How a Small Mistake Turned Into a Big Wake-Up Call About Cyber Security
We talk a lot about cyber security in business: frameworks, compliance, best practice, fancy tools that promise the world. But most of the real damage I see doesn’t start with some complex breach or a Hollywood-style cyber attack. It starts with something any of us could easily do.
A friend of mine recently went through exactly that. She kindly let me share her story because it shows what actually causes risk and how quickly things spiral when the basics aren’t in place.
This isn’t a scare story, it’s just real life. And it’s exactly why I’m so passionate about helping smaller businesses get the foundations right before anything else.
A Password That Had Been Around Since Forever
Like most of us, she had an email address she’d had since childhood, a Yahoo account her dad set up when she was about ten. The password had “evolved” over the years but it was just variations of the same thing.
Nothing unusual there. In fact, this is the most common security issue I come across with founders, teams, and even IT-literate people. We reuse, we repeat, we tweak a number here or there, which feels harmless.
Until it isn’t.
It turned out that years ago she’d used that same password on an old Tumblr account. That account had been hacked, the password ended up on the dark web, and eventually someone tried it on her email.
And they got straight in.
The Two-Factor Issue That Made Everything Worse
She did have two-factor authentication set up, which is great. But it was connected to an app on her phone rather than a separate email or number. That meant the attacker simply downloaded the same app, reset the password for it, and gained control of the second factor too.
Once they were in her email, they could see everything. One-time passwords for other accounts, personal documents, old rental applications with her passport photo attached. The kind of information you don’t want landing in anyone else’s hands.
This is the bit people underestimate. Email is the golden key: if someone has access to your inbox, they can reset pretty much anything.
And it all came from one reused password.
It Can Happen to Anyone
“I literally talk about cyber security all the time at work. My work accounts are so secure. But my personal stuff? I’ve been an idiot.”
This is so common across the start-up and SME space. People know what “good” looks like, but when life gets busy, personal accounts, old logins, and convenience take priority. And that’s exactly where attackers focus: not the fancy tools, the common human habits.
She handled everything brilliantly, by the way. Contacted Action Fraud UK, got a Cifas marker, locked down every account and has now become an evangelist for strong passwords and proper 2FA.
But it shouldn’t take a crisis to get there.
What She Changed Immediately
Here are the changes she made, and honestly, these are the exact basics I wish every founder and team member put in place:
1. Unique, strong passwords for every single login
Not variations. Not the same root word. Completely unique, randomly generated passwords stored in a password manager.
2. Proper multi-factor authentication
Not linked to the same app or device. Use an authentication app like Google Authenticator, backed up securely.
3. Backup recovery options
A separate email and a trusted phone number. Not just whatever’s easiest at the time.
4. Checking for password compromise alerts
Most people ignore these. She used to. Not anymore.
5. Treating personal accounts with the same seriousness as work accounts
Because attackers don’t care which one they get into, they just want a way in.
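One way to audit a password-manager export for exactly the two habits in this story (the same password reused across sites, and “evolved” variants of one root word), plus the privacy-preserving prefix split that compromise-check services use. This is an added example, not code from the original post; the vault entries and site names are constructed, and the Pwned Passwords prefix is computed locally with no network call.

```python
import re
from hashlib import sha1

# Constructed sample password-manager export: (site, password).
# Made-up values for this example, not real credentials.
SAMPLE_VAULT = [
    ("yahoo.com",    "Sunflower2009!"),
    ("tumblr.com",   "Sunflower2009!"),     # exact reuse: the Tumblr-to-email path
    ("bank.example", "Sunflower2023#"),     # the "evolved" version: same root word
    ("work.example", "v7$Qp2!kLm9#Xz4r"),   # randomly generated and unique
]


def root_of(password: str) -> str:
    """Strip digits, symbols and case so that 'Sunflower2009!' and
    'Sunflower2023#' both reduce to the shared root 'sunflower'."""
    return re.sub(r"[^a-z]", "", password.lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch tweaks that survive root_of (e.g. 'Sunflowr')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(vault, max_edits: int = 3):
    """Compare every pair of entries and report exact reuse and near-variants.
    Returns a list of (kind, site_a, site_b) with kind 'reused' or 'variant'."""
    findings = []
    for i, (site_a, pw_a) in enumerate(vault):
        for site_b, pw_b in vault[i + 1:]:
            if pw_a == pw_b:
                findings.append(("reused", site_a, site_b))
            elif levenshtein(pw_a, pw_b) <= max_edits or (
                root_of(pw_a) and root_of(pw_a) == root_of(pw_b)
            ):
                findings.append(("variant", site_a, site_b))
    return findings


def hibp_prefix(password: str) -> tuple:
    """k-anonymity split used by the Pwned Passwords range API: only the first
    five hex chars of the SHA-1 would leave the machine; the suffix is matched
    locally against the returned list. Computed here with no network call."""
    digest = sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


if __name__ == "__main__":
    for kind, a, b in audit(SAMPLE_VAULT):
        print(f"{kind:8} {a} <-> {b}")
```

Run against a real export, every “variant” finding is a candidate for replacement with a generated password, and the flagged sites are the ones a leaked copy of the root word would open.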
Why This Matters So Much for Start-Ups and SMEs
The reality is that 9 out of 10 breaches come down to human error, not some dramatic cyber attack. Smaller companies are hit the hardest because they’re juggling a million things at once and don’t always have trained security staff in-house.
Founders might be brilliant at what they do, but security maturity often lags behind because they’re moving quickly, rely on personal accounts for work, and haven’t had the time to put proper foundations down.
And as my friend’s story shows, the basics genuinely save you 80% of the time. It doesn’t have to be complex, expensive, or overwhelming. Sometimes it’s just getting the simple stuff right.
Risk Isn’t About Tech, It’s About Humans
If there’s one thing this story highlights, it’s that cyber security isn’t really about tools, frameworks, or certifications. Those things matter, of course, especially for companies trying to scale, close enterprise deals, or be taken seriously by investors.
But at its core, it’s all about behaviour.
The small decisions people make when they’re tired, distracted, or rushing.
It’s about the passwords left unchanged for 10 years.
Even thinking “I’ll sort it tomorrow”, and hoping nothing goes wrong today, is all part of it.
This is why I do what I do. Start-ups don’t need more confusion or fear-mongering. They just need clarity, human-first support, and someone who actually listens, not someone trying to