Susan Regularly Violates Her Organization's Security Policies: Complete Guide

Susan’s Security Slip-Ups: Why Even Small Violations Matter

Let’s start with a scenario you might recognize. Susan is a mid-level marketing manager at a mid-sized tech firm. She’s sharp, driven, and good at her job—but she’s also the person who clicks “Reply All” on internal emails without thinking, shares files via Dropbox instead of the company’s secure portal, and occasionally uses her personal email for client communications. Her coworkers joke that she’s “always in a hurry.” But here’s the thing: Susan’s habits aren’t just quirks. They’re security risks that could expose her company to breaches, data leaks, or compliance nightmares. And she doesn’t even realize it.

This isn’t about blaming Susan; it’s about a pattern that plays out in workplaces everywhere. Employees like her—well-meaning, busy, and unaware—are often the weakest link in an organization’s security chain. Whether it’s a misplaced USB drive, a forgotten password reset, or a careless click on a phishing link, these small violations add up. And the consequences? They’re far bigger than most people imagine.

So why does this matter? Because security isn’t just an IT problem. It’s a human problem. And if Susan’s story sounds familiar, you’re not alone. Let’s break down what’s really going on.


What Is Susan Violating? The Basics of Security Policies

Susan’s violations aren’t random. They’re rooted in specific security policies designed to protect her company. Let’s unpack what those policies typically cover and where she’s falling short.

Data Handling: The Dropbox Dilemma

One of Susan’s biggest mistakes is using Dropbox to share sensitive files. Her company has a secure file-sharing platform, but she finds it “clunky.” Instead, she uploads client contracts, project budgets, and internal memos to Dropbox and sends links via email.

Here’s the problem: Dropbox isn’t encrypted end-to-end. If her account gets hacked, those files are fair game. Worse, she’s sharing them with external vendors who might not have the same security standards. This violates her company’s data classification policy, which requires all sensitive information to stay within approved tools.
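Policies like this are usually backed by a technical control, not just a rule in a handbook. The script below is an added example (not code from the original article) of the kind of check a security team might run over web proxy logs to find uploads going to consumer file-sharing services instead of the approved portal. The log format, the portal host name `portal.example-corp.internal`, the list of unapproved domains and the sample log lines are all constructed for illustration.

```python
"""Flag uploads to unapproved file-sharing services in web proxy logs.

Added example, not from the original article. The log line format, the
host names and the list of unapproved domains are hypothetical.
"""
import re
from collections import defaultdict

# Hypothetical: the company's approved file-sharing portal.
APPROVED_SHARING_HOSTS = {"portal.example-corp.internal"}

# Consumer sharing services the data classification policy does not allow
# for sensitive files (illustrative list; Dropbox uploads go via its API host).
UNAPPROVED_SHARING_DOMAINS = {"dropbox.com", "dropboxapi.com", "wetransfer.com"}

UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample proxy log: timestamp user method host path bytes_out
SAMPLE_PROXY_LOG = """\
2024-05-06T09:12:01Z susan POST content.dropboxapi.com /2/files/upload 2048000
2024-05-06T09:12:05Z susan GET www.dropbox.com /home 512
2024-05-06T09:20:44Z ravi PUT portal.example-corp.internal /files/q2-budget.xlsx 3100000
2024-05-06T09:31:17Z susan POST content.dropboxapi.com /2/files/upload 6400000
2024-05-06T10:02:09Z lee GET www.bbc.co.uk /news 120
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_unapproved_sharing_host(host):
    """True if host is, or is a subdomain of, a listed unapproved service."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in UNAPPROVED_SHARING_DOMAINS)


def find_unapproved_uploads(log_text, min_bytes=100_000):
    """Return {user: {"events", "bytes", "hosts"}} for uploads that bypass
    the approved portal and land on an unapproved sharing service."""
    findings = defaultdict(lambda: {"events": 0, "bytes": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        host = rec["host"].lower()
        if host in APPROVED_SHARING_HOSTS or not is_unapproved_sharing_host(host):
            continue
        if rec["bytes"] < min_bytes:  # ignore tiny requests (page loads, pings)
            continue
        f = findings[rec["user"]]
        f["events"] += 1
        f["bytes"] += rec["bytes"]
        f["hosts"].add(host)
    return dict(findings)


if __name__ == "__main__":
    for user, f in find_unapproved_uploads(SAMPLE_PROXY_LOG).items():
        print(f"{user}: {f['events']} upload(s), {f['bytes']} bytes to {sorted(f['hosts'])}")
```

Only Susan's two large POSTs to the Dropbox API host are reported; Ravi's upload to the approved portal and the small GET requests are ignored. In practice this kind of check feeds a conversation with the user and a review of what was uploaded, rather than an automatic block.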

Password Practices: The “Easy to Remember” Trap

Susan uses the same password for her work email, personal social media, and even her home Wi-Fi. It’s “easy to remember,” she says. But that’s exactly why it’s dangerous. If one of those accounts is compromised, hackers can pivot to her work email and access confidential data.

Her company’s policy mandates unique, complex passwords for each account and requires multi-factor authentication (MFA). Yet Susan skips MFA, calling it a “hassle.” She’s not alone—many employees disable MFA because it adds an extra step. But that step is the difference between a breach and a near-miss.

Email Security: The Personal Account Pitfall

Susan occasionally uses her personal Gmail for client outreach. “It’s faster,” she argues. But her personal email isn’t monitored for security threats. If a phishing email slips through, she might click it without realizing it’s malicious. Worse, her personal account isn’t subject to her company’s email filtering rules, which block suspicious attachments and links.

This violates her organization’s policy on approved communication channels. All client-facing emails must go through the company’s domain to ensure they’re scanned for malware and phishing attempts.


Why It Matters: The Real Cost of Small Violations

Susan’s habits might seem harmless, but they’re not. Here’s why even minor security lapses can have catastrophic consequences.

Data Breaches: The Silent Killer

A single careless click can open the door to a data breach. Imagine a hacker gaining access to Susan’s Dropbox account. They could steal client data, sell it on the dark web, or use it to blackmail the company. The fallout? Legal fees, regulatory fines, and a loss of customer trust.

In 2023, the average cost of a data breach was over $4.45 million, according to IBM. That’s not a number Susan’s company can afford to ignore.

Compliance Nightmares

Many industries—like healthcare, finance, and government—are governed by strict regulations like HIPAA, GDPR, or PCI-DSS. If Susan’s violations lead to a breach, her company could face hefty fines. As an example, a GDPR violation can cost up to 4% of global revenue.

Even if her company isn’t in a regulated industry, non-compliance with internal policies can still lead to audits, reputational damage, and internal disciplinary action.

Reputational Damage: The Long-Term Hit

Customers and partners don’t just care about data. They care about trust. If Susan’s actions lead to a breach, the company’s reputation could take years to rebuild. Think about it: Would you trust a business that let a single employee’s carelessness expose your data?


How It Works: The Mechanics of Security Violations

Susan’s mistakes aren’t isolated. They’re part of a larger pattern of human error that security teams see daily. Let’s walk through how these violations typically unfold.

The Phishing Trap

Susan receives an email that looks like it’s from her boss, asking her to “verify” a payment. She clicks the link, thinking it’s routine. But the link leads to a fake login page. She enters her credentials, and boom—her account is compromised.

This is a classic phishing attack. Her company’s email filters might catch some of these, but not all. And if she’s using her personal email for work, she’s even more vulnerable.
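The corporate email filters mentioned above typically look at the links in a message, not just the sender. Below is an added example (not code from the original article) of three simple link checks a filter or a security team can apply: display text that names one site while the href points to another, a corporate brand name buried inside an unrelated host, and a raw IP address in place of a host name. The corporate domain `example-corp.com` and the email body are constructed for illustration.

```python
"""Flag suspicious links in an email body.

Added example, not from the original article. The corporate domain and the
sample HTML are hypothetical; the checks are deliberately simple.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical corporate domain that phishing mail tries to imitate.
CORPORATE_DOMAIN = "example-corp.com"

# Constructed sample: a "verify this payment" lure like the one Susan received.
SAMPLE_EMAIL_HTML = """\
<p>Hi Susan, please <a href="https://login.example-corp.com.verify-payment.net/auth">verify this payment</a> today.</p>
<p>Or open the portal: <a href="http://203.0.113.10/login">https://portal.example-corp.com</a></p>
<p>Regards, <a href="https://www.example-corp.com/team">Finance team</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def is_corporate_host(host):
    """True only for the corporate domain itself or a real subdomain of it."""
    return host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN)


def analyse_links(html):
    """Return a list of findings, one per suspicious link, with the reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        # 1. The visible text shows a URL whose host differs from the real target.
        shown = re.search(r"https?://[^\s/]+", text)
        if shown and host_of(shown.group(0)) != host:
            reasons.append("display-url mismatch")
        # 2. The brand appears inside the host, but the host is not ours
        #    (e.g. login.example-corp.com.verify-payment.net).
        if CORPORATE_DOMAIN in host and not is_corporate_host(host):
            reasons.append("lookalike host")
        # 3. A bare IP literal instead of a host name.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address")
        if reasons:
            findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL_HTML):
        print(f"{f['host']}: {', '.join(f['reasons'])}  <- shown as '{f['text']}'")
```

The first link is flagged as a lookalike host, the second for both a display/target mismatch and a raw IP address, and the genuine `www.example-corp.com` link passes. Real filters add reputation lookups and many more heuristics, but the point stands: a scan like this only happens on mail that passes through the company's domain, which is exactly what Susan bypasses when she uses her personal account.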

The USB Drive Dilemma

Susan finds a USB drive in the office break room. It’s labeled “Confidential Project.” She plugs it into her laptop to see what’s on it. Unbeknownst to her, the drive contains malware. Now her device—and the company network—are infected.

This is a common tactic used by attackers. Employees often assume lost or found devices are safe, but they’re not.

The Unsecured Wi-Fi Risk

Susan works from a café and connects to a public Wi-Fi network. She assumes it’s safe because she’s using a VPN. But if her VPN isn’t properly configured, her data could still be intercepted.

Public Wi-Fi networks are notoriously insecure. Even with a VPN, there’s a risk of man-in-the-middle attacks. Her company’s policy likely requires employees to use a corporate VPN or avoid public networks altogether.


Common Mistakes: What Most People Get Wrong

Susan isn’t the only one making these errors. Here are the most frequent security mistakes employees make—and why they’re so dangerous.

Ignoring Training

Many employees skip security training because it’s “boring” or “not relevant.” But that’s exactly why it’s critical. Training teaches them how to spot phishing emails, handle sensitive data, and use approved tools. Without it, they’re flying blind.

Overlooking Updates

Susan’s laptop hasn’t been updated in months. She assumes her IT team handles it, but if she’s not prompted to install updates, she might miss critical security patches. Outdated software is a prime target for attackers.

Sharing Passwords

Susan lets a colleague use her login to “help” with a project. That’s a violation of her company’s password policy. Sharing credentials is a major risk, as it removes accountability and increases the chance of misuse.

Using Unapproved Apps

Susan downloads a free productivity app to streamline her workflow. But the app isn’t vetted by her IT department. It could contain malware or collect her data without her knowledge.


Practical Tips: What Actually Works

Susan’s mistakes are fixable. Here’s how she—and her company—can turn things around.

1. Invest in Regular Training

Security awareness training isn’t a one-time event. It should be ongoing, with real-world scenarios and quizzes. Employees like Susan need to understand the “why” behind policies, not just the “what.”

2.
