain drain” may be more cultural than technological. “If Mauritius focuses on effort to attract in excellent mentors (many of whom would love what a progressive society has to offer), then this will help to retain young talent. The promise of AI is actually not technological but cultural. This is why Mauritius is ideally placed as a showcase for secure, next-generation resilience.”

Ultimately, the responsibility for this resilience rests at the top. He says, “There are a growing number of commercial liability actions, especially in the US and Europe and because Mauritius is a services hub for clients in these regions it may expose providers here to legal action for losses due to cyber incidents.” For any board member looking to protect their organisation, Hare-Brown offers one definitive question to ask their CISO (if they have one, since “few Mauritian businesses do”): “Are we providing you with enough resources and support to render us resilient to most cyberattacks?”
