Curiosity Is a Security Control: Why the Most Expensive Tool in Cyber Security Is Free

Opinion

I have spent the past week talking about Clifford Stoll, logging, the DSIT survey, helpdesk social engineering, and the specific steps a small business can take to detect problems before they become catastrophes. All of it important. All of it practical. All of it, in the end, secondary to a single idea that the cyber security industry will never sell you because there is no margin in it.

Curiosity is a security control.

What Vendors Will Not Tell You

The cyber security industry is worth billions globally. It sustains itself by making business owners feel afraid and then offering to sell the antidote. Every product launch comes wrapped in a threat report. Every vendor event opens with a frightening statistic. The implicit message is always the same: you are helpless without us.

It is not true.

The most effective security stories I have encountered in 25 years of this work do not start with a product deployment. They start with a human being noticing something odd and refusing to let it go.

A finance controller notices a £12 discrepancy in a supplier payment and discovers a compromised account being used for invoice fraud. An office manager wonders why the network printer is active at midnight and finds a device that has been added to the network without authorisation. A director checks their email settings after reading an article about mail forwarding attacks and discovers a rule they did not create, forwarding all incoming mail to an external address.

None of these people had formal security training. None of them were running a SIEM or subscribing to a threat intelligence feed. They had curiosity. They noticed something that did not fit the pattern. And they acted on it instead of shrugging.

Why the Industry Ignores It

Curiosity cannot be productised. You cannot license it per seat. You cannot wrap it in a subscription and sell it annually. You cannot audit it during a compliance assessment or check for it on a Cyber Essentials application form.

It is a mindset, not a feature. And because it is a mindset, the industry that exists to sell features has no commercial interest in promoting it. A vendor that told customers “your biggest defence is paying attention to what looks wrong” would be undermining its own sales pipeline.

Consultancies have the same problem. If the answer to “how do we improve our security?” is “encourage your team to ask questions when things look odd”, that does not generate a six-month engagement with a hefty fee attached. So the answer becomes a 47-page risk assessment, a maturity model, and a transformation roadmap that nobody will finish implementing.

I am not saying products and frameworks are worthless. Firewalls matter. MFA matters. Endpoint protection matters. Cyber Essentials is useful. But all of these are passive defences. They sit in place and do their job until they do not. When they fail, and they will fail, the next line of defence is a person who notices.

The Cuckoo’s Egg Lesson

Clifford Stoll’s entire investigation, the one that uncovered a KGB spy ring operating through a California research lab, started because he refused to accept that a 75-cent billing discrepancy was too small to matter.

His colleagues wanted to write it off. The FBI was not interested. Multiple government agencies declined to help. Everyone around him thought he was wasting his time on a rounding error.

He was not. That rounding error was Markus Hess, selling stolen US military intelligence to Soviet intelligence. Stoll caught him not because he had superior technology (he had printouts and a homemade beeper), but because he had superior curiosity.

The lesson is not that every anomaly will lead to a spy ring. Most anomalies have mundane explanations. The lesson is that the habit of checking, of asking “why does that not look right?”, is the habit that catches the ones that are not mundane. You cannot know in advance which anomaly matters. You can only decide whether you are the kind of organisation that checks, or the kind that shrugs.

The DSIT Survey in One Sentence

The Cyber Security Breaches Survey 2025/2026 tells us that 43% of UK businesses experienced a breach or attack in the past year, that the rate has barely moved in three years, and that the cost when it happens is rising.

I can summarise the entire survey in one sentence: most UK businesses are not paying attention to their own systems.

Not because the tools are unavailable. The logging capabilities in Microsoft 365 and Google Workspace are free and built in. Not because the guidance does not exist. The NCSC has been publishing clear, actionable advice for years. But because nobody in the organisation has the habit, the encouragement, or the time to look at what is happening and ask whether it is normal.

That is not a technology problem. It is a culture problem. And culture problems do not get solved by buying another product.

What Curiosity Actually Looks Like in Practice

It looks boring. That is the point.

It is the director who spends ten minutes on Tuesday morning scanning the week’s sign-in activity for anything unusual. It is the office manager who asks the IT provider why a particular device is generating traffic at 3am. It is the finance team who questions a supplier invoice that is slightly different from usual: a new bank account number, a different email format, an amount that is close to the normal figure but not exactly right.
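The Tuesday-morning sign-in review described above, as an added worked example that is not part of the original article. It encodes three "does this fit the pattern?" questions a non-specialist would ask: is this user signing in from somewhere they never have before, is a successful sign-in landing outside working hours, and did a run of failed attempts end in a success? The sign-in records, the 07:00 to 19:59 working-hours window and the three-failure threshold are all constructed assumptions; a real export from Microsoft 365 or Google Workspace has different column names and would need its own parser.

```python
"""Weekly sign-in review (added example, not the article's own code).

Sample data below is constructed for illustration and is not real log data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed prior-weeks history used as the "normal" baseline per user.
BASELINE_SIGNINS = """\
2025-02-24T09:00:00,anne@example.co.uk,GB,success
2025-02-24T09:05:00,ben@example.co.uk,GB,success
2025-02-25T08:50:00,anne@example.co.uk,GB,success
"""

# Constructed current-week records: timestamp, user, country, result.
SAMPLE_SIGNINS = """\
2025-03-03T08:55:00,anne@example.co.uk,GB,success
2025-03-03T09:10:00,ben@example.co.uk,GB,success
2025-03-04T09:02:00,anne@example.co.uk,GB,success
2025-03-04T02:14:00,ben@example.co.uk,GB,success
2025-03-05T11:40:00,anne@example.co.uk,NG,failure
2025-03-05T11:41:00,anne@example.co.uk,NG,failure
2025-03-05T11:42:00,anne@example.co.uk,NG,failure
2025-03-05T11:45:00,anne@example.co.uk,NG,success
"""

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 is a normal working day
FAILURE_BURST = 3               # assumption: this many failures before a success is worth a question


def parse(text):
    """Turn the comma-separated sample lines into dicts with a real datetime."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, country, result = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "country": country, "result": result})
    return rows


def usual_countries(baseline_rows):
    """Countries each user has successfully signed in from before."""
    seen = defaultdict(set)
    for r in baseline_rows:
        if r["result"] == "success":
            seen[r["user"]].add(r["country"])
    return seen


def review(rows, known):
    """Return human-readable findings for anything that does not fit the pattern."""
    findings = []
    reported_country = set()          # report each new (user, country) pair once
    streak = defaultdict(int)         # consecutive failures per user
    for r in sorted(rows, key=lambda r: r["ts"]):
        user, country, when = r["user"], r["country"], r["ts"]

        # 1. Sign-in activity from a country this user has never used before.
        #    A user absent from the baseline has no known countries, so every
        #    country is flagged, which is what you want for a brand-new account.
        if country not in known.get(user, set()) and (user, country) not in reported_country:
            findings.append(f"{user}: sign-in activity from unfamiliar country {country} ({when.date()})")
            reported_country.add((user, country))

        # 2. Successful sign-in outside business hours.
        if r["result"] == "success" and when.hour not in BUSINESS_HOURS:
            findings.append(f"{user}: successful sign-in at {when.strftime('%H:%M')} on {when.date()}")

        # 3. A burst of failures that ends in a success.
        if r["result"] == "failure":
            streak[user] += 1
        else:
            if streak[user] >= FAILURE_BURST:
                findings.append(f"{user}: success after {streak[user]} consecutive failures ({when.date()})")
            streak[user] = 0
    return findings


def weekly_report():
    """The whole Tuesday-morning check on the constructed sample."""
    known = usual_countries(parse(BASELINE_SIGNINS))
    return review(parse(SAMPLE_SIGNINS), known)


if __name__ == "__main__":
    for finding in weekly_report():
        print(finding)
```

Each finding is a question to ask, not a verdict: the 02:14 sign-in may be a director catching up on email, and the unfamiliar country may be a colleague on holiday. The point of the script is that someone reads the three lines it produces and asks, rather than nobody reading eight hundred raw records and shrugging.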

It is also the organisational culture that makes these questions welcome rather than annoying. If a staff member who reports something suspicious gets told “don’t worry about it” or “that’s not your job”, they will stop reporting. If they get thanked, even when it turns out to be nothing, they will keep watching.

Stoll was the annoying person at Lawrence Berkeley Lab. He was the one who kept chasing a 75-cent error when everyone else wanted to move on. Be the annoying person. Encourage your team to be the annoying person. It is the cheapest security investment you will ever make.

How to Turn This Into a Competitive Advantage

A business that can demonstrate a culture of vigilance, where staff are encouraged to report anomalies and management responds to them, is a business that clients and partners can trust. In supply chain assessments, tender responses, and client onboarding conversations, the ability to say “our team is trained to question anything that looks unusual, and we have a process for escalating concerns” is a differentiator.

You cannot buy that reputation. You build it by doing the work.

How to Sell This to Your Board

The argument is simple. Every expensive cyber incident in recent memory (M&S, Co-op, SolarWinds, the Log4Shell crisis) involved a period where the signs of compromise were visible in logs or behaviour but were not noticed. Early detection reduces cost, reduces damage, and reduces regulatory exposure. The cost of implementing a curiosity culture is zero. The cost of not having one is measured in millions.

Sources

  • Wikipedia: The Cuckoo’s Egg (book)
  • DSIT / Home Office: Cyber Security Breaches Survey 2025/2026
  • NCSC: Introduction to Logging for Security Purposes
  • The Record (Recorded Future): M&S Confirms Customer Data Stolen
  • Security Affairs: Financial Impact of M&S and Co-op Cyberattacks

Filed under

  • smb-security
  • uk-business
  • business-risk
  • compliance-failure
  • vendor-risk
  • incident-response