
Overlooked vulnerabilities that open the door to cyberattacks
Hackers and cyberattackers don’t always need to use high-tech hacking tools to access corporate networks and sensitive data. Sometimes, they just pass through gateways left wide open by carelessness or error.
This is according to Chris Bester, Consultant in Cybersecurity Management & Governance at BCX, who says many breaches don’t happen because of sophisticated zero-day attacks, but rather because of small, everyday slip-ups.
Speaking during a Cybersecurity Awareness month podcast hosted by BCX, Bester noted that many common under-the-radar vulnerabilities are exploited by cybercriminals – from using public Wi-Fi, unprotected personal devices and weak passwords, to vulnerable home networks used by remote employees.
“Unfortunately, convenience often trumps vigilance. People plug a phone in anywhere to charge it, or make use of the Wi-Fi because it’s free. Combating it comes down to education. Corporates must make vigilance part of their culture,” he says.
“The man in the street is often ignorant of the need for basic protection, and is unwilling to pay for it. There are some horror stories on the internet about what happens when people aren’t vigilant.
People don’t think about the risks of not securing their home networks, or plugging their corporate device into their home network.”
Soaring cybercrime
Bester says that cyberattacks don’t just affect corporations – they can have a direct impact on human lives, for example when attackers target infrastructure such as water-processing plants.
Interpol reports that cybercrime – and ransomware in particular – has soared in Africa in the past year. The 2025 Interpol Africa Cyberthreat Assessment Report finds that online scams, particularly phishing, are the most frequently reported cybercrimes among Interpol member countries in Africa, while ransomware and business email compromise remain widespread.
Between 2019 and 2025, cyber-incidents across the continent resulted in estimated financial losses of over $3 billion, with the finance, healthcare, energy and government sectors among the hardest hit.
This is in line with global trends, with cybercrime proliferating worldwide, partly due to efficiencies criminals have gained by using automation and artificial intelligence (AI) to help carry out their attacks.
Despite the new technologies available to cybercriminals, human error and a lack of basic cyber-hygiene remain prime reasons why organisations fall victim to cybercrime.
While many organisations keep details of attacks under wraps, South Africa has seen a number of noteworthy attacks in recent years.
In June this year, a ransomware attack on South Africa’s National Health Laboratory Service disrupted patient care and medical decision-making for some time after the attack. The attack was apparently launched via a phishing email.
The South African Weather Service suffered serious disruptions due to a hack of its systems earlier this year, also reportedly after a phishing attack.
Earlier this year, Pam Golding’s CRM system was breached via a user account, and personal information was leaked.
Overseas, a particularly noteworthy Business Email Compromise (BEC) attack saw a finance worker at a multinational engineering company in Hong Kong paying over $25 million to fraudsters after a videocall in which deepfakes of his senior colleagues instructed him to do so.
Attacks like these can cost organisations dearly in direct financial losses, remediation costs, downtime and reputational damage, Bester says.
Common risks to businesses
Bester highlighted several areas that are often overlooked, yet could put organisations at risk of cyberattacks.
“There’s quite a debate around passwords, and big players are moving to have biometric backup for identity management. There’s also a profound shift towards a passwordless environment and future-proofing identity,” Bester notes.
In remote work environments, routers with default credentials and IoT devices with poor security pose risks when people work from home.
BYOD (bring-your-own-device) policies put potentially unsecured devices on the corporate network, giving them access to sensitive data within the organisation. Accountability and moving protection to the network layer could help mitigate these risks, Bester said.
Employees working on the go using public Wi-Fi can put the business at risk through Wi-Fi eavesdropping, “evil twin” hotspots and session hijacking.
USB drives also pose a threat to organisations, presenting risks like malware infections, data theft, and unauthorised access.
Legacy technology such as old laptops, servers and even printers may still be connected to company networks, but because they are no longer in active use, they are forgotten and left unpatched. In addition, smart devices such as air conditioners and CCTV systems may be overlooked as security risks, even though they are connected to the organisation’s networks.
Weak or reused passwords are another vulnerability, Bester says. Many people reuse the same password for all applications, or use short or insecure passwords, and businesses can’t always control this. Password managers and two-factor authentication can reduce the risk of weak passwords, while a Zero Trust approach – in which organisations implement least privilege access control – is becoming the preferred method for reducing risks due to weak or stolen login credentials.
Everyday digital hygiene
Podcast host Garith Peck, Managing Executive of Cybersecurity at BCX, comments: “It’s everyday digital habits that quietly shape our digital resilience. The future of cybersecurity won’t just be decided by new technologies, AI or Zero Trust – it will depend on how consistently we get the basics right. Digital hygiene is about the small, repetitive actions that create resilience over time.”
He highlighted basic cybersecurity hygiene measures to address overlooked vulnerabilities:
- Use strong, unique passwords, or consider a password manager.
- Enable multi-factor authentication wherever it’s available.
- Keep all device software and firmware up to date.
- Keep a comprehensive asset register, including all devices connected to the network, and ensure that all digital assets are patched and up to date.
- Avoid doing sensitive work (banking, confidential login) over public Wi-Fi. If you must, use a VPN.
- Secure your home Wi-Fi: change default router logins, update firmware, and separate IoT devices on a different network if possible.
- Be careful of the apps you install; review all permissions before installing them.
- Back up your data regularly and ensure backups are secure and immutable.
- Don’t use AI platforms such as ChatGPT to process or summarise sensitive company information.
“It’s the small things done consistently that make the difference in many things, particularly cybersecurity,” Bester comments.
Pick one hygiene tip that we’ve shared and implement it. Maybe update your router’s firmware, or change a weak password, and keep working towards better cybersecurity.
To listen to the full podcast, go to https://bcx.dev.treemind.solutions/bcx-connects/