Human Error: Singapore’s Hidden Cyber Threat

Let’s face it, your biggest cybersecurity risk might be sitting in the break room, sipping kopi and accidentally clicking on a "Congratulations! You’ve Won!" email.

In our many engagements, we've seen countless people click on our phishing emails offering NTUC FairPrice vouchers (as part of our training of course 😉).

We've even caught a CEO filling in a fake form for the vouchers.

This is why we emphasise that it’s less often the hoodie-obsessed hackers in faraway lands you need to worry about.

It’s that one (or many) employee(s) who still thinks "p@assword123" is a clever password. Well... at least they added the '@'. If you're curious, that takes the cracking time from 0 seconds to a grand total of 2 seconds compared with plain 'password123'.

For corporate leaders, HR professionals, and IT managers, here’s the inconvenient truth: cybersecurity isn’t just an IT issue (as much as everyone in the company wishes it were; sorry, IT team, we feel you), it’s everyone’s business. And until your employees stop treating cybersecurity like it’s someone else’s problem, your organisation remains vulnerable.

What are some things you can do right now? Starting off with this list is a small (but still helpful) step in the right direction.

Go through this list and check if these common cybersecurity mistakes are being made in your organisation. Unfortunately, chances are they are. Which is why it's so important to take time to make these small adjustments to keep your organisation safe as soon as possible.

1. Reusing Passwords Across Multiple Accounts

Why It Matters: Reusing passwords across multiple platforms is one of the easiest ways for attackers to breach corporate systems. Once attackers obtain a password from a breached site, they use automated tools to test it against corporate email, cloud services, and business tools. Without password variation, a single exposed credential can unlock your entire digital ecosystem.

Scenario: John, a senior marketing manager and self-declared "password minimalist," uses the same password "johnp@ssword123" for everything from Canva to Gmail. He thinks it's genius (it's not, John). When Canva was breached on 11th January 2020, hackers celebrated password minimalists worldwide.

Fix It With:

  • IT: Implement enterprise password managers like 1Password or LastPass Business.
  • HR: Incorporate password hygiene practices into onboarding and annual training.
  • Leadership: Enforce policies requiring unique, complex passwords.
šŸ” Pro Tip:Ā Configure your enterprise password manager to automatically flag reused passwords and enforce complexity standards across teams via admin policies.

2. Falling for Phishing and Social Engineering Scams

Why It Matters: Phishing emails are the most common entry point for cyberattacks. These emails often impersonate trusted figures like HR or the CEO and are crafted to bypass spam filters and exploit human trust. A single click can compromise entire networks, steal credentials, or install malware. CEO fraud alone is an estimated $26 billion industry.

Scenario: Sarah, a senior finance executive who prides herself on lightning-fast replies, received an email with the subject line "⚠️ Urgent Task, Need Assistance From Finance. Respond ASAP." from the address 'erictan@hotmail.com' requesting bank details. Eric Tan, the real CEO, was on holiday. Knowing this, the email also stated: 'As I am on vacation, I am unable to log in to my company email. But this is urgent, hence I am using my personal email.' Wanting to impress the boss, she complied within five minutes. Unfortunately, the real CEO doesn’t use Hotmail, and now the company payroll has also taken a holiday.

Fix It With:

  • IT: Deploy AI-based email security tools.
  • HR: Conduct quarterly phishing simulations.
  • All Staff: Promote the SLAM method:Ā Sender, Links, Attachments, Message tone.
šŸ” Pro Tip:Ā Integrate an email banner system that flags external senders and suspicious domains in real-time, reducing knee-jerk responses to spoofed emails.

3. Ignoring Software Updates and Patches

Why It Matters: Every software system eventually develops vulnerabilities. Cybercriminals watch for announcements of patches and immediately begin scanning for unpatched systems. Delaying updates gives attackers a window of opportunity to exploit known flaws.

Scenario: Michael, the IT administrator, decided that "Patch Tuesday" sounded optional. Michael was, in fact, working from home that day (he was watching TikTok). He skipped the monthly updates, hoping nothing would break. What did break was the company’s database, after attackers exploited an unpatched vulnerability. This move is reminiscent of Equifax’s billion-dollar mistake. Michael can now watch all the TikToks he wants and WFH is no longer optional. Thanks, Michael.

Fix It With:

  • IT: Use tools like Microsoft Intune to manage updates.
  • HR: Remind staff to restart devices weekly.
  • Leadership: Fund automated patch management solutions.
šŸ” Pro Tip:Ā Set up a WSUS (Windows Server Update Services) or third-party patch management tool to enforce update policies and generate compliance reports for audits.

4. Using Weak or Default Credentials

Why It Matters: Default usernames and passwords are publicly available and often remain unchanged in many systems. Cyber attackers use automated scripts to scan for devices like routers, cameras, and storage units with default access, making this an easily avoidable vulnerability.

Scenario: A well-meaning startup founder proudly set up a shiny new Network Attached Storage (NAS) device but forgot to change the password from "admin" to anything else. Hackers didn’t even have to try: they logged in, zipped up the data, and left a ransom note that read "Congratulations! We heard you just raised quite a large Series A round. Let's chat."

Fix It With:

  • IT: Disable default logins during setup.
  • All Employees: Use 12+ character passphrases.
  • Security Team: Conduct credential audits with LAPS or Okta.
šŸ” Pro Tip:Ā Run regular credential scans using tools like Shodan or Nessus to detect exposed services still using default logins and auto-disable access.

5. Mishandling Sensitive Data

Why It Matters: Sensitive information, such as customer records, financial data, and internal communications, is often mishandled by employees who underestimate its value or fail to use secure storage. Under PDPA, mishandling can lead to severe fines and reputational damage.

Scenario: Emily, a customer service rep, decided her handbag was a secure cloud and saved customer data to a USB drive to finish work at home. The USB went AWOL on the MRT (Disclaimer: not SMRT's fault). A similar scenario played out in the US when a healthcare worker lost a laptop with 43,000 patient records.

Fix It With:

  • IT: Deploy Data Loss Prevention (DLP) tools.
  • HR: Train staff to classify data appropriately.
  • Legal/Compliance: Audit workflows involving customer data.
šŸ” Pro Tip:Ā Apply classification labels and auto-encryption to sensitive files using Microsoft Purview or similar DLP solutions to restrict transfer and download actions.

6. Connecting to Unsecured Public Wi-Fi

Why It Matters: Public Wi-Fi networks lack encryption, allowing attackers to intercept traffic or create spoofed access points. Employees working from cafés, airports, or hotels can inadvertently expose credentials and company data.

Scenario: David, a regional sales manager, logged into the company CRM from "ChangiFreeAirportWiFi", thinking that the best airport in the world surely has good, secure Wi-Fi. Unfortunately, that network was not set up by the good folks at Changi. A hacker sipping kopi nearby captured every keystroke. While David was in the air, the hacker logged in and swept everything clean. This happens in many common spaces: Australian airports have seen similar stunts pulled with gadgets costing as little as $20.

Fix It With:

  • IT: Enforce VPN use on work devices.
  • Employees: Avoid sensitive activity on public networks.
  • Training: Simulate Wi-Fi attacks in workshops.
šŸ” Pro Tip:Ā Enforce VPN auto-connect on all corporate laptops in your Mobile Device Management (MDM) solution so Wi-Fi use without encryption is impossible.

7. Using Personal Devices Without Security Controls

Why It Matters: Personal devices often lack corporate-grade security. Without antivirus, encryption, and monitoring, these devices can be exploited by malware or used as backdoors into secure systems.

Scenario: Linda, who preferred her personal laptop because "it's pink and faster," opened a phishing link that installed ransomware. Her device became the digital Trojan horse that brought down the team's shared drive. Microsoft says most ransomware begins exactly this way.

Fix It With:

  • IT: Deploy MDM tools like Microsoft Endpoint Manager.
  • HR: Ensure BYOD agreements are signed.
  • Leadership: Restrict sensitive systems to secured devices.
šŸ” Pro Tip:Ā Mandate MDM registration for all BYOD devices, enabling remote wipe, antivirus enforcement, and app usage controls before granting system access.

8. Sharing Login Credentials

Why It Matters: Sharing accounts eliminates traceability and control. In the event of a breach, it's impossible to determine who was responsible. Shared logins also increase the risk of accidental or intentional misuse.

