What are the most common data security mistakes employees make?

I would not call this an "employee mistake." Weak or repeated passwords are often results of bad organisation password policies. If you force a person to change passwords often and don't create easy opportunities for storing passwords in accessible password managers, you basically enforce weak or repeated passwords. That is a governance problem and not an employee problem.

Employees also have a tendency of using one common password on several accounts. This gives the hackers an easy time once they manage to acquire one of your accounts or apps password. There is also complacency that comes with assumptions of a great firewall to the system. Most employees fail to change passwords from time to time with a false hope in a good firewall. This exposes them to vulnerabilities hence change of password from time to time should be encouraged.

This is the fundamental key to access to all, both online and offline. If it is first layer access of security, we as users responsibly understand the core importance of it. If we never put a value on it, we are like a kid who is playing to open it all yours to all. I remember some of the clients who were using the most common passwords to their online accounts from bank apps, social media, or emails, and they experienced a breach of their accounts unattentively. As the problems got worse, they called my attention and asked for help for their accounts to be secured. What I found out, they are using repeatedly the recycled patterns of their passwords. From that, the journey of helping clients design a combo-pass-word-phrase-password started.

Most common mistake is forgetting to put security at the heart of their activity. Pressure of work and lack of adequate training are normally to blame.

Seems like our generative AI got a bit creative here! The Principle of Least Privilege is like giving people access to a system but only letting them 'read, write, or delete' what they absolutely need for their job. It's like a security bouncer but for data. The last sentence is more closely aligned to the below cybersecurity principles - 'Need-to-Know' principle - Access to sensitive information is granted only to individuals who have a need for that data in order to perform their job. 'Purpose Limitation' principle - In the context of EU-GDPR, this is a fundamental principle that dictates that personal data should only be used for specific purposes.

An example is the use of some social media platforms in sharing of sensitive organisation data. As much as employees should be discouraged, organisations also need to come up with proper data protection policy to prohibit sharing of information using unsecure platforms.

I assisted local businesses in the Philippines with managing their social media pages and online assets, to protect them from deceptive platforms that send misleading messages with malicious links. The key is to educate their teams and prepare them in advance, rather than allowing them to be lured by messages they receive via email, messaging apps, or private channels of communication. Additionally, incorporating AI tools into their operations can help validate any messages they receive, scanning and verifying them for potential threats. This is just the beginning. We hope that by taking these steps, our partnerships can help us better understand the importance of cybersecurity and privacy, and stay one step ahead of potential threats.

Protecting our data is crucial, yet many of us fail to recognize its importance. We need to understand that data security policies and consistent training are crucial for professionals, entrepreneurs, and corporations to stay prepared for any possible attacks. Regardless of our location, we should always adhere to data policies and take steps to secure our working environment and information. It all comes down to how we value our data.

One of the most common data security mistakes employees make is over-reliance on technical departments, often assuming that IT or cybersecurity teams alone can fully safeguard company data, neglecting their own responsibility in maintaining a secure environment.

Unauthorized sharing of organisation information either through going live on social media platforms or sharing photos and videos on public platforms. This can lead to giving away very essential brand information to competitors without knowing given your actions may only be to showcase your participation in a particular event.

Just not being competent in their day to day jobs or being trained or onboarded properly. Everyone thinks it must be a security matter but an employee that isn't well versed in their job roles are open to mistakes especially where the processing of data is involved. I have seen this happen way too many times where an employee isn't shown how to use a system properly or are not well informed of team processes...these often leads to issues that can impact the protection of personal information or leave a system open to compromise.