
Why Your Team's Everyday Habits Are Your Biggest Security Risk

Most cyberattacks do not start with a sophisticated intrusion. They start with someone clicking a link in a personal email on a work laptop, or uploading a client file to a familiar cloud service because the approved option felt slower. According to the Verizon Data Breach Investigations Report, 68% of breaches involve the human element - not a zero-day exploit, not a brute-force attack on a hardened system. Ordinary behaviour, on an ordinary day.

For professional services businesses running cloud-based workflows across multiple devices, the overlap between personal and professional digital life is now the norm. That overlap is where most attacks begin.

Personal web habits are not reckless. They are normal. Checking a personal inbox on a work device. Saving a work password in a browser already loaded with personal accounts. Using a consumer file-sharing app because it is faster than the approved option. None of these feel like security decisions in the moment. But each one creates a connection between personal digital activity and business systems - and that connection sits outside most traditional security controls.

Hardening systems and locking down networks addresses part of the problem. The rest moves with the people.

Personal inboxes, messaging platforms, and social media are where phishing thrives. These environments are harder to filter, easier to spoof, and loaded with the kind of emotional triggers that make people act before they think. When those channels share a device or browser with business systems, a single click can cross the boundary instantly. The person being targeted does not need to be careless. They just need to be busy. AI-driven attacks on personal email accounts have made this kind of crossover significantly harder to recognise in time.

Password reuse creates a direct connection between personal and professional exposure. When credentials from a personal account are compromised in a breach somewhere, attackers run them against business systems automatically. It is low-effort and highly effective because so many people use the same password across multiple accounts. Unique credentials for every account, combined with multi-factor authentication - where logging in requires a second step beyond a password - break that chain. A personal breach has nowhere to go when the work account requires a second factor the attacker cannot access. Credential attacks that sweep across an entire team are a common way this exposure gets exploited at scale.

Most unauthorised tool use does not come from disregard for policy. It comes from a productivity gap. People use personal cloud storage or consumer apps because they are faster and more familiar than whatever has been approved. The security risk is not the intention behind the choice. It is what happens to the data. Once business information moves into platforms that cannot be audited or secured, it falls outside every control in place.

The instinct is to lock things down - block personal apps, restrict browsing, enforce strict device policies. In practice, blanket restrictions rarely stop the behaviour. They relocate it. Users find workarounds. Unapproved tools move to personal devices. The risk does not disappear. It moves somewhere harder to see.

What actually works is designing security around how people genuinely operate. Separate browser profiles for work and personal activity create enough distance that a compromise in one does not automatically reach the other. Clear guidance on where business accounts should be accessed reduces accidental crossover without restricting what people do with their time. Multi-factor authentication means that even if a password is exposed somewhere, it cannot be used to walk into a work account. A password manager makes unique credentials for every account sustainable, without placing an unrealistic burden on staff. If your business needs help putting these controls in place, IT support for professional services firms is exactly where to start.

The most secure environments are not the most restrictive. They are the most realistic - built around how people actually work, and designed to contain the damage when something goes wrong. The habits that genuinely reduce risk in 2025 are practical, not complicated, and most can be put in place without disrupting how your team works day to day.

For Canterbury businesses handling sensitive client information, getting this right matters. The cyber security section of the ITstuffed website covers the practical controls that make the biggest difference. If you want to know where the gaps are in your current setup, ITstuffed offers a 15-minute IT Fit Check at itstuffed.co.nz/booking - no preparation needed.