Employees are often the first line of defence against cyberattacks – but they can also be the weakest link. Their lack of awareness, carelessness or inappropriate behaviour can lead to serious security incidents. Here’s a list of the most common mistakes employees make and how to avoid them.
IT security is now of key importance for every business. Yet a single moment of carelessness can result in data loss or a privacy breach, and such lapses are often the first step in a larger cyberattack.
“Technologies and processes can help minimise risks, but if they’re not properly implemented or configured, the space for human error increases – along with the risk of a security breach,” explains our colleague Petr Kocmich, Global Cyber Security Delivery Manager.
So, what are the most common mistakes employees make?
Leaving your laptop or phone unattended in the office, a café or a meeting room, and even worse, unlocked, poses a serious security risk. An unprotected device can be a gateway through which sensitive company or customer data is leaked. Lock the screen whenever you step away, and keep the device with you rather than leaving it on the table.
Attackers use psychological tricks, known as social engineering, to gain your trust and acquire access credentials. Even a little carelessness can have serious consequences. One of the most common tactics is a Business Email Compromise (BEC) attack. In this scenario, the attacker pretends to be a high-level manager with decision-making power who sends a convincing email to the finance department requesting urgent payment of a fake invoice – sometimes even from an existing supplier. The email often includes fabricated details and bank account numbers.
This type of fraud exploits people’s trust and tendency to obey authority, allowing the attacker to bypass standard internal payment processes. The message may come from a spoofed sender address, from a lookalike domain that differs from the real one by a character or two, or from a genuine mailbox the attacker has already compromised. In every variant the attacker creates a sense of urgency to pressure staff into making an irregular payment without the usual checks. In such cases, verify the request with the manager through a separate channel, such as a phone call to a number you already know, never by replying to the email or calling a number given in it.
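The warning signs described above (an executive’s display name on an external or lookalike domain, a Reply-To that points somewhere else, urgency plus payment language) can be checked mechanically before a message reaches the finance inbox. The following is an added example written for this page, not code from the article or its author: it parses a raw email, scores those indicators and recommends holding the message for out-of-band verification. The corporate domain, the executive names, the keyword lists, the weights and both sample messages are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the company's real domain and the people an
# attacker is most likely to impersonate in a BEC email.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away|before close of business)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|bank account|iban|payment)\b", re.I)

# Substitutions commonly used to build lookalike domains (rn -> m, 0 -> o, ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Undo the usual confusable substitutions so exarnple.com reads example.com."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def is_lookalike(domain: str) -> bool:
    """True if the domain imitates the corporate domain without being it."""
    d = domain.lower()
    if not d or d == CORPORATE_DOMAIN:
        return False
    if d.startswith(CORPORATE_DOMAIN + "."):          # example.com.evil.net
        return True
    if normalise(d) == normalise(CORPORATE_DOMAIN):   # exarnple.com, examp1e.com
        return True
    return levenshtein(d, CORPORATE_DOMAIN) <= 2      # example.co, exampel.com


def _domain(header_value: str) -> str:
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


@dataclass
class Verdict:
    score: int
    hold: bool                      # True -> route to manual, out-of-band verification
    reasons: list = field(default_factory=list)


def assess(raw_message: str) -> Verdict:
    """Score one raw RFC 822 message for BEC indicators (weights are assumptions)."""
    msg = message_from_string(raw_message)
    name, _ = parseaddr(msg.get("From", ""))
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    reasons, score = [], 0
    if name.lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        reasons.append(f"display name '{name}' is an executive but sender domain is {from_domain}")
        score += 3
    if is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain} imitates {CORPORATE_DOMAIN}")
        score += 3
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        score += 2
    if URGENCY.search(text):
        reasons.append("urgency language")
        score += 1
    if PAYMENT.search(text):
        reasons.append("payment or bank-details language")
        score += 1
    return Verdict(score=score, hold=score >= 4, reasons=reasons)


# Constructed sample messages (not real traffic): one BEC attempt, one routine email.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: ceo.office@mail-example.net
To: finance@example.com
Subject: URGENT: supplier payment today

Hi, I'm in a meeting and can't take calls. Please transfer the attached
invoice right away to the supplier's new IBAN. Confirm once done.
"""

LEGIT_SAMPLE = """\
From: John Smith <john.smith@example.com>
To: finance@example.com
Subject: Q3 invoice approval

Please review the attached invoice when you have a moment. No rush.
"""

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, LEGIT_SAMPLE):
        v = assess(sample)
        print(f"score={v.score} hold={v.hold} reasons={v.reasons}")
```

The lookalike test errs on the side of flagging (a legitimate `examples.com` would also be caught), which is the right trade-off for a finance mailbox: the cost of a held message is a phone call, the cost of a missed one is a payment to the attacker. Note that the check says nothing about whether the sender really controls the mailbox; a message from a genuinely compromised account passes every domain test here, which is why the phone call to a known number remains the final control.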
Using weak passwords like “123456” or the names of pets and family members is still widespread and extremely risky. Attackers guess such passwords with dictionary and brute-force tools, seeded with public information from social media. Reusing the same password across multiple accounts – work or personal – creates a domino effect: once one service is breached, attackers try the leaked credentials against every other service (credential stuffing), and any account that shares the password falls with it. This is especially dangerous when a password is shared between work and personal accounts that are not protected by multi-factor authentication.
A password is personal and protects your access. Sharing it with colleagues – even briefly, for instance when their account gets locked after failed login attempts – is a risk. A shared password ends up in chat messages and sticky notes, can be misused, and makes it impossible to tell who actually did what under that account. A password is like a personal key – the more people have a copy, the less secure it becomes.
Leaving sensitive documents on a printer is like leaving your wallet unattended. Such materials can fall into the hands of unauthorised individuals.
Public Wi-Fi, such as in cafés, may be convenient, but it’s inherently risky. On an unsecured network, anyone nearby can see which services you connect to, redirect your traffic through a rogue hotspot with the same name, and read anything that isn’t encrypted, such as login credentials or card numbers sent over plain HTTP. Most websites now use HTTPS, which protects the content of each connection, but not every application does, and the attacker still sees where you are connecting. If you’re handling work matters over such a connection, they may also gain access to company data. Without a VPN that encrypts all of your traffic, using public Wi-Fi is like sending important documents on a postcard – anyone along the way can read them.
Outdated software may contain vulnerabilities easy for attackers to exploit. That’s why regular updates are essential, both on company and personal devices, to patch these security gaps.
Any suspicious emails, text messages, or unauthorised individuals on the premises should be reported immediately – ideally to the IT or security team, or at least to your supervisor. The sooner an incident is reported, the smaller the damage; an unreported incident can escalate, and an attacker who goes unnoticed simply continues their activity.
While mandatory work training sessions may not always be thrilling, it’s vital to pay attention. You might learn something new and understand what specific rules apply within your company. Cybersecurity tips can also be useful in your personal life.
Just like you wouldn’t let strangers walk freely through your home, don’t allow unauthorised people to roam your offices or warehouses unless they have verified permission.
Likewise, leaving office doors (or windows) unlocked is not a good idea, as someone can easily enter, even in broad daylight. Someone posing as a delivery person, for example, could sneak in – not with a parcel, but rather with the intention to steal your work or personal devices, access cards, or even plug in a device to gain remote access or extract data from logged-in devices.
These days, much of our work can be done on a smartphone without physically being in the office, so you may find yourself answering emails in a café, a library or on a tram. If that is the case, be mindful of who might be peeking over your shoulder and reading your communication. This is known as shoulder surfing – someone secretly watching you type in login details or other sensitive information.
Prevention is key. “Employees need to understand that their digital habits affect not only their own work but the security of the entire company. Practising good IT hygiene isn’t just a formality. It’s a crucial step in protecting against growing cyber threats,” concludes Petr Kocmich.
By avoiding these common mistakes, you can protect not only company data but also your own reputation and career. Be IT responsible – it pays off.