I’ve been in the IT game since 1981. To give you some perspective, back then, the “cloud” was just something that ruined a weekend of cricket, and a “login” was usually just turning on a machine. Fast forward through my time at the State Bank of NSW, managing tech for the Sydney 2000 Olympics, and eventually starting what is now Cloud Computer Company, and one thing has remained constant: humans are the weakest link in the security chain.
Most business owners I talk to here in Noosa and across the country think a “hack” involves a guy in a hoodie typing code at light speed. In reality, most breaches happen because someone’s password was “Password123” or they used the same login for their work email as they do for their Netflix account.
According to research, poor password practices are behind roughly 81% of data breaches. That is a staggering number. It means that the vast majority of cyber threats could be stopped dead in their tracks if we just fixed how our teams handle their logins.
Let’s dive into the seven biggest mistakes I see businesses making and, more importantly, how we can fix them.
1. The “One Password to Rule Them All” Strategy
We’ve all done it. You find a password that’s easy to remember, maybe it’s your dog’s name plus your birth year, and you use it for everything. Your banking, your social media, and your company’s internal database.
Research shows that about 41% of people reuse passwords across multiple accounts. The problem is that if a single service (like a random fitness app or a shopping site) gets breached, hackers now have the master key to your entire business life. If an employee uses their work email and a reused password, your business is essentially sitting with the front door wide open.
The Fix: You need to implement a business-grade password manager. This allows your team to generate unique, complex passwords for every single site without having to memorize them. It’s one of the first things we look at during our Google Workspace Health and Security Checkup.
2. Weak Passwords (The “123456” Standard)
It sounds like a joke, but “123456” and “password” are still among the most common logins used globally. Even predictable patterns like “Company2026” are incredibly easy for automated scripts to crack in seconds.
In my years of managed IT, I’ve seen that many employees prioritize convenience over security. If they aren’t forced to create a strong password, they won’t.
The Fix: Enforce a strict password policy. I recommend at least 16 characters, including a mix of letters, numbers, and symbols. Modern systems like Google Workspace allow you to enforce these rules at the admin level, so it’s not left to chance.
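As an added illustration (not part of the original post) of what items 1 and 2 mean in practice, the following Python audit checks a credential inventory against the 16-character, mixed-character policy recommended above, rejects predictable patterns such as a company name or a year, and flags any password reused across accounts. The inventory, company tokens and password values are constructed for the example.

```python
import re
import string
from collections import defaultdict

# Constructed sample credential inventory (account -> password); made-up values.
SAMPLE_VAULT = {
    "work-email": "Rex1978",
    "banking": "Rex1978",            # same password reused on two accounts
    "crm": "Company2026!",           # company name + year: predictable
    "git-hosting": "v7!Lq2#pZ9mW@r4Ks8Tn",
}

# Fragments the policy rejects: the company name, common base words, any year.
COMPANY_TOKENS = {"company", "cloudcomputer"}   # assumed names; extend with your own
COMMON_BASES = {"password", "123456", "qwerty", "welcome", "letmein"}
YEAR_RE = re.compile(r"(19|20)\d{2}")

def check_policy(password: str, min_len: int = 16) -> list:
    """Return the policy rules a password fails (empty list means it passes)."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        failures.append("needs at least three of: lower, upper, digit, symbol")
    if any(tok in password.lower() for tok in COMPANY_TOKENS | COMMON_BASES):
        failures.append("contains the company name or a common base word")
    if YEAR_RE.search(password):
        failures.append("contains a year (predictable pattern)")
    return failures

def find_reuse(vault: dict) -> dict:
    """Map each password used on more than one account to those accounts."""
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}

def audit(vault: dict) -> dict:
    """Per-account findings: policy failures plus any reuse across accounts."""
    reused = find_reuse(vault)
    report = {}
    for account, pw in vault.items():
        findings = check_policy(pw)
        if pw in reused:
            findings.append("reused on: " + ", ".join(a for a in reused[pw] if a != account))
        report[account] = findings
    return report
```

Running `audit(SAMPLE_VAULT)` reports three findings each for the reused and the company-name passwords and none for the generated one.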
3. The Sticky Note “Security” System
Walk through almost any office, and you’ll likely find a monitor with a yellow sticky note stuck to the corner. On that note? A login and password. It’s the physical equivalent of leaving your car keys in the ignition with the engine running while you go into the shop.
It’s not just sticky notes; it’s also unencrypted Excel sheets or Word docs titled “Passwords” saved right on the desktop. If someone gains physical access to the office or remote access to that one machine, they have everything.
The Fix: Education is key here. We provide training to help staff understand that passwords belong in encrypted digital vaults, not on stationery. If it’s written down, it’s not a secret.
4. “Just Slack It to Me” (Insecure Sharing)
When a team member needs access to a tool, the common reaction is to message a colleague: “Hey, what’s the login for the marketing tool?” The colleague then replies with the username and password in clear text via Slack, Teams, or email.
Now, that sensitive information is sitting in a chat history forever. If either of those accounts is ever compromised, the hacker can simply search for “password” in the chat logs and find a treasure trove of access.
The Fix: Use secure credential-sharing tools built into your password manager. This allows users to share access to an account without actually “seeing” the password, or at the very least, keeps the data encrypted.
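Before moving sharing into a password manager, it helps to know what is already sitting in your chat history. This added Python sweep (example code, not from the original post) scans an exported chat history for messages that hand over a password in clear text, so those accounts can be rotated; it ignores ordinary mentions of the word "password". The export format, channel names and values are constructed for the example.

```python
import re

# Constructed sample of an exported chat history as (channel, sender, text).
# All values are made up for illustration; nothing here is a real credential.
SAMPLE_EXPORT = [
    ("#marketing", "dana", "Hey, what's the login for the marketing tool?"),
    ("#marketing", "sam", "user: marketing@example.com password: Summer2024!"),
    ("#general", "lee", "Reminder: password policy review is on Friday"),
    ("#ops", "sam", "pw is hunter2 for the old cpanel, pls rotate it"),
    ("#ops", "dana", "Shared via the password manager, check your vault"),
]

# A shared credential is a label (password/passwd/pass/pw/pwd) followed by
# "is", ":" or "=" and a value token of six or more non-space characters.
# A bare mention of the word "password" has no separator and is not flagged.
CRED_RE = re.compile(
    r"\b(?:password|passwd|pass|pw|pwd)\b\s*(?:is|[:=])\s*(\S{6,})", re.IGNORECASE)

def redact(secret: str) -> str:
    """Keep the first two characters so the finding can be recognised, mask the rest."""
    return secret[:2] + "*" * (len(secret) - 2)

def find_shared_credentials(export):
    """Return (channel, sender, redacted_secret) for each message that shares a secret."""
    hits = []
    for channel, sender, text in export:
        match = CRED_RE.search(text)
        if match:
            hits.append((channel, sender, redact(match.group(1))))
    return hits

def senders_to_follow_up(export) -> dict:
    """Count flagged messages per sender, for the rotation and training follow-up."""
    counts = {}
    for _channel, sender, _secret in find_shared_credentials(export):
        counts[sender] = counts.get(sender, 0) + 1
    return counts
```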
5. The “MFA is Too Annoying” Attitude
Multi-Factor Authentication (MFA) is the single most effective way to protect your business. It’s that extra step, like a code sent to your phone, that proves you are who you say you are. Yet, I still see business owners and employees disabling it because they find it “inconvenient” to check their phone once a day.
Without MFA, a stolen password is a successful hack. With MFA, a stolen password is just a useless string of text.
The Fix: Make MFA mandatory. No exceptions. Whether it’s for your email, your communications systems, or your cloud storage, that second layer of protection is non-negotiable in 2026.
6. Using Shared Credentials
Does your team have a “support@company.com” or “admin@company.com” login that five different people use? This is a nightmare for accountability. If something goes wrong, or worse, if data is deleted, you have no way of knowing who did it.
Shared credentials also mean that when an employee leaves the company, you have to change the password for everyone else, which leads to more sticky notes and more insecure sharing.
The Fix: Every person needs their own unique login. This is central to cloud collaboration. You can grant individual permissions to shared folders or tools, ensuring you always have an audit trail of who accessed what and when.
7. Granting Excessive Permissions (The “Keys to the Kingdom”)
In an effort to be “helpful” or “save time,” many business owners give every employee full administrative access to their systems. This is a massive risk. If a junior staff member’s account is compromised and they have admin rights, the hacker can delete your entire cloud environment or lock you out of your own business.
This also increases the risk of accidental deletions. I’ve seen entire server structures wiped because someone clicked the wrong button they shouldn’t have had access to in the first place.
The Fix: Follow the “Principle of Least Privilege.” Employees should only have access to the specific systems and data they need to do their jobs. Nothing more, nothing less. If you’re unsure how to set this up, our consultancy services can help you map out a secure access hierarchy.
How to Protect Your Business Moving Forward
Security isn’t something you “set and forget.” It’s an ongoing process of management and refinement. Since I became one of the original Google Partners back in 2008, I’ve seen the landscape shift dramatically. The tools are better now, but the threats are smarter too.
If you’re worried that your team might be making these mistakes, the best first step is an audit. We can look at your current setup, identify the gaps, and help you implement a strategy that protects your data without slowing down your workflow.
We’ve helped businesses transition from messy, insecure local setups to streamlined, secure deployment in the cloud. It’s about peace of mind: knowing that when you head to the beach or out for a round of golf, your business isn’t one “123456” away from a disaster.
Ready to lock things down? Contact us today, and let’s make sure your front door is actually locked.
About Mathew Hoffman
Mathew Hoffman is the Owner of Cloud Computer Company. He began his career in IT in 1981 and has held senior roles at the State Bank of NSW, Minet Australia, Wilhelmsen Lines, and Rothmans of Pall Mall. A career highlight was his involvement in the IT operations for the Sydney 2000 Olympics. Since 2001, Mathew has provided IT consultancy to small and medium businesses, becoming an original Google Partner in 2008 and re-branding to Cloud Computer Company in 2017. Based in Noosa, Mathew is a keen follower of cricket (having played and coached in both Sydney and the Sunshine Coast) and enjoys spending time with his family, at the beach, or on the golf course.