{"id":2924,"date":"2025-04-10T13:51:38","date_gmt":"2025-04-10T11:51:38","guid":{"rendered":"https:\/\/trustlab.upct.es\/2025\/04\/10\/errores-mas-comunes-de-ciberseguridad-en-las-empresas\/"},"modified":"2025-09-19T10:43:11","modified_gmt":"2025-09-19T08:43:11","slug":"most-common-cybersecurity-mistakes-in-companies","status":"publish","type":"post","link":"https:\/\/trustlab.upct.es\/en\/2025\/04\/10\/most-common-cybersecurity-mistakes-in-companies\/","title":{"rendered":"Most common cybersecurity mistakes in companies"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Why do we keep making the same mistakes?\u00a0<\/b><\/h2>

Cybersecurity has been a priority for years. Even so, every week there is new news about companies being hacked, data being leaked, or systems being paralyzed by ransomware. What is going wrong?<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t

The 5 most common cybersecurity mistakes and how to avoid them<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

At TRUST Lab, we see it every day: many organizations invest in technology, but they continue to make basic mistakes. Not because of a lack of resources, but because of a lack of awareness, strategy, or simply time.<\/p>

This article is not meant to point fingers, but to shed light<\/strong>. Because if we know exactly where<\/strong> we are going wrong, we can correct course intelligently and quickly<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Underestimating the importance of internal training<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Cyberattacks don’t always start with a sophisticated hacker. Often, they start with a misplaced click.<\/strong><\/p>

One of the most common (and dangerous) mistakes is not training the team properly<\/strong>. It’s not just about teaching them how to create secure passwords, but something deeper: cultivating a digital security mindset.<\/strong><\/p>

Cybercriminals don’t come in through the door that’s hardest to open; they come in through the one that’s left ajar.<\/p>

If someone doesn’t know how to identify a phishing email, or doesn’t understand why they shouldn’t use a personal USB drive, technology won’t be able to protect you<\/strong>.<\/p>

Investing in firewalls and antivirus software is important, but if your team doesn’t know how to behave, you’re building a castle on sand<\/strong>.<\/p>

Best practices:<\/b><\/h4>
  • Ongoing training programs, not isolated sessions.<\/li>
  • Attack simulations (phishing, for example) and response analysis.<\/li>
  • Simple and up-to-date internal manuals.<\/li>
  • Area managers who ensure good practices.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
    \n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    Using weak or poorly managed passwords<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    It seems unbelievable, but in 2025 there are still companies using passwords such as \u201cadmin123<\/strong>\u201d or \u201cCompany2024<\/strong>.\u201d<\/p>

    And yes, we know that remembering a thousand passwords is inconvenient… but that doesn’t justify putting the entire organization at risk<\/strong>.<\/p>

    Another common mistake: using the same password for different services<\/strong>, or sharing credentials by email or WhatsApp.<\/p>

    Security starts with the basics, and passwords are the front door.<\/p>

    Solutions that work:<\/b><\/h4>
    • Mandatory use of corporate password managers<\/strong>.<\/li>
    • Periodic rotation policies (at least every 90 days).<\/li>
    • Enabling two-factor authentication (2FA)<\/strong> on all accesses.<\/li>
    • Monitoring suspicious accesses.<\/li><\/ul>

      \u00a0<\/p>

      Remember: a single leaked password can open the door to disaster<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

      \n\t\t\t\t\t
      \n\t\t
      \n\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t

      Not keeping software up to date<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t

      Outdated software is a legal loophole for attackers<\/strong>. Every day, new vulnerabilities are discovered in common programs, from operating systems to WordPress plugins.<\/p>

      If you don’t apply patches in time, you leave cracks that are already public exposed<\/strong>.<\/p>

      Did you know that WannaCry infected thousands of companies because they hadn’t updated a Windows patch that was released two months earlier?<\/p>

      Key actions:<\/strong><\/h3>
      • Automate updates whenever possible.<\/li>
      • Establish weekly review routines for critical systems.<\/li>
      • Monitor manufacturers’ security bulletins.<\/li>
      • Have inventory and patch management tools in place.<\/li><\/ul>

        \u00a0<\/p>

        Not updating is like having an alarm… without batteries. It may seem like you’re protected, but in reality, it’s already too late.<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

        \n\t\t\t\t
        \n\t\t\t\t
        \n\t\t\t\t\t

        Not having an incident response plan<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
        \n\t\t\t\t
        \n\t\t\t\t\t\t\t\t\t

        Imagine that tomorrow you detect unauthorized access to your servers. What do you do? Who do you call? What information do you need to preserve?<\/p>

        If you don’t have a clear plan, you’ll not only waste time, you’ll lose data, reputation, and a lot of money.<\/p>

        The important thing is not only to prevent the incident, but to know how to act when it inevitably occurs<\/strong>.<\/p>

        Keys to a good response plan:<\/b><\/h4>
        • Designate an incident management team (even if it is external).<\/li>
        • Simulate crises at least twice a year.<\/li>
        • Establish internal and external communication protocols.<\/li>
        • Document everything that happened for future learning.<\/li><\/ul>

          \u00a0<\/p>

          Having a plan does not eliminate risks, but it multiplies your ability to react and minimizes damage<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

          \n\t\t\t\t\t
          \n\t\t
          \n\t\t\t\t
          \n\t\t\t\t
          \n\t\t\t\t\t

          Giving too much access without control<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
          \n\t\t\t\t
          \n\t\t\t\t\t\t\t\t\t

          Often, for convenience or ignorance, unnecessary access is granted to employees, suppliers, or temporary collaborators.<\/p>

          The principle of least privilege states that each person should have only the access necessary to do their job, nothing more.<\/strong><\/p>

          The more unnecessary access you grant, the more doors you leave open to a possible internal or external attack.<\/p>

          Solutions you should implement:<\/b><\/h4>
          • Regular access audits.<\/li>
          • Elimination of inactive or orphaned accounts.<\/li>
          • Identity management with centralized control (IAM).<\/li>
          • Automatic reviews when changing roles or leaving the company.<\/li><\/ul>

            \u00a0<\/p>

            Access control is like keys in a building: if anyone can enter any room… you are losing control.<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

            \n\t\t\t\t
            \n\t\t\t\t
            \n\t\t\t\t\t

            Other mistakes you should also avoid <\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
            \n\t\t\t\t
            \n\t\t\t\t\t\t\t\t\t

            In addition to the big five, there are other common mistakes that you should keep an eye out for:<\/p>

            • Not performing secure and frequent backups<\/strong>.<\/li>
            • Not encrypting sensitive information<\/strong>, either in transit or at rest.<\/li>
            • Using Wi-Fi without adequate security<\/strong>, especially in small or mobile locations.<\/li>
            • Not performing penetration tests or external audits<\/strong>.<\/li>
            • Not having a clear BYOD<\/strong> (Bring Your Own Device) policy.<\/li><\/ul>

              \u00a0<\/p>

              Each of these mistakes may seem minor, but together, they can be the Achilles heel of your corporate cybersecurity<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

              \n\t\t\t\t\t
              \n\t\t\t\t
              \n\t\t\t\t
              \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
              \n\t\t\t\t
              \n\t\t\t\t\t

              Are you interested in cybersecurity? <\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
              \n\t\t\t\t
              \n\t\t\t\t\t\t\t\t\t

              At TRUST lab we share exclusive content, updates and practical tips on digital privacy, data protection and cybersecurity. \ud83d\udee1\ufe0f
              Subscribe to our newsletter and stay one step ahead.<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

              \n\t\t\t\t
              \n\t\t\t\t\t\t\t
              \n
              \n

              <\/p>

                <\/ul><\/div>\n
                \n
                \n<\/fieldset>\n