"Because everything demands a password we tend to do a lot of credential duplication between our various sites," said Monahan. "It goes back to ease of use.
"But this is a critical and sometimes tragic error. Many crucial accounts are hacked because an attacker gets access to email or some other seemingly innocuous account where users have reused their credentials with another far more sensitive account, such as banking or health care," he said.
The fix: Make it easier to manage multiple, complex passwords, to reduce the incentive to re-use them. Security and encryption guru and Co3 Systems CTO Bruce Schneier is among numerous experts who have recommended creating passwords by using the first letters of a phrase or sentence that is easy to remember, with a few numbers and/or symbols thrown in. He and others also recommend using a password manager — there are a number available.
Two-factor authentication also improves security, especially for common apps such as Google Gmail or Facebook, experts say. So don't rely on a password alone.
Finally, don't share passwords with anybody — that means anybody.
4. Remote insecurity: This is the common practice of transferring files between work and personal computers when working from home, or allowing family members to use a work device at home. Frymier said it can also include backing up corporate data to a third-party cloud service.
This not only exposes the company to malware, but Monahan said it also "leaves data and data residue — data left post deletion that can be retrieved with proper tools — on an unmanaged system."
Beyond that, it can expose the user to legal troubles. If there is a lawsuit that involves e-discovery and attorneys find that an employee had any of the data in question on a personal device, "they can subpoena your system and all that is on it for review and associated scrutiny," Monahan said.
The fix: It ought to be company policy, one about which employees get regular reminders, that corporate apps and files may be used on personal devices only with explicit authorization.
This is also an area where technology can help, chiefly through encryption of corporate data: if the files that end up on an unmanaged device are encrypted, the data residue left behind after deletion is unreadable without the key.
Lohrmann added that, "good identity management systems can control user access and provisioning — who can do what and when — and reduce the number of passwords needed to access applications."
5. Disabling security controls: This is usually done by users with administrative privileges, to make things easier for employees to use, but it can have catastrophic consequences. Obviously, if a security measure is disabled, it offers no protection.
"This is huge," Monahan said. "The ongoing battle between security and usability is one of the biggest rubs."