The Biggest Cybersecurity Mistakes People Still Make
Human error drives the majority of breaches — and the most dangerous habits are also the most common.
The biggest cybersecurity mistakes people make are rarely the result of sophisticated gaps in technical knowledge — they are, more often than not, entirely preventable habits that persist despite years of public awareness campaigns. According to research from Stanford University, roughly 88 percent of all cyberattacks are directly or indirectly linked to human error, a figure that has remained stubbornly consistent even as the tools available to defenders have grown more powerful. The global cost of a data breach reached an average of $4.88 million in 2024, according to IBM, underscoring that what looks like a minor lapse — a reused password, a delayed software update, a hurried click on a suspicious link — can carry consequences that are anything but minor. Understanding where people go wrong is the first and most practical step toward correcting it.
Reusing Weak Passwords Across Multiple Accounts
Password reuse remains one of the most documented and consequential security failures in the digital age. A 2025 study by the Cybernews research team analyzed more than 19 billion passwords exposed in data leaks and breaches occurring between April 2024 and mid-2025. Their findings were stark: only six percent of those passwords were classified as unique, meaning 94 percent were either reused or duplicated across accounts. The study also found that simple patterns — sequences like “123456,” common first names, and basic keyboard walks — still dominated the datasets in 2025, decades after security professionals began advising against them.
The practical danger of this habit lies in a category of automated attack known as credential stuffing. When one platform suffers a breach and usernames and passwords are leaked, attackers use automated tools to test those same credentials against banking portals, email providers, cloud services, and corporate logins. According to Verizon’s 2025 Data Breach Investigations Report, stolen credentials were the initial access vector in 22 percent of all confirmed breaches — more than any other single category. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has specifically flagged the absence of strong password policies as one of the most routinely exploited weaknesses in both consumer and enterprise environments.
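The credential-stuffing pattern described above is also what a defender looks for in authentication logs. The following Python script is an added example, not part of the original article or any vendor's product: it runs a simple detection over a constructed log sample (the line format, IP addresses and usernames are invented for illustration) and separates a stuffing burst from an ordinary user mistyping one password.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). Assumed line format:
#   <timestamp> <client_ip> LOGIN <OK|FAIL> user=<username>
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 203.0.113.7 LOGIN FAIL user=alice
2025-03-01T10:00:02Z 203.0.113.7 LOGIN FAIL user=bob
2025-03-01T10:00:02Z 203.0.113.7 LOGIN OK user=carol
2025-03-01T10:00:03Z 203.0.113.7 LOGIN FAIL user=dave
2025-03-01T10:00:03Z 203.0.113.7 LOGIN FAIL user=erin
2025-03-01T10:00:04Z 203.0.113.7 LOGIN FAIL user=frank
2025-03-01T10:00:04Z 203.0.113.7 LOGIN OK user=grace
2025-03-01T10:05:00Z 198.51.100.20 LOGIN FAIL user=alice
2025-03-01T10:05:10Z 198.51.100.20 LOGIN FAIL user=alice
2025-03-01T10:05:20Z 198.51.100.20 LOGIN OK user=alice
2025-03-01T10:06:00Z 192.0.2.55 LOGIN OK user=heidi
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def stuffing_suspects(text, min_distinct_users=5, max_attempts_per_user=2.0):
    """Flag source IPs whose traffic looks like credential stuffing.

    The signature is the inverse of brute force: many *different* usernames from one
    source, each tried only once or twice, because the attacker already holds one
    leaked password per account. A single account failing repeatedly from one IP
    (198.51.100.20 above) is far more likely a forgotten password, so it is not flagged.
    """
    stats = defaultdict(lambda: {"users": set(), "ok_users": set(), "fail": 0, "ok": 0})
    for rec in parse_log(text):
        s = stats[rec["ip"]]
        s["users"].add(rec["user"])
        if rec["result"] == "OK":
            s["ok"] += 1
            s["ok_users"].add(rec["user"])
        else:
            s["fail"] += 1

    suspects = {}
    for ip, s in stats.items():
        distinct = len(s["users"])
        attempts = s["ok"] + s["fail"]
        if distinct >= min_distinct_users and attempts / distinct <= max_attempts_per_user:
            suspects[ip] = {
                "distinct_users": distinct,
                "failures": s["fail"],
                # Successful logins inside a stuffing burst are the accounts whose
                # reused password worked: those need a forced reset, not just an IP block.
                "likely_compromised": sorted(s["ok_users"]),
            }
    return suspects


if __name__ == "__main__":
    for ip, info in stuffing_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

The thresholds are starting points, not magic numbers: on a real identity provider you would tune them per endpoint and rate the finding higher when the source is a hosting provider or anonymising proxy. The `likely_compromised` list is the operationally important output, because those users are the ones whose reused password has just been confirmed.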
The recommended countermeasures are well-established: use a password manager to generate and store long, unique credentials for every account, and avoid relying on memorable patterns tied to birthdays, names, or common phrases. Password managers reduce the cognitive burden that leads people to reuse credentials in the first place, and the most widely used ones store data in vaults encrypted with a key derived from the master password, so the contents are not readable even by the service provider. That design makes the master password the one credential that must be both long and never reused, and the vault account itself should be protected with multi-factor authentication.
Skipping Multi-Factor Authentication on Critical Accounts
Multi-factor authentication (MFA) — which requires a second form of verification beyond a password — is one of the most effective single controls available to both individuals and organizations, yet adoption remains uneven. According to DemandSage, approximately 70 percent of enterprise users had adopted some form of MFA by 2025. For small businesses, however, that figure dropped to roughly 30 to 35 percent. Among consumers, adoption varies widely depending on the service and the user’s familiarity with the technology.
Research cited in the FIDO Alliance’s 2024 authentication report found that enabling two-factor authentication can block up to 96 percent of bulk phishing attacks and 76 percent of targeted attacks. Despite this, many people disable or skip MFA because of the friction involved in the additional verification step — a trade-off that CISA has repeatedly described as a poor calculation. In a notable 2025 incident, the airline Qantas fell victim to a social engineering attack in which members of the hacker group Scattered Spider called the company’s helpdesk while impersonating employees, ultimately bypassing even active MFA protections by exploiting human trust rather than technical flaws.
It is also worth noting that not all MFA methods carry equal security weight. SMS-based codes are susceptible to SIM-swapping attacks, in which an attacker convinces a mobile carrier to transfer a victim's phone number to a new SIM card, and they are readable by anyone who has already taken over the phone account. Authenticator apps generate time-based one-time codes locally on the device, which removes the carrier from the loop, but a code typed into a convincing fake login page can still be relayed to the real site within its validity window. Hardware security keys and passkeys built on FIDO2/WebAuthn go further: the credential is bound to the website's origin and never leaves the device, so a lookalike domain cannot obtain a usable login. CISA and security researchers accordingly recommend avoiding SMS-based MFA when more secure alternatives are available, and treating FIDO-based methods as the phishing-resistant option.
[Chart: Top initial access vectors in confirmed breaches. Sources: Verizon DBIR 2025; IBM Cost of a Data Breach 2024/2025]
Falling for Phishing Attacks and Social Engineering Tactics
Phishing — the practice of deceiving someone into revealing credentials or clicking a malicious link through a fraudulent communication — consistently ranks among the most prevalent attack methods targeting individuals and organizations alike. Comcast Business’s cybersecurity threat data indicates that phishing initiates between 80 and 95 percent of all human-associated breaches. IBM’s 2024 Cost of a Data Breach report found that phishing accounted for nearly 30 percent of all global breaches, at an average incident cost of $4.88 million per organization.
What makes phishing particularly resilient as an attack vector is that it has become dramatically more sophisticated. Modern phishing campaigns routinely impersonate trusted institutions — banks, government agencies, internal IT departments, and technology platforms — with visual accuracy that can make even attentive recipients uncertain. According to a 2024 report from Tech.co, a mere 1.6 percent of senior leaders can correctly identify a phishing scam when tested. The same report found that phishing-related data breaches surged across 2024, with 40 percent of business data breaches attributable to phishing, up from 23 percent in 2023.
A newer variant that has drawn significant attention is adversary-in-the-middle (AiTM) phishing, in which a proxy site sits between the victim and the real login page and captures not just the password but the session cookie issued after a successful MFA step, allowing the attacker to use the authenticated session directly. Security researchers have documented an increase in phishing kits built to relay one-time codes in real time, which works because a code typed into the proxy is still valid when forwarded to the legitimate site a few seconds later. Phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) defeats this at the technical level, since the credential is bound to the genuine site's origin and a lookalike domain receives nothing it can replay. The most effective individual defense remains skepticism toward unsolicited communications that request credentials, create urgency, or direct users to log in through an unfamiliar link, regardless of how legitimate the sender appears.
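The origin check that makes FIDO2/WebAuthn credentials resistant to the adversary-in-the-middle kits described above, as an added Python example that is not part of the article and does not reproduce any particular library: the relying-party ID login.example.com, the origins, the fixed challenge and the proxy domain login.example-secure.com are all hypothetical, and signature verification with the credential's public key is left out so the block runs without a cryptography dependency.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "login.example.com"                   # hypothetical relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # hypothetical genuine origin


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin, challenge):
    """What the *browser* (never the page's JavaScript) serialises as clientDataJSON.

    It fills in the origin the request actually came from, and the authenticator
    signs over SHA-256 of these exact bytes, so the field cannot be edited afterwards.
    """
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id, counter, flags=0x05):
    """authenticatorData = SHA-256(rpId) || flags (UP=0x01, UV=0x04) || 32-bit signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def check_assertion(client_data_json, authenticator_data, expected_challenge,
                    expected_origin=EXPECTED_ORIGIN, rp_id=RP_ID):
    """The relying-party checks that make the credential phishing-resistant.

    Returns (ok, reason, signed_payload). Verifying the signature over signed_payload
    with the stored credential public key is the final step a WebAuthn library performs;
    it is omitted here.
    """
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "type mismatch", None
    if not hmac.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay)", None
    if data.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(data.get("origin")), None
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch", None
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set", None
    signed_payload = authenticator_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed_payload


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real server issues os.urandom(32) per login
    auth_data = make_authenticator_data(RP_ID, counter=7)
    # Genuine login from the real site.
    print(check_assertion(make_client_data("https://login.example.com", challenge), auth_data, challenge)[:2])
    # AiTM proxy: the victim's browser is really talking to the proxy's domain, so that
    # domain is what ends up in clientDataJSON and under the signature. The relying party
    # rejects it, and the attacker cannot rewrite the origin without breaking the signature.
    print(check_assertion(make_client_data("https://login.example-secure.com", challenge), auth_data, challenge)[:2])
```

In practice the proxy case fails even earlier: a browser on login.example-secure.com will not present a credential scoped to the rpId login.example.com at all, because the rpId must be a registrable suffix of the page's domain. The server-side check above is the defence in depth for a browser that misbehaves.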
Delaying Security Patches and Software Updates
The failure to apply software updates promptly is one of the most technically consequential cybersecurity mistakes in both home and enterprise contexts. When vendors release patches, they are typically addressing documented vulnerabilities — flaws that, once announced publicly, become active targets for attackers who reverse-engineer the fix to understand the underlying weakness. According to research cited by Automox, approximately 60 percent of organizations that experienced a data breach in 2024 identified a known, unpatched vulnerability as the root cause of that breach.
The window between a patch’s release and active exploitation has narrowed considerably. Research reported by Automox placed the mean time to exploit for critical vulnerabilities at approximately five days in 2024 — meaning organizations that delay routine updates by even a week or two may be operating with publicly known holes. Sophos’ 2024 State of Ransomware report found that 32 percent of ransomware attacks that year began through an unpatched vulnerability. Meanwhile, TuxCare’s 2025 open-source industry survey found that 60.4 percent of cybersecurity incidents in enterprise open-source environments involved a vulnerability for which a patch had already been made available but not applied.
For individual users, the most practical action is to enable automatic updates on operating systems, browsers, and applications wherever possible. Browsers in particular are a high-priority surface, as they are the primary tool through which users encounter malicious code. Avoiding software that has reached its end-of-life (EOL) status — and therefore no longer receives security updates from the vendor — is equally important. Running an EOL operating system, even on a device used only occasionally, creates a permanently open entry point that no amount of vigilance can fully compensate for.
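A patch-gap check of the kind the five-day exploitation window calls for, as an added example in Python that is not taken from the article or from Automox: the advisory list, host inventory, version numbers and release dates are constructed placeholders rather than real advisories, and the version comparison assumes plain dotted numeric versions.

```python
from datetime import date

# Constructed advisory feed and inventory for illustration only: the package names are
# real projects, but the version numbers and dates are placeholders, not actual advisories.
ADVISORIES = [
    {"package": "openssl", "fixed_version": "3.0.15", "released": date(2025, 2, 3), "severity": "critical"},
    {"package": "curl",    "fixed_version": "8.12.1", "released": date(2025, 2, 10), "severity": "high"},
    {"package": "nginx",   "fixed_version": "1.26.3", "released": date(2025, 1, 15), "severity": "high"},
]
INVENTORY = {
    "web-01": {"openssl": "3.0.13", "curl": "8.12.1", "nginx": "1.26.3"},
    "web-02": {"openssl": "3.0.15", "curl": "8.11.0", "nginx": "1.26.2"},
}
# Days allowed between fix release and deployment, sized to the ~5-day mean time to exploit.
SLA_DAYS = {"critical": 5, "high": 14}
AS_OF = date(2025, 2, 14)  # constructed "today" so the report is reproducible


def parse_version(version):
    """Plain dotted numeric versions only. Distribution packages (epochs, '-1ubuntu2'
    revisions) need the distribution's own comparator, e.g. `dpkg --compare-versions`."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(inventory, advisories, today):
    """List every host/package still below the fixed version, with how long it has been
    exposed since the fix shipped and whether that exceeds the severity SLA."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None or parse_version(installed) >= parse_version(adv["fixed_version"]):
                continue
            exposed = (today - adv["released"]).days
            findings.append({
                "host": host,
                "package": adv["package"],
                "installed": installed,
                "fixed_version": adv["fixed_version"],
                "days_exposed": exposed,
                "overdue": exposed > SLA_DAYS[adv["severity"]],
            })
    return findings


if __name__ == "__main__":
    for f in missing_patches(INVENTORY, ADVISORIES, AS_OF):
        flag = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['host']}: {f['package']} {f['installed']} < {f['fixed_version']} "
              f"({f['days_exposed']} days exposed, {flag})")
```

The useful column is `days_exposed`, measured from the vendor's fix date rather than from when the scanner first noticed: that is the number an attacker reverse-engineering the patch is working against.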
Using Unsecured Public Wi-Fi Without Protection
Public Wi-Fi networks — in cafés, hotels, airports, and libraries — present a well-documented but frequently underestimated risk. Because these networks often lack encryption between the user’s device and the router, a technically capable attacker on the same network may intercept traffic or conduct man-in-the-middle attacks. According to Tech.co’s 2024 Impact of Technology on the Workplace survey, 15 percent of reported data breaches originated from unsecured Wi-Fi networks or intercepted data — risks directly mitigated by the use of a virtual private network (VPN). The same survey found that 59 percent of businesses are not using a VPN at all.
The risk is amplified by the fact that many users connect to public networks without considering whether the network itself is legitimate. A tactic known as an “evil twin” attack involves an attacker broadcasting a Wi-Fi network with a name that closely mimics a legitimate one — such as “Airport_WiFi_Free” versus an official airport network — to lure users into connecting through their equipment. Once connected, users may transmit login credentials, session tokens, and sensitive communications to an attacker who is intercepting the traffic in real time.
CISA’s published guidance on public wireless networks recommends that users avoid accessing sensitive accounts or conducting financial transactions on public Wi-Fi without a VPN, verify network names with staff before connecting, and ensure that websites visited are using HTTPS. For frequent travelers or remote workers, a reputable commercial VPN provides a layer of encryption that makes traffic interception on a public network significantly more difficult, though not impossible against sufficiently resourced adversaries.
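The evil-twin scenario above can be screened for before connecting. The following Python is an added example, not part of the article or of CISA's guidance: it parses scan output in the shape of `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY dev wifi list` (the sample lines and MAC addresses are constructed) and applies three heuristics: an open network carrying the same name as a secured one, one SSID served from two vendors' hardware, and a name that is a near-match to a trusted SSID.

```python
import re
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Constructed scan output shaped like `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY dev wifi list`
# (terse mode separates fields with ':' and escapes the colons inside the BSSID as '\:').
# An empty SECURITY field means an open network.
SAMPLE_SCAN = r"""
Airport_WiFi:AA\:BB\:CC\:11\:22\:33:70:WPA2
Airport_WiFi:AA\:BB\:CC\:11\:22\:34:65:WPA2
Airport_WiFi:DE\:AD\:BE\:EF\:00\:01:85:
Airport_WiFi_Free:DE\:AD\:BE\:EF\:00\:02:88:
CoffeeShop:00\:11\:22\:33\:44\:55:40:WPA2
""".strip()

FIELD_SPLIT = re.compile(r"(?<!\\):")  # split on colons that are not escaped


def parse_scan(text):
    networks = []
    for line in text.splitlines():
        fields = [f.replace("\\:", ":") for f in FIELD_SPLIT.split(line)]
        if len(fields) != 4:
            continue
        ssid, bssid, signal, security = fields
        networks.append({"ssid": ssid, "bssid": bssid.upper(), "signal": int(signal),
                         "open": security in ("", "--")})
    return networks


def _normalise(ssid):
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def evil_twin_findings(networks, trusted_ssids, lookalike_threshold=0.8):
    """Return {bssid: [reason, ...]} for access points worth distrusting.

    These are leads, not proof; a legitimate multi-vendor deployment can trip them.
      open_variant_of_secured_ssid: the same SSID is seen both encrypted and open.
      mixed_vendor_oui: one SSID is served by APs whose MAC prefixes (OUIs) differ;
                        the minority vendor is flagged.
      lookalike_ssid: the name is close to, but not identical to, a trusted SSID.
    """
    reasons = defaultdict(set)
    by_ssid = defaultdict(list)
    for n in networks:
        by_ssid[n["ssid"]].append(n)

    for ssid, aps in by_ssid.items():
        if any(a["open"] for a in aps) and any(not a["open"] for a in aps):
            for a in aps:
                if a["open"]:
                    reasons[a["bssid"]].add("open_variant_of_secured_ssid")
        ouis = Counter(a["bssid"][:8] for a in aps)
        if len(ouis) > 1:
            majority = ouis.most_common(1)[0][0]
            for a in aps:
                if a["bssid"][:8] != majority:
                    reasons[a["bssid"]].add("mixed_vendor_oui")

    trusted_norm = {_normalise(t) for t in trusted_ssids}
    for n in networks:
        if n["ssid"] in trusted_ssids:
            continue
        norm = _normalise(n["ssid"])
        if any(SequenceMatcher(None, norm, t).ratio() >= lookalike_threshold for t in trusted_norm):
            reasons[n["bssid"]].add("lookalike_ssid")

    return {bssid: sorted(r) for bssid, r in sorted(reasons.items())}


if __name__ == "__main__":
    for bssid, why in evil_twin_findings(parse_scan(SAMPLE_SCAN), {"Airport_WiFi"}).items():
        print(bssid, why)
```

The trusted-SSID set is the one input the script cannot derive for you; it is exactly the "verify the network name with staff" step from the guidance above, turned into data. Connecting to a flagged network is not automatically wrong, but it is the moment to insist on the VPN and HTTPS-only browsing.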
Neglecting Regular Data Backups and Recovery Planning
Ransomware — malware that encrypts a victim’s files and demands payment for the decryption key — has become one of the most operationally damaging categories of cybercrime. According to the FBI’s Internet Crime Complaint Center (IC3) 2024 report, ransomware complaints increased 9 percent year over year, with the agency designating it the most pervasive threat to critical infrastructure. Recovery from a ransomware attack cost organizations an average of $2.73 million in 2024, according to JumpCloud’s annual cybersecurity data. Sophos reported that 70 percent of successful ransomware attacks resulted in encrypted data.
One of the most effective defenses against ransomware is one of the least glamorous: maintaining current, tested backups of important data, stored where the primary network cannot reach them. The 3-2-1 backup strategy (three copies of data, on two different media types, with one copy stored offsite or in cloud infrastructure) is a guideline endorsed by CISA and commonly referenced in enterprise recovery planning. The "cannot reach them" qualifier matters: ransomware operators routinely look for backup shares and cloud accounts that are reachable from the compromised host and encrypt or delete those first, so at least one copy should be offline or held in storage that only permits adding new versions. Without a reliable backup, the choice following a ransomware attack becomes either paying a ransom with no guarantee of data recovery or accepting permanent data loss.
Individual users often neglect backup routines because the consequences feel abstract until an incident occurs. Cloud synchronization services such as those provided by major technology companies offer a convenient baseline, but they are not a complete substitute for a dedicated backup strategy. Some ransomware variants are specifically designed to target cloud sync folders, overwriting clean files with encrypted versions before the attack is detected. A backup that is physically disconnected from the network — or stored through a versioned cloud service that retains historical copies — provides protection that a live sync folder cannot.
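The difference between a sync folder and a versioned, tested backup, as an added Python example that is not from the article: each snapshot is written to its own directory with a SHA-256 manifest, the restore path refuses a snapshot that fails verification, and a simulated attack (random bytes written over the source files, then a rename; constructed, not malware) shows that the earlier snapshot survives while the source does not. Where the snapshot directory lives (an offline disk, or object storage the production host cannot overwrite) is the deployment decision the code assumes rather than enforces.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(root):
    """(relative posix path, absolute Path) for every regular file under root."""
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            yield p.relative_to(root).as_posix(), p


def snapshot(src, backup_root, label):
    """Copy src into backup_root/<label>/data and record SHA-256 of every file in a manifest.

    Each call creates a separate, never-overwritten snapshot. That is what separates a
    backup from a sync folder: corruption of src later does not propagate into old snapshots.
    """
    dest = Path(backup_root) / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists; snapshots are immutable")
    shutil.copytree(src, dest / "data")
    manifest = {rel: sha256_file(p) for rel, p in _files(dest / "data")}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify_snapshot(snap):
    """Return the relative paths that are missing or whose hash no longer matches the manifest."""
    snap = Path(snap)
    manifest = json.loads((snap / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (snap / "data" / rel).is_file() or sha256_file(snap / "data" / rel) != digest]


def restore(snap, target):
    """Restore a snapshot into target, but only after it verifies (the 'tested' in 'tested backups')."""
    problems = verify_snapshot(snap)
    if problems:
        raise ValueError(f"refusing to restore a damaged snapshot: {problems}")
    shutil.copytree(Path(snap) / "data", target, dirs_exist_ok=True)
    return Path(target)


def simulate_ransomware(directory):
    """Stand-in for an encrypting payload: overwrite every file with random bytes and rename it.
    This is only the event the snapshot must survive, not real malware behaviour."""
    for rel, p in list(_files(directory)):
        p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
        p.rename(p.with_name(p.name + ".locked"))


def run_demo():
    """End-to-end exercise in a temporary directory; returns the observations as a dict."""
    tmp = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src = tmp / "documents"
    (src / "sub").mkdir(parents=True)
    (src / "notes.txt").write_text("quarterly plan")          # constructed sample data
    (src / "sub" / "ledger.csv").write_text("a,b\n1,2\n")
    snap = snapshot(src, tmp / "backups", "snap-001")
    simulate_ransomware(src)
    result = {"source_after_attack": sorted(rel for rel, _ in _files(src)),
              "snapshot_problems_after_attack": verify_snapshot(snap)}
    restored = restore(snap, tmp / "restore")
    result["restored_notes"] = (restored / "notes.txt").read_text()
    result["restored_ledger"] = (restored / "sub" / "ledger.csv").read_text()
    (snap / "data" / "notes.txt").write_text("tampered")       # later damage to the backup media
    result["snapshot_problems_after_tamper"] = verify_snapshot(snap)
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The manifest is what turns "we have a backup" into "we have a backup we can prove is intact", and `restore` refusing unverified data is the habit that catches silent media corruption before the day you actually need the copy.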
Oversharing Personal Information Online and on Social Media
The information people voluntarily share on social media platforms and other public digital spaces is routinely harvested and weaponized in targeted attacks. Details such as a person’s employer, job title, family members’ names, recent travel, alma mater, and favorite sports teams — all common fixtures on social media profiles — are precisely the categories of information that attackers use to craft convincing spear-phishing messages or to answer security questions on account recovery pages. The Experian 2023 Identity and Fraud Report identified synthetic identity fraud — constructed from real details gathered across multiple sources — as responsible for over 80 percent of new account fraud, with social media serving as a key data source for assembling those identities.
The problem extends beyond individual actors. Social engineering tactics used in corporate environments frequently rely on the organizational detail that employees make visible on professional networking platforms. Knowing a company’s internal structure, team names, ongoing projects, or recent hires — information often gleaned from publicly available profiles — can allow an attacker to craft a convincing impersonation of an internal colleague or executive. Javelin Strategy & Research’s 2025 Identity Fraud Study reported that consumers lost $27.2 billion to identity fraud in 2024, a 19 percent increase from the prior year. Security practitioners commonly advise users to audit what personal information is publicly accessible on their profiles and to avoid making details public that could be used to guess passwords or answer account recovery questions.
Leaving Devices Unlocked and Unprotected in Shared Spaces
Physical security is an aspect of cybersecurity that digital-focused guidance sometimes underemphasizes, but it remains a meaningful vector of compromise. An unlocked laptop or mobile phone left unattended for even a brief period in a shared space — an office, a library, a conference room, a café — can be accessed in seconds. Data can be copied, credentials can be captured through a keylogger installed on the spot, or the device can simply be stolen. The FBI’s IC3 report has consistently included device theft as a precursor to identity theft and financial fraud in its annual data.
Beyond leaving devices physically unattended, many users do not encrypt the storage on their devices, meaning that a stolen device can yield all of its data without needing to bypass the operating system login. Full disk encryption — which is enabled by default on most modern smartphones and available on major desktop operating systems — protects data at rest by making it unreadable without the correct authentication credential. CISA has recommended enabling device encryption, setting strong lock screen PINs or passwords (rather than simple swipe patterns), and enabling remote wipe capabilities on smartphones and laptops, which allow the owner to erase the device’s data remotely if it is reported stolen.
Sources Referenced
- IBM Cost of a Data Breach Report 2024 and 2025
- Verizon Data Breach Investigations Report (DBIR), 2024 and 2025 editions
- Stanford University research on human error in cybersecurity
- Cybernews Research Team — 2025 Password Leak Study (19 billion credential analysis)
- U.S. Cybersecurity and Infrastructure Security Agency (CISA) — cybersecurity advisories and guidance
- Sophos 2024 State of Ransomware Report
- FBI Internet Crime Complaint Center (IC3) 2024 Annual Report
- FIDO Alliance — 2024 Authentication Report
- Automox — Unpatched Vulnerabilities and Patch Management Research, 2024
- TuxCare — 2025 Open-Source Industry Cybersecurity Survey
- Tech.co — 2024 Impact of Technology on the Workplace Report
- Javelin Strategy & Research — 2025 Identity Fraud Study
- Experian — 2023 Identity and Fraud Report
- HeyData — Human Weaknesses in Cybersecurity 2025 (citing Proofpoint data)
- Comcast Business Cybersecurity Threat Report
The Human Factor Is Still the Front Line of Defense
The data is consistent and difficult to dismiss: the most significant cybersecurity mistakes are not the product of exotic technical exploits but of everyday habits that have been allowed to persist. Reusing passwords, skipping multi-factor authentication, clicking without caution, delaying updates, and neglecting backups are not obscure oversights — they are the documented root causes behind the majority of costly breaches recorded in 2024 and 2025. Correcting them does not require specialized technical expertise. It requires treating digital security as a standing practice rather than an occasional concern. The individuals and organizations that manage that shift consistently prove harder to breach, not because their systems are impenetrable, but because they close the most predictable doors.