To mark Cybersecurity Awareness Month, our October poll question asked: What online risks do users underestimate the most?
Let's look at the responses, starting with the three risks that received the most mentions:
1. Poor password hygiene
Weak or reused passwords turn one compromise into many. Because people reuse passwords, a single leaked credential can unlock email, SaaS, VPN, and admin consoles through credential stuffing. Attackers need neither sophistication nor resources: a breached credential list and a bot are enough.
Tips to reduce the risk:
- Deploy a password manager and make it the default way to log in.
- Require unique, long passphrases (16–20+ characters) or, better still, use passkeys.
- Ban password reuse across accounts.
- Block breached/common passwords using a deny list.
- Turn on MFA everywhere.
- Use a privileged access management (PAM) solution for privileged accounts (not a spreadsheet!).
- Disable legacy/basic authentication and shared mailbox passwords.
- Harden self-service recovery (no SMS fallback when possible; require a strong second factor).
- Watch for credential-stuffing signals: many distinct usernames failing from one source in a short window, repeated failures from new networks, and a successful sign-in from an unfamiliar network right after such a burst.
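As an added example (not part of the original post, and not a Devolutions product), the Python script below runs two of those credential-stuffing checks over constructed sign-in log lines: a sliding window that flags a source IP trying many distinct usernames with a high failure rate, and a check for successful sign-ins from a network the user has never used before, escalated when that network is also a spray source. The log format, the addresses and the per-user "known network" baseline are all invented for illustration; the thresholds (5 users, 80% failures, 5-minute window) are starting points to tune against your own sign-in volume.

```python
"""Credential-stuffing signals over sign-in events (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in an invented format; not from any real system.
# 203.0.113.7 tries six different usernames in five seconds (stuffing pattern),
# carol mistypes her password twice from her usual network (benign), and
# dave signs in from a network he has never used before.
SAMPLE_LOG = """\
2024-10-02T09:00:01Z user=alice ip=198.51.100.10 result=success
2024-10-02T09:00:05Z user=alice ip=203.0.113.7 result=fail
2024-10-02T09:00:06Z user=bob ip=203.0.113.7 result=fail
2024-10-02T09:00:07Z user=carol ip=203.0.113.7 result=fail
2024-10-02T09:00:08Z user=dave ip=203.0.113.7 result=fail
2024-10-02T09:00:09Z user=erin ip=203.0.113.7 result=fail
2024-10-02T09:00:10Z user=frank ip=203.0.113.7 result=success
2024-10-02T09:05:00Z user=bob ip=198.51.100.20 result=fail
2024-10-02T09:05:30Z user=bob ip=198.51.100.20 result=success
2024-10-02T10:00:00Z user=carol ip=198.51.100.30 result=fail
2024-10-02T10:00:20Z user=carol ip=198.51.100.30 result=fail
2024-10-02T10:00:40Z user=carol ip=198.51.100.30 result=success
2024-10-02T11:00:00Z user=dave ip=192.0.2.55 result=success
"""

# Constructed per-user baseline of networks seen in prior sign-ins (assumption:
# in production this would be built from, say, 30 days of identity-provider logs).
KNOWN_IPS = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.20"},
    "carol": {"198.51.100.30"},
    "dave": {"198.51.100.40"},
    "erin": {"198.51.100.50"},
    "frank": {"198.51.100.60"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts with a timezone-aware datetime; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """One source IP trying many distinct usernames, almost all failing, within a window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if e["result"] != "success")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                alerts.append({"ip": ip, "users": len(users), "attempts": len(span),
                               "failures": fails, "first": span[0]["ts"], "last": span[-1]["ts"]})
                break  # one alert per source IP is enough for triage
    return alerts


def detect_new_network_success(events, known_ips, spray_ips):
    """Successful sign-ins from a network the user has never used; mark ones from spray sources."""
    alerts = []
    for ev in events:
        if ev["result"] != "success" or ev["ip"] in known_ips.get(ev["user"], set()):
            continue
        alerts.append({"user": ev["user"], "ip": ev["ip"], "ts": ev["ts"],
                       "spray_source": ev["ip"] in spray_ips})
    return alerts


def run(log_text=SAMPLE_LOG, known_ips=KNOWN_IPS):
    """Run both detections; the spray sources feed the severity of the new-network check."""
    events = parse_events(log_text)
    spray = detect_spray(events)
    new_net = detect_new_network_success(events, known_ips, {a["ip"] for a in spray})
    return spray, new_net


if __name__ == "__main__":
    spray, new_net = run()
    for a in spray:
        print(f"SPRAY   {a['ip']}: {a['users']} users, {a['failures']}/{a['attempts']} failures")
    for a in new_net:
        sev = "HIGH" if a["spray_source"] else "MEDIUM"
        print(f"{sev:7} {a['user']} succeeded from new network {a['ip']} at {a['ts']:%H:%M:%S}")
```

Against the constructed data this flags 203.0.113.7 as a spray source, rates frank's success from that address as high severity, rates dave's success from an unknown network as medium, and says nothing about carol's two typos from her usual network. The "one success after a burst" case is the one that matters most: it is where a reused password has just been validated, and session revocation plus a forced reset should follow.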
2. Phishing
Phishing is the front door to a large share of breaches. It sidesteps technical controls by tricking users into handing over credentials or running malware. One click can hand an attacker a session token, or trigger an MFA prompt that the victim approves without thinking.
Tips to reduce the risk:
- Deliver regular training (e.g., quarterly) with real examples.
- Add a one-click “Report phishing” button in your mail client and route reports to IT for quick action.
- Use phishing-resistant authentication where possible (especially for admins and remote access), such as passkeys as noted above.
- Harden email posture: enforce SPF, DKIM, and DMARC; flag external senders; watch for look-alike domains.
- Protect links and attachments by enabling sandboxing, blocking executable attachments, and disabling Office macros by default.
- Blunt MFA fatigue attacks by rate-limiting push prompts, requiring number matching, or moving to device-bound approvals.
- Lock down app/OAuth consent: require admin approval for new integrations, and regularly remove unused or over-privileged apps.
- Improve browser hygiene by keeping browsers/extensions updated, using DNS/web filtering, and maintaining a separate profile for admin work.
- Require a second channel for wire transfers and vendor bank-change requests.
- Have a response playbook that covers the basics: isolate the device, revoke sessions/tokens, force password reset, and review recent sign-ins.
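The "harden email posture" tip above is easy to get half right: a DMARC record with p=none, or an SPF record ending in ~all with no DMARC enforcement behind it, looks configured but still lets spoofed mail through. As an added example (not code from the original post or from Devolutions), the Python below evaluates SPF and DMARC TXT records and reports the weak settings next to a correctly hardened pair. The two domains and their records are constructed; in practice you would feed it the TXT records you pull from DNS for your own domain and its _dmarc subdomain. The lookup count is a top-level approximation and is labelled as such: nested includes add to the real total.

```python
"""Flag weak SPF and DMARC records (added example; constructed records, not live DNS)."""

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records for two made-up domains; nothing here was resolved from DNS.
SAMPLE_DOMAINS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ptr ~all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example",
    },
}


def _mech_name(term):
    """'include:_spf.x' -> 'include', '~all' -> 'all', 'ip4:1.2.3.0/24' -> 'ip4'."""
    t = term.lower().lstrip("+-~?")
    for sep in (":", "/", "="):
        t = t.split(sep, 1)[0]
    return t


def evaluate_spf(record):
    """Return a list of 'code: explanation' findings; an empty list means nothing flagged."""
    if not record:
        return ["spf-missing: no SPF record, so receivers cannot reject forged envelope senders"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["spf-invalid: record must start with v=spf1"]
    findings = []
    tail = terms[-1].lower()
    if tail in ("all", "+all"):
        findings.append("spf-pass-all: '+all' lets any host on the internet send as this domain")
    elif tail == "?all":
        findings.append("spf-neutral-all: '?all' gives receivers no signal either way")
    elif tail == "~all":
        findings.append("spf-softfail: '~all' only softfails; pair it with DMARC enforcement")
    elif tail != "-all":
        findings.append("spf-no-all: no terminal 'all'; unlisted hosts evaluate as neutral")
    lookups = sum(1 for t in terms[1:] if _mech_name(t) in LOOKUP_MECHS)
    if lookups > 10:  # nested includes add more; this is the top-level count only
        findings.append(f"spf-lookups: {lookups} lookup terms at the top level; RFC 7208 caps evaluation at 10")
    if any(_mech_name(t) == "ptr" for t in terms[1:]):
        findings.append("spf-ptr: 'ptr' is slow, unreliable and discouraged by RFC 7208")
    return findings


def evaluate_dmarc(record):
    """Return findings for a DMARC TXT record; None means the _dmarc record is absent."""
    if not record:
        return ["dmarc-missing: without DMARC, SPF/DKIM results are never tied to the From: domain"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["dmarc-invalid: record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["dmarc-invalid: missing or unknown p= tag"]
    findings = []
    if policy == "none":
        findings.append("dmarc-p-none: monitoring only; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"dmarc-pct: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("dmarc-no-rua: no aggregate reports, so you cannot see who is spoofing you")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("dmarc-sp-none: subdomains are left unprotected while the apex is enforced")
    return findings


def assess(domains):
    """Map each domain name to its combined SPF + DMARC findings."""
    return {name: evaluate_spf(rec.get("spf")) + evaluate_dmarc(rec.get("dmarc"))
            for name, rec in domains.items()}


if __name__ == "__main__":
    for name, findings in assess(SAMPLE_DOMAINS).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

For the constructed data, strong.example comes back clean while weak.example is flagged five times: softfail-only SPF, a deprecated ptr mechanism, a monitoring-only DMARC policy, a 50% rollout, and no aggregate reporting address. DKIM is not checked here because it needs the selector names and a signed message rather than a single DNS record, but the same idea applies: verify that signing is actually enabled on every sending system, not just that a key is published.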
3. Outdated software
Unpatched systems are low-hanging fruit. Known vulnerabilities get mass-scanned and exploited within days, sometimes hours, of disclosure. Many organizations underestimate this because patching is easy to defer, right up until an exposed edge service gets hit.
Tips to reduce the risk:
- Treat patch management as a top priority, not as something you'll get to "when you have the time" and "things aren't so busy."
- Use tools that automatically scan, download, and install patches on a schedule.
- Keep it centralized: use one approach so that OS, browsers, and key apps get updated together.
- Patch what’s exposed first: prioritize internet-facing services and actively exploited vulnerabilities.
- Act on urgent vendor notices immediately; apply or mitigate the same day when severity is high.
Other risks
Here are some of the other online risks that community members feel are underestimated and ignored:
- Spoofing/rogue or fake websites
- Pretexting & impersonation attacks
- Zero-day vulnerabilities
The winners
Congratulations to our two randomly selected poll participants, Chris Franzen and Gareth Johnstone!
They have each won a $25 Amazon gift card. To claim your prize, please email asguerin@devolutions.net.
Thank you to everyone who participated in the October poll. With November underway, a new poll question will be ready soon. Stay tuned!