Scenario: A developer team shared one super-admin account called "bestdevteam". It was efficient, until a disgruntled developer deleted half the project files. With no audit trail, the real culprit vanished like their GitHub history. The best dev teams would never let this happen. Okta's breach involved a similar shared-access nightmare.

Fix It With:

  • IT: Enforce role-based access with unique IDs.
  • Managers: Mandate "One Person, One Account."
  • Training: Explain shared credentials' risks.
šŸ” Pro Tip:Ā Use SSO with enforced role-based access (RBAC) and conditional access rules to prevent multiple users from accessing systems with a single identity.

9. Neglecting Physical Security Measures

Why It Matters: Physical access to devices or sensitive materials can be just as dangerous as digital breaches. Unlocked screens, unsecured USB drives, misplaced laptops and even passwords written on whiteboards or notepads can all be exploited by malicious actors.

Scenario: Tom, an analyst with a habit of leaving things "just for a minute," left his laptop unlocked in a co-working space. While he was grabbing his 6th kopi of the day at 4:30pm, a sharp-eyed malicious actor who had been monitoring his routine for the last few weeks helped themselves to a few client files.

Fix It With:

  • Facilities: Enforce clean desk policies.
  • IT: Enable automatic screen locks.
  • HR: Include physical security in training.
šŸ” Pro Tip:Ā Activate full-disk encryption and set idle-screen lock policies through Group Policy or MDM for all endpoint devices.

10. Viewing Cybersecurity as Solely an IT Responsibility

Why It Matters: Treating cybersecurity as an IT-only issue creates gaps in awareness and accountability. A strong security posture requires engagement from leadership to entry-level employees.

Scenario: The executive team at a mid-sized firm thought cybersecurity was "too technical" to worry about and that they weren't a target like MNCs. They skipped basic awareness training despite the IT team saying 'eh, please la' many times. Days later, a phishing email pretending to be from the CFO tricked them into wiring money overseas. They desperately asked the hackers to return the money; they even said 'eh, please la'. If only they'd spent half a day learning the basics of cybersecurity.

Fix It With:

  • Leadership: Make cybersecurity part of company values.
  • HR: Reward cyber champions.
  • All Teams: Include cyber KPIs in reviews.
šŸ” Pro Tip:Ā Make cyber hygiene part of quarterly KPIs by integrating phishing test scores, training completion, and incident reporting into staff performance reviews.

Why Cybersecurity Awareness Training Matters Now More Than Ever

While technical controls are vital, they are only one part of the puzzle. The most advanced firewall won't protect your business if an employee unknowingly hands over credentials to a phishing scam. With human error remaining the leading cause of breaches, proactive education is your first line of defence.

CFCI's research and training initiatives show that organisations that invest in regular, scenario-based cybersecurity training see a dramatic reduction in incidents related to phishing, poor password practices, and data mishandling.

šŸ›”ļø How CFCI Can Help Your Organisation Stay Secure

CFCI Conducting Cyber Awareness Training For AirAsia Indonesia

The Centre for Cybersecurity Institute (CFCI) offers:

  • Cybersecurity awareness training tailored for Singaporean businesses
  • Practical workshops, phishing simulations, and tabletop exercises to engage participants
  • Leadership engagement sessions to build a culture of shared responsibility

Our programmes are designed to be engaging, non-technical, and immediately applicable.

📅 Ready to Build a Cyber-Resilient Workforce?

Don’t wait until your company becomes a cautionary tale. Train your team today.

Cybersecurity is a shared responsibility. Training is your first line of defence.

ā“ Mini FAQ: Cybersecurity Training in Singapore

Q1: How often should cybersecurity training be conducted?
At least biannually, with quarterly phishing simulations for best results.

Q2: Is CFCI training relevant for non-technical staff?
Yes. Our training is designed for all employees, from interns to executives.

Q3: Does training help with compliance?
Absolutely. Our modules align with PDPA, CSA, and industry best practices.

Q4: Can CFCI customise the training to our industry?
Yes. We always have a pre-training consultation to understand the most relevant risks to your industry & departments.

Q5: What makes CFCI different?
We care deeply about the quality of our training: cyber awareness training should NOT be a 4-hour session of eyeballing slides. We create interactive activities, showcase hacks on the spot and ensure that knowledge is retained over time.
