- By simplygeeky, June 10, 2026
Security Guide
The Biggest Cybersecurity Mistakes People Still Make
Human error drives the majority of breaches — and the most dangerous habits are also the most common.
June 10, 2026 9 min read Simply Geeky Editorial
The biggest cybersecurity mistakes people make are rarely the result of sophisticated gaps in technical knowledge — they are, more often than not, entirely preventable habits that persist despite years of public awareness campaigns. According to research from Stanford University, roughly 88 percent of all cyberattacks are directly or indirectly linked to human error, a figure that has remained stubbornly consistent even as the tools available to defenders have grown more powerful. The global cost of a data breach reached an average of $4.88 million in 2024, according to IBM, underscoring that what looks like a minor lapse — a reused password, a delayed software update, a hurried click on a suspicious link — can carry consequences that are anything but minor. Understanding where people go wrong is the first and most practical step toward correcting it.
Password Hygiene
Reusing Weak Passwords Across Multiple Accounts
Password reuse remains one of the most documented and consequential security failures in the digital age. A 2025 study by the Cybernews research team analyzed more than 19 billion passwords exposed in data leaks and breaches occurring between April 2024 and mid-2025. Their findings were stark: only six percent of those passwords were classified as unique, meaning 94 percent were either reused or duplicated across accounts. The study also found that simple patterns — sequences like “123456,” common first names, and basic keyboard walks — still dominated the datasets in 2025, decades after security professionals began advising against them.
The practical danger of this habit lies in a category of automated attack known as credential stuffing. When one platform suffers a breach and usernames and passwords are leaked, attackers use automated tools to test those same credentials against banking portals, email providers, cloud services, and corporate logins. According to Verizon’s 2025 Data Breach Investigations Report, stolen credentials were the initial access vector in 22 percent of all confirmed breaches — more than any other single category. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has specifically flagged the absence of strong password policies as one of the most routinely exploited weaknesses in both consumer and enterprise environments.
94% of the 19 billion passwords analyzed in a 2025 Cybernews study were found to be reused or duplicated — leaving the vast majority of accounts exposed to credential stuffing attacks. (Cybernews, 2025)
The recommended countermeasures are well-established: use a password manager to generate and store long, unique credentials for every account, and avoid relying on memorable patterns tied to birthdays, names, or common phrases. Password managers reduce the cognitive burden that leads people to reuse credentials in the first place, and the most widely used ones store data in encrypted vaults that are not readable even by the service provider.
Authentication
Skipping Multi-Factor Authentication on Critical Accounts
Multi-factor authentication (MFA) — which requires a second form of verification beyond a password — is one of the most effective single controls available to both individuals and organizations, yet adoption remains uneven. According to DemandSage, approximately 70 percent of enterprise users had adopted some form of MFA by 2025. For small businesses, however, that figure dropped to roughly 30 to 35 percent. Among consumers, adoption varies widely depending on the service and the user’s familiarity with the technology.
Research cited in the FIDO Alliance’s 2024 authentication report found that enabling two-factor authentication can block up to 96 percent of bulk phishing attacks and 76 percent of targeted attacks. Despite this, many people disable or skip MFA because of the friction involved in the additional verification step — a trade-off that CISA has repeatedly described as a poor calculation. In a notable 2025 incident, the airline Qantas fell victim to a social engineering attack in which members of the hacker group Scattered Spider called the company’s helpdesk while impersonating employees, ultimately bypassing even active MFA protections by exploiting human trust rather than technical flaws.
It is also worth noting that not all MFA methods carry equal security weight. SMS-based codes are susceptible to SIM-swapping attacks, in which an attacker convinces a mobile carrier to transfer a victim’s phone number to a new SIM card. Authenticator apps and hardware security keys — which generate time-sensitive codes locally or require physical possession — provide considerably stronger protection. Security researchers have increasingly recommended that users avoid SMS-based MFA when more secure alternatives are available.
Top initial access vectors in confirmed breaches — Verizon DBIR 2025 & IBM Cost of a Data Breach 2024/2025
Phishing Awareness
Falling for Phishing Attacks and Social Engineering Tactics
Phishing — the practice of deceiving someone into revealing credentials or clicking a malicious link through a fraudulent communication — consistently ranks among the most prevalent attack methods targeting individuals and organizations alike. Comcast Business’s cybersecurity threat data indicates that phishing initiates between 80 and 95 percent of all human-associated breaches. IBM’s 2024 Cost of a Data Breach report found that phishing accounted for nearly 30 percent of all global breaches, at an average incident cost of $4.88 million per organization.
What makes phishing particularly resilient as an attack vector is that it has become dramatically more sophisticated. Modern phishing campaigns routinely impersonate trusted institutions — banks, government agencies, internal IT departments, and technology platforms — with visual accuracy that can make even attentive recipients uncertain. According to a 2024 report from Tech.co, a mere 1.6 percent of senior leaders can correctly identify a phishing scam when tested. The same report found that phishing-related data breaches surged across 2024, with 40 percent of business data breaches attributable to phishing, up from 23 percent in 2023.
Continue/Read Original Article: The Biggest Cybersecurity Mistakes People Still Make | Simply Geeky
