
Five Cybersecurity Mistakes That Put Your Practice at Risk

It is a Tuesday morning and one of your staff opens an email that looks like it is from a supplier. They click a link, enter their login details, and get on with their day. By Thursday, someone in another country is inside your systems, reading client files, and you have no idea. This is not a worst-case scenario. It is how the majority of breaches actually happen - not through sophisticated hacking, but through ordinary mistakes that were never addressed.

The uncomfortable truth for most healthcare practices and professional services businesses is that the mistakes leaving them exposed are not complicated. They are gaps in basic security habits - things that look fine on the surface but are not. A 2021 Sophos Threat Report that examined thousands of global data breaches found that the most damaging attacks consistently traced back to gaps in basic security hygiene, not exotic or novel techniques. The cost of getting it wrong is not just financial. Under the NZ Privacy Act 2020, a serious privacy breach involving client health information must be reported to the Office of the Privacy Commissioner at privacy.org.nz. That is a conversation no practice manager wants to have.

The first gap is skipping multi-factor authentication - the extra step that confirms a login is genuine, not just a stolen password. It sounds minor. It is not. According to Microsoft, multi-factor authentication blocks more than 99% of fraudulent sign-in attempts. If your team can log into email or patient records with just a password, you are one compromised password away from a breach. Most breaches are entirely preventable with the right controls in place from the start.

The second is ignoring what is sometimes called shadow IT - staff using personal apps like Google Drive or WhatsApp to share work files because it is easier than the approved system. The problem is that client data in an unvetted app sits outside your backup, outside your security controls, and potentially outside your compliance obligations. If that staff member leaves, that data may go with them. Cloud storage convenience comes with real security trade-offs that many practices have not fully considered.

Third, many practices still rely on a basic antivirus application and call it done. Modern threats do not work that way. Phishing attacks typically use links, not files, so there is nothing for antivirus to catch. Effective protection now involves filtering at the email level, filtering at the web browsing level, and monitoring of cloud account activity - layers working together, not a single tool working alone.

Fourth, most practices now have staff working from home at least part of the time, often on personal devices. If those devices are not enrolled in a device management system - something like Microsoft Intune, which is included in many Microsoft 365 plans - then you have no visibility into what is happening on them and no way to wipe a device if it is lost or stolen.

Fifth, and most consistently damaging, is the lack of regular staff training. Research suggests that around 95% of cybersecurity breaches involve human error at some point. Annual onboarding training is not enough. Short, regular reminders - whether that is a quick team briefing, a tip in the staff newsletter, or a simulated phishing test - keep the habits sharp. Security awareness training is the cyber defence NZ businesses overlook most often, and culture matters more than policy here.

If you are not sure which of these gaps applies to your practice, the answer is probably more than one. A proper security review will identify exactly where you are exposed and what needs to change. ITstuffed provides managed IT support for healthcare practices in Canterbury that want a clear picture of their risks without having to wade through technical jargon to get it. If you want to know where your practice stands, book a 15-minute IT Fit Check at itstuffed.co.nz/booking and we can start from there.
