Most cyberattacks don’t start with a mastermind hacker typing lines of code in a movie-style lair. They start with something small.

A sticky note with a password on it.
A rushed click on a link that “looked fine.”
A laptop left unlocked while its owner grabs a coffee.

One moment like that can undo every dollar your business has spent on security. And the scary part? Hackers count on these moments. They know technology is only half the battle; the other half is human behaviour.

The good news? The same way one bad habit can open the door, one good habit can keep it shut. And if your whole team follows these six, you’ll be miles ahead of the companies that don’t.

1. Stop writing down passwords

Passwords are like house keys, they only work if you keep them safe. The moment yours ends up on a Post-it or in an unprotected file, it’s like leaving a spare key under the welcome mat.

Hackers know this. Anyone who sees that note, even for a second, can access your accounts.

Instead:

• Memorize your passwords or use a reputable password manager.

• Don’t reuse passwords across accounts.

• Keep them out of email, chat and shared documents.

2. Think before you click

Most phishing attacks don’t look like scams at first glance. They’re designed to appear familiar, urgent and legitimate; a shipping notice, a client request, a security alert.

That’s why hackers love busy people. The more distracted you are, the more likely you’ll click without checking.

Before you click:

• Hover over the link to see the real destination.

• Check the sender’s email address for typos or strange domains.

• If it feels off, confirm through another channel before acting.

3. Report suspicious activity right away

This is one of the simplest, most effective defences, and one of the most ignored.

If something looks suspicious, an odd email, a strange pop-up, your computer suddenly slowing down, tell your IT team right away. Don’t wait until after lunch. Don’t assume it’s probably nothing.

Early reports can turn a potential breach into a quick fix. Delays give threats time to spread.

4. Don’t plug in random USB drives

That free flash drive from a trade show? It might come with malware as a bonus. USB drives “found” in parking lots are a known hacker tactic; they rely on curiosity or convenience to get you to plug them in.

The moment you do, you’ve bypassed most of your company’s digital defences.

Safer approach: Only use devices issued or approved by your company. If you don’t know where it came from, don’t connect it.

5. Keep work devices for work only

It’s tempting to stream a movie, shop online or install a personal app on your work laptop. But every non-work activity increases your exposure to malicious websites, shady downloads and compromised accounts.

When you use work tech for personal use, you’re mixing trusted business systems with unverified sources, and hackers love that.

Draw a hard line: work devices are for work tasks, personal devices are for personal use.

6. Lock your screen every time you walk away

Even a quick trip to the break room is enough time for someone to access your computer. It doesn’t have to be malicious; even a curious glance at the wrong file can cause problems.

Make it second nature to lock your screen whenever you step away. Learn the keyboard shortcut for your system and use it without thinking.

The bottom line

Technology can stop a lot of threats, but it can’t fix bad habits. Every employee is part of the security team, whether it’s in their job description or not.

The companies that avoid costly breaches aren’t just the ones with the best firewalls; they’re the ones whose people build good security habits into their daily routine.

If you’re a client, these habits are reinforced in our training and systems. If you’re not, this list is your starting point. Because in the end, the difference between stopping an attack and suffering through one often comes down to small choices made in seconds.