10 Cybersecurity Habits Every Employee Should Follow

Security Is Everyone's Responsibility

Your IT team can deploy the best security tools in the world, but a single employee clicking the wrong link can undo all of it. Security awareness training is not just a compliance checkbox — it genuinely reduces risk. Here are ten habits that, if followed consistently, will significantly reduce your organisation's exposure to cyber threats.

1. Use a Different Password for Every Account

Password reuse is one of the most dangerous habits in the workplace. When one service is breached, attackers immediately try those credentials everywhere else. Use a password manager (Bitwarden, 1Password, or Microsoft's built-in Edge password manager) to generate and store unique passwords.

2. Enable MFA on Every Account That Supports It

Multi-Factor Authentication adds a second verification step that stops attackers from using stolen passwords. Enable it on your email, cloud storage, banking, and any business applications.

3. Lock Your Screen When Stepping Away

Press Windows + L (or Control + Command + Q on Mac) every time you leave your desk. An unlocked computer in a shared office is a significant physical security risk.

4. Think Before You Click

Before clicking any link in an email or message, hover over it and verify the destination URL. If something feels urgent or unexpected, verify through a separate channel before acting.

5. Keep Software Updated

Most successful attacks exploit known vulnerabilities that have already been patched. Enable automatic updates on your operating system and all applications. Do not dismiss update notifications.

6. Use Only Approved Cloud Services

Uploading company files to personal Dropbox accounts or sharing data through unapproved apps creates "shadow IT" that your security team cannot monitor or protect. Use only company-approved services.

7. Be Careful on Public Wi-Fi

Public Wi-Fi at airports, hotels, and coffee shops can be monitored or spoofed. If you need to work remotely, use your company VPN or your phone's mobile hotspot instead.

8. Report Suspicious Activity Immediately

If you receive a strange email, notice your account is behaving oddly, or suspect you have clicked on something you should not have — report it immediately. The faster an incident is reported, the less damage it causes. There is no penalty for reporting a near-miss.

9. Be Wary of USB Drives and Unknown Devices

A USB drive found in a car park or sent as a promotional gift is a classic attack vector. Never plug in a USB drive of unknown origin. If a device needs to be inspected, ask your IT team to do it in a controlled environment.

10. Verify Before You Transfer

Any request to transfer money, share credentials, or change payment details — regardless of who it appears to come from — should be verified by phone call using a number you already have on file. Never use contact details provided in the email itself.

Make Security Awareness Part of Your Culture

Decoding IT offers ongoing security awareness training and phishing simulation programmes that keep your team sharp without disrupting their work. Contact us to learn how we can help build a security-aware culture in your business.


Wondering how exposed your business actually is? We offer a free 30-minute cybersecurity review — we'll assess your current controls, identify the highest-risk gaps, and give you a plain-English action list. No obligation. Book your free review here.