The cyber hygiene habits that turn employees into security assets

Protecting your organization from quickly evolving cybersecurity threats starts with small, daily actions every employee can take
September 10, 2025 | By Darcy MacDonald



Cyberattacks often succeed not because of weak systems, but because of everyday human oversights. When an employee clicks on an invoice that looks legitimate, trusts a familiar voice on a routine call, or shares access to data with the wrong vendor, they can open the door to costly breaches.

Whereas cybersecurity at large protects your organization’s information and data, the concept of “cyber hygiene” encapsulates the habits, decisions, and awareness that can reduce risks. 

“Each individual plays a crucial role in protecting the most important asset of any organization: their data,” says Bob Besharat, chief product and technology officer at Portage CyberTech and instructor of Cybersecurity solutions at Concordia Continuing Education.

Drawing on his rich experience leading innovation and teaching professionals across industries, Besharat helps learners understand how daily responsibilities connect to real-world security risk.

“The modern workplace is no longer a castle with impenetrable walls, but a living ecosystem,” he says. “Security awareness must be built into the culture of the organization, practiced consistently, and supported at every level.”

Cyber hygiene basics that beat breaches

Cyber hygiene starts with habits that are easy to overlook but essential to get right. Password reuse is still a common vulnerability. Besharat emphasizes the importance of using strong, unique passwords for every system to prevent a breach on one platform from affecting others. Password managers simplify this process and should be seen as a baseline tool.

Multi-factor authentication, he says, is a foundational act of cyber hygiene and blocks countless unauthorized authentication attempts. 

Email is still one of the easiest ways in. Phishing breaches work because they often mimic daily tasks or common interactions with messages that arrive during busy moments. Hackers use AI to craft more personalized phishing attacks, making phishing one of the preferred methods for criminals. Spotting suspicious addresses, links and requests is a critical line of defense.

Device use also matters. Many professionals switch between personal and work devices, connect from public networks or ignore update prompts.

These small choices can expose company systems. 

Besharat encourages professionals to think critically about how and where they work. If a personal device connects to organizational systems, for example, it must meet internal security standards. The onus is on the user to confirm that.

Building knowledge that supports action

While prevention is vital to cybersecurity, Besharat advises employees to go a step further. He recommends that non-IT professionals learn basic incident response skills — knowing when to escalate and how to report something unusual. Saving a suspicious message or avoiding tampering with a compromised system can help IT respond faster and limit damage.

What successful cyber hygiene looks like

“A one-size-fits-all approach is insufficient in today’s complex threat landscape,” Besharat notes.

Developers need secure coding practices, finance teams must recognize evolving invoice fraud, and HR must guard against phishing aimed at employee data. That’s why a tailored approach helps create an organization-wide security posture.

Besharat points to hands-on, cross-functional training — like simulations and internal competitions — as especially effective. When training feels relevant to employees’ existing duties, they’re more likely to retain key information, stay engaged, and report issues faster. When professionals aren’t just avoiding mistakes but also actively protecting the organization, it’s a sign that cyber hygiene is working.

Staying ahead of smarter threats

Besharat highlights quickly evolving risks powered by AI, including personalized phishing emails and voice fraud known as vishing. In addition, deepfakes can simulate executive voices or video calls, and quantum computing may one day undermine existing encryption.

These trends may seem abstract, but their impact is tangible. 

Professionals must adopt a mindset where verification is expected, authentication is routine, and communication between teams is open and responsive. Organizations that normalize this culture are better equipped to respond and recover.

One person makes a big difference

While the organizational payoff is clear, individuals who expand their understanding of digital risk become more effective collaborators, Besharat explains. They can manage sensitive data confidently, communicate clearly with IT and lead secure, cross-functional projects — all of which increase both their visibility and their value.

“Cybersecurity is a multidisciplinary field that requires diverse perspectives,” Besharat says. “The ability to bridge the gap between technical and non-technical aspects, translate complex concepts into business language, and foster cross-departmental collaboration can be invaluable.”



© Concordia University