Employee behaviours inside organisations are most likely to trigger a data breach, with small habits scaling into a larger systemic risk. The human factor in cybercrime is often underestimated, but could be costing organisations millions of pounds worth of damage in data leaks, meaning companies cannot afford to overlook the digital habits of their workforce.
Cybersecurity experts FLR Spectron have identified the key ways in which employees may be putting their organisation at risk of cybercrime.
5 everyday employee habits that lead to data breaches
Below are five ways that employees may be undermining the cybersecurity of their organisation:
-
Password reuse across work and personal accounts
According to a 2025 NordPass survey, nearly two-thirds of users admit to using a single password across multiple accounts. An employee using the same password for work and personal accounts is a dangerous habit for company systems. A hacker may gain access to a personal account, such as online banking, and try the same password again to sign into a work email account. The result is recycled passwords compromising cybersecurity with a chance of data leaks occurring on a huge scale.
-
Using public Wi-fi for work tasks
Connecting to public Wi-fi can compromise data, login details and financial information by allowing cybercriminals to create ‘Man-in-the-middle-attacks’. This is where criminals place themselves between your device and the Wi-fi hotspot, allowing them to read and intercept all data. They can also hijack sessions on the work system, by stealing ‘cookies’ to impersonate employees without needing passwords.
This point brings up the issue of remote working vulnerability. Logging into ‘secure’ public Wi-fi in a co-working space or even when working on the go on public transport may be putting work accounts at risk.
-
Clicking QR codes or unverified links
Employees are at risk of unknowingly leaking data via clicking on links in phishing emails and the rise of QR phishing (often referred to as ‘quishing’). This is where fraudulent QR codes are used to trick users into visiting malicious websites or downloading harmful content. Many of these QR codes steal sensitive data and login credentials, making it a highly intelligent cybersecurity scam.
-
Storing passwords in browsers or Notes app on phone
If a work mobile device is hacked or physically stolen, the criminal will then have access to any passwords stored in Notes apps, or kept in the auto-fill feature.
-
Forwarding work emails to personal accounts
It is generally bad practice to forward work emails to a personal account, as a personal email account will lack the advanced security of a corporate email system. Forwarding work emails may open the organisation up to compromises in cybersecurity, and even legal penalties if it contains sensitive customer information.
How to strengthen cybersecurity in the workforce
-
Create unique passwords
The more a password is reused, the more opportunities for cybercriminals to access data. For businesses, a password leak can cause a whole host of breaches and account theft. Employees should protect their work accounts by creating unique, secure passwords that incorporate a long phrase of up to 16+ characters, a mix of upper and lower case letters, numbers, and where applicable, symbols to heighten complexity.
-
Use a mobile hotspot instead of public Wi-fi
To limit the risk of hackers accessing work data via public Wi-fi, encourage remote or hybrid employees to utilise mobile hotspots. Whilst not entirely risk-free, these hotspots require password protection and can reduce the chance of an attack by protecting you from data interception. Likewise, using a VPN (Virtual Private Network) can provide protection on public Wi-fi, ensuring online privacy and encryption of data on untrusted networks.
-
Provide phishing emails and scams training
Improve employee awareness and knowledge of phishing emails and potential malware scams to reduce the risk of clicking on external hacking attempts. The National Cyber Security Centre advises that organisations create an environment that encourages users to report phishing attempts, whilst minimising disruption to productivity. Phishing training can also be utilised, with fake phishing emails sent to users so they can be aware of what to look for.
-
Encourage employees to avoid using auto-fill
Along with creating unique passwords as part of their login credentials, encouraging employees to avoid using auto-fill features on work systems and not storing passwords will lower the potential risk of a cyber security issue.
-
Prohibit the use of personal emails for business tasks
With a combination of training and making it easier for employees to use their business email accounts if working remotely, you can limit the need for personal email accounts being used for business related tasks.
Protect your organisation against cybercrime from within
With hackers quickly identifying new ways to exploit organisations of all sizes, it is imperative to enhance internal cybersecurity starting with the workforce.
Kamran Bahdur, Chief Information Officer at FLR Spectron says, ‘Most cyber breaches don’t start with elite hackers, they start with everyday habits. Reused passwords, unsafe remote working, and momentary lapses in judgement are still some of the biggest risks facing UK organisations. Cybersecurity today is as much about shaping secure behaviours as it is deploying the right technology.
The biggest cyber risk to UK businesses isn’t sophisticated attackers, but the small, everyday behaviours that bypass security controls. Organisations that fail to address human risk alongside technology are leaving the door open to preventable breaches.’