In 2023, the average cost of a data breach reached $4.45 million for organizations — and individual victims of identity theft spent an average of 200 hours recovering from the aftermath. What's alarming isn't the scale of these incidents but the cause: Verizon's annual Data Breach Investigations Report consistently finds that over 74% of breaches involve the human element, meaning mistakes people make rather than failures of technical systems.
The seven mistakes below aren't hypothetical — they're the specific behaviors that cybersecurity researchers and incident responders see repeatedly in breach investigations. Each one is entirely preventable. The question is whether you're making any of them right now.
Mistake 1: Reusing Passwords Across Multiple Accounts
Password reuse is the most widespread and consequential security mistake people make. When any website you use suffers a data breach (and breaches happen constantly — Have I Been Pwned lists over 12 billion compromised accounts), hackers immediately try those stolen username/password combinations on Gmail, banking sites, PayPal, and Amazon. This automated attack, called credential stuffing, succeeds at massive scale precisely because people reuse passwords.
The fix is absolute: use a unique, randomly generated password for every account. This sounds impossible to manage — and it is, if you're trying to remember them. A password manager (Bitwarden is free and open-source; 1Password and Dashlane are excellent paid options) generates and stores unlimited unique passwords. You memorize one strong master password; it handles everything else.
Mistake 2: Ignoring Two-Factor Authentication
Two-factor authentication (2FA) requires a second proof of identity beyond your password — typically a code from an authenticator app or SMS. Microsoft's security team analyzed hundreds of millions of compromised accounts and found that enabling 2FA blocked 99.9% of automated attack attempts. Despite this, surveys find that fewer than 30% of people have enabled 2FA on their most important accounts.
Authenticator apps (Google Authenticator, Authy, or the authenticator built into 1Password) are more secure than SMS codes, which can be intercepted through SIM-swapping attacks. Enable 2FA on your email first — it's the master key to your digital life, since it's used to reset passwords on virtually every other account.
Mistake 3: Clicking Links in Emails Without Verifying
Phishing remains the most common attack vector because it works. Modern phishing emails are sophisticated — they replicate the exact visual design of legitimate companies, use personalized details scraped from social media (spear phishing), and create urgent scenarios that short-circuit careful thinking ('Your account has been compromised — click here immediately to secure it').
Your best defense is a simple rule: never click links in emails to access accounts. Instead, open a new browser tab and navigate directly to the website. Check the actual sender email address (not just the display name) — fraudulent emails from 'Amazon' often come from addresses like amazon-security@randomdomain.com. When in doubt, call the company using a number from their official website.
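The "check the real address, not the display name" rule can be automated. The following is an added example (not from the original article) of a small sender check a mail filter could run on the From: header; BRAND_DOMAINS is an illustrative allowlist constructed for the example, and the flagged addresses are made up.

```python
from email.utils import parseaddr

# Illustrative allowlist of which domains legitimately send mail for a brand
# (constructed for this example; a real filter would load this from policy).
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
}


def sender_domain(from_header: str) -> str:
    """Domain of the real address in From:, ignoring the display name entirely."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def is_brand_domain(domain: str, allowed: set) -> bool:
    """True for the exact domain or a subdomain of it (mail.amazon.com);
    lookalikes such as amazon-security.com or amazon.com.evil.net are not."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def assess_sender(from_header: str) -> list:
    """Return the red flags found; an empty list means nothing looked off."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    domain = sender_domain(from_header)
    flags = []
    for brand, allowed in BRAND_DOMAINS.items():
        if (brand in name.lower() or brand in domain) and not is_brand_domain(domain, allowed):
            flags.append(f"claims to be {brand} but the real domain is {domain}")
    if "@" in name:
        # e.g. "support@amazon.com" <x@evil.net>: the visible address is fake
        flags.append("an address is embedded in the display name")
    return flags


if __name__ == "__main__":
    for hdr in ["Amazon Security <amazon-security@randomdomain.com>",
                "Amazon Customer Service <no-reply@amazon.com>"]:
        print(hdr, "->", assess_sender(hdr) or "no red flags")
```

The header can itself be forged, so this is a triage signal, not proof; the article's rule of navigating to the site directly still applies.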
Mistake 4: Using Public Wi-Fi Without a VPN
Public Wi-Fi at coffee shops, airports, and hotels is inherently insecure. Anyone on the same network can potentially intercept unencrypted traffic. While HTTPS encryption has improved significantly (most websites now use it), public networks can still expose your browsing habits, unencrypted app traffic, and login sessions. 'Evil twin' attacks — where hackers create a fake Wi-Fi hotspot named 'Starbucks WiFi' — are a real threat in high-traffic locations.
A VPN (Virtual Private Network) encrypts all traffic from your device, making it unreadable even if intercepted. Reputable VPN providers include Mullvad, ProtonVPN, and ExpressVPN. Avoid free VPNs — they often monetize your data, defeating the purpose. If you frequently work from public locations, a VPN subscription ($3–$10/month) is worth every penny.
Mistakes 5, 6, and 7: Software, Permissions, and Oversharing
Delaying software updates is mistake #5. Updates frequently patch actively exploited vulnerabilities — the WannaCry ransomware attack in 2017 that paralyzed hospitals and businesses worldwide exploited a Windows vulnerability for which Microsoft had already released a patch two months earlier. Victims simply hadn't updated. Enable automatic updates on your operating system, browser, and critical apps.
Overly permissive app permissions (#6) give apps access to your camera, microphone, contacts, and location far beyond what they need. Review your phone's app permissions regularly and revoke access that isn't necessary. A flashlight app doesn't need your contacts list. A recipe app doesn't need your location.
Oversharing on social media (#7) fuels social engineering attacks. Your dog's name, your hometown, your mother's maiden name, your high school mascot — these details appear in countless security questions. Attackers mine social profiles to answer security questions and craft convincing phishing messages. Be thoughtful about what you share publicly.
Test your knowledge with our Cybersecurity Fundamentals Quiz to see how your security awareness stacks up — and identify exactly which gaps leave you most vulnerable to the attacks happening right now.