Someone asked me recently: Random question for no reason other than I'm curious - anecdotally, what do you think is the most common cyber security mistake made by people who are relatively competent with cyber security? Read on for my top three answers.
Human nature makes us lazy; we take shortcuts, and sometimes we pay the price. With credential attacks so common, it's hard to imagine that seasoned cyber professionals reuse passwords. Yet with so many websites and services to log into, both at home and at work, it's hard to imagine anyone who doesn't reuse at least some passwords.
Sometimes curiosity just gets the better of people, and every once in a while phishing emails are crafted well enough to fool even the best. I remember waiting desperately for a package to arrive, and realizing a second too late that the UPS tracking link in my email was a phish. I managed to avoid any consequences (defense in depth!), but the scenario speaks to the effectiveness of casting a wide net. Millions of people are expecting something on any given day - catch them with the right message, and as long as the email looks somewhat reasonable, someone will fall for it.
Backups (Or Lack Thereof)
Despite relatively affordable and automated tools, many people simply don't pay enough attention to backups, especially for their personal files outside the corporate environment. There is a smug feeling that only others have accidents and only others will be compromised, and even the most risk-averse security professionals manage to find comfort in the decades-old USB drive lurking somewhere in the basement trenches.
For more about systemic mistakes made by cyber security leaders, read my post Big-Picture Mistakes.