
5 Common Cybersecurity Mistakes Employees Make


Human vulnerabilities are every company’s biggest cybersecurity threat. Despite this, many companies focus almost exclusively on securing systems and networks, an approach that overlooks the fact that people are the most common and most efficient route by which criminals attack a business.

One of the best ways companies can address human vulnerabilities is by creating a culture of cybersecurity awareness among employees. Here are five common cybersecurity mistakes employees make and strategies employers can take to address these risks.

1. Reusing Passwords Across Multiple Accounts.

Why It’s Risky:
Password reuse is one of the most common online mistakes, yet it remains prevalent among employees across industries. We recently conducted a survey and found that 77% of information security professionals believe their employees reuse passwords very often. Only 5% indicated it’s rare and 6% said it never happens. This widespread reuse means that a single compromised password can open doors to multiple accounts, and when the same password is used for both personal and work accounts, a breach of a personal site becomes a breach of the company.

How It Impacts Company Security:
When employees reuse passwords, a breach on one site can give attackers access to sensitive company systems if the same credentials are used for work accounts. Attackers automate this with credential stuffing: the leaked email and password pairs are replayed against corporate logins at scale. The result can be data loss, unauthorized access to critical systems, and compliance and regulatory problems if sensitive customer data is involved.

The Fix:
Encourage employees to use a unique password for each account, ideally with the help of a password manager. Password managers generate long random passwords and store them encrypted, so a breach of one site cannot be replayed against another. Most also flag reused passwords and can check stored passwords against known breach lists, which is the check employers should ask employees to run.
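To make the password-manager fix concrete, here is an added example (not code from the original post) of the two audits a manager runs over a vault: detecting the same password on more than one site, and checking each password against a breach corpus using the k-anonymity range lookup that haveibeenpwned.com’s Pwned Passwords API uses, where only the first five hex characters of the SHA-1 leave the machine. The vault contents, the breach list and the range response are constructed for the example; a real check would fetch the range over HTTPS.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site -> password). The reused and breached entries
# are deliberate so the audit has something to find.
SAMPLE_VAULT = {
    "mail.example.com": "Summer2023!",
    "hr.example.com": "Summer2023!",
    "crm.example.com": "correct horse battery staple",
    "bank.example.com": "Tq8#vL2p$Wm9zR4e",
}

# Constructed stand-in for a breach corpus (the real one has billions of hashes).
BREACHED_PASSWORDS = ["123456", "Summer2023!", "password", "qwerty"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_response(prefix: str, corpus) -> str:
    """Constructed equivalent of the range API response for `prefix`:
    one 'SUFFIX:COUNT' line per breached hash whose SHA-1 starts with `prefix`."""
    lines = []
    for pw in corpus:
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:1")
    return "\r\n".join(lines)


def is_breached(password: str, corpus=BREACHED_PASSWORDS) -> bool:
    """k-anonymity check: only the 5-char prefix is sent; the suffix is matched locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    response = build_range_response(prefix, corpus)  # real code: GET .../range/<prefix>
    for line in response.splitlines():
        if not line:
            continue
        found_suffix, _count = line.split(":", 1)
        if found_suffix == suffix:
            return True
    return False


def find_reuse(vault: dict) -> dict:
    """Return {sha1: [sites]} for every password used on more than one site.
    Grouping by hash keeps plaintext passwords out of the report."""
    by_hash = defaultdict(list)
    for site, pw in vault.items():
        by_hash[sha1_hex(pw)].append(site)
    return {h: sorted(sites) for h, sites in by_hash.items() if len(sites) > 1}


def generate_password(length: int = 20) -> str:
    """What a password manager does on 'new password': CSPRNG draw from a large alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(vault: dict, corpus=BREACHED_PASSWORDS) -> dict:
    """Map each site that needs a new password to the reasons ('reused', 'breached')."""
    findings = {}
    for sites in find_reuse(vault).values():
        for site in sites:
            findings.setdefault(site, []).append("reused")
    for site, pw in vault.items():
        if is_breached(pw, corpus):
            findings.setdefault(site, []).append("breached")
    return findings


if __name__ == "__main__":
    for site, reasons in sorted(audit(SAMPLE_VAULT).items()):
        print(f"{site}: {', '.join(reasons)} -> replace with {generate_password()}")
```

The report never prints the offending password, only the site and the reason; the replacement is drawn from `secrets`, not `random`, because the latter is not a cryptographic generator.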

2. Oversharing Online.

Why It’s Risky:
Seemingly innocent posts about work life, job roles, or location can be a goldmine for cybercriminals specializing in social engineering and phishing attacks. Oversharing on platforms like LinkedIn or Facebook can reveal sensitive details, such as job titles, project involvement, or personal identifiers.

How It Impacts Company Security:
Hackers often use social media to gather information on employees, crafting highly personalized phishing attacks to access confidential systems and information. For instance, a post mentioning a big project could signal to an attacker the potential for a targeted attack, such as pretending to be a supervisor requesting data access.

The Fix:
Employees should avoid sharing Personally Identifiable Information (PII) and specific job details or project names online. Employers must emphasize the importance of strict privacy settings and, if possible, provide social media guidelines that outline best practices for online interactions.

Access our Digital Footprint Checklist for Employees for actionable steps employees can take to reduce their digital footprint risk.

3. Failing to Enable Multi-Factor Authentication (MFA).

Why It’s Risky:
Multi-Factor Authentication (MFA), of which Two-Factor Authentication (2FA) is the most common form, adds a layer of protection by requiring an additional verification step when logging into an account: something the user has (an authenticator app, a hardware key) or is, in addition to the password they know. By relying on passwords alone, employees leave their accounts open to anyone who obtains the password, whether because it was weak, guessed, phished, or exposed in a previous breach.

How It Impacts Company Security:
Without MFA, a breached password can give attackers immediate access to sensitive data – from confidential company files to customer data. In the wrong hands, this data can be used to harm the business, damage its reputation, and disrupt operations.

The Fix:
Companies should require MFA for every employee account that has access to company resources and information. Where possible, prefer authenticator apps (e.g. Google Authenticator) that generate time-based one-time codes on the device, or better still hardware security keys (FIDO2/WebAuthn), over SMS codes: SMS can be intercepted or redirected through SIM-swap attacks, and unlike a security key, neither SMS nor app codes protect a user who types the code into a phishing page.

4. Ignoring App Permissions and Downloading Unverified Apps.

Why It’s Risky:
Downloading apps without verifying their legitimacy or reviewing permissions can expose personal information and sensitive data. Some apps request excessive permissions, like access to contacts, location data, or even the microphone and camera, which can be used maliciously if the app is compromised.

How It Impacts Company Security:
Malicious apps can collect data from personal and work devices, potentially leading to leaks of confidential information. For instance, a compromised app might gain access to contact lists or emails, which attackers could use to spread malware or phishing scams within the company.

The Fix:
Encourage employees to install apps only from official app stores, to review the requested permissions before installing, and to deny any permission the app does not need for its stated function (a flashlight app has no reason to read contacts). Ideally, limit work-related tasks to company-approved apps, and on personal devices that touch work data, enforce a baseline through mobile device management where possible.

5. Using Public Wi-Fi Without Proper Security Measures.

Why It’s Risky:
Public Wi-Fi networks are shared with strangers and usually lack the protections of a managed corporate network: no client isolation, open or shared-password encryption, and no guarantee that the access point is what it claims to be. Anything sent without end-to-end encryption, such as a plain-HTTP login or an unencrypted mail connection, can be read by anyone on the same network, and even encrypted traffic reveals which hosts a user is connecting to. Attackers on the same network can go further by running a rogue access point with the same name as the legitimate one (an "evil twin") or by poisoning ARP or DNS so that traffic passes through their machine, putting users at risk of credential theft, session hijacking and, from there, exposure of corporate data.

How It Impacts Company Security:
When employees connect to company resources over public Wi-Fi, they risk exposing sensitive information to whoever else is on that network. An attacker can capture credentials sent in the clear, read unencrypted email, or trick the device into connecting to a look-alike portal or host, and then use a captured login or session as a foothold into company systems.

The Fix:
Instruct employees to avoid accessing company resources or sensitive information on public Wi-Fi networks; a phone hotspot is usually the safer option. If they must use public Wi-Fi, they should connect through a reliable Virtual Private Network (VPN), which encrypts all traffic between the device and the VPN endpoint so that the local network sees neither content nor destinations. The VPN does not replace HTTPS, which still protects the connection beyond the VPN endpoint, and devices should be configured not to auto-join open networks.
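To show exactly what a passive observer on shared Wi-Fi recovers, here is an added example (not code from the original post) that plays that observer over three constructed packet payloads: a cleartext HTTP login, a TLS ClientHello, and a TLS application-data record. From the HTTP login it recovers the username and password; from the ClientHello it recovers only the destination hostname via the Server Name Indication (SNI) extension, which is precisely the metadata a VPN hides from the local network; from the encrypted record it recovers nothing. The ClientHello is built by a small constructed helper so the example runs offline.

```python
import struct
from urllib.parse import parse_qs

# Constructed capture: a form login over plain HTTP, fully readable on the wire.
CAPTURED_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"username=alice&password=Summer2023!"
)


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2-framed ClientHello carrying an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name      # name_type host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list        # extension type 0 = SNI
    extensions = struct.pack(">H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)                 # client_version, random (zeros: constructed)
            + b"\x00"                               # session_id length 0
            + struct.pack(">H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # compression methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        rec_len = struct.unpack(">H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                  # skip client_version and random
        p += 1 + body[p]                            # skip session_id
        p += 2 + struct.unpack(">H", body[p:p + 2])[0]   # skip cipher_suites
        p += 1 + body[p]                            # skip compression_methods
        end = p + 2 + struct.unpack(">H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_size = struct.unpack(">HH", body[p:p + 4])
            p += 4
            if ext_type == 0x0000:
                q = p + 2                           # skip server_name_list length
                name_len = struct.unpack(">H", body[q + 1:q + 3])[0]
                if body[q] == 0:
                    return body[q + 3:q + 3 + name_len].decode("ascii", "replace")
            p += ext_size
    except (IndexError, struct.error):
        pass
    return None


def extract_http_credentials(payload: bytes):
    """Cleartext HTTP: the request line, Host header and form body are all readable."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text.startswith(("POST ", "GET ")):
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    host = next((h.split(":", 1)[1].strip() for h in lines[1:] if h.lower().startswith("host:")), None)
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return {"host": host, "request": lines[0], "fields": fields}


def observe(payloads):
    """What a passive observer on the same network learns from each payload."""
    seen = []
    for p in payloads:
        creds = extract_http_credentials(p)
        if creds:
            seen.append(("cleartext-http", creds["host"], creds["fields"]))
            continue
        sni = extract_sni(p)
        seen.append(("tls-sni-only", sni, {}) if sni else ("opaque", None, {}))
    return seen


if __name__ == "__main__":
    for kind, host, fields in observe([CAPTURED_HTTP, build_client_hello("mail.example.com"),
                                       b"\x17\x03\x03\x00\x05hello"]):
        print(kind, host, fields)
```

The parser only walks the fixed ClientHello layout far enough to reach the extensions and deliberately ignores everything else; a real sniffer would also read the plaintext DNS query that precedes the connection, which leaks the same hostname. Both leaks disappear once the traffic is inside a VPN tunnel.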


Creating & Maintaining Employee Cybersecurity Awareness.

By addressing these common mistakes and emphasizing safe online practices, companies can empower their employees to contribute to a safer digital environment for both themselves and the organization. While individual actions may seem minor, they can have a cumulative impact on the company’s overall security. Fostering a culture of digital awareness and providing employees with the knowledge they need to minimize their risk can drastically reduce the chances of your company experiencing a costly cybersecurity incident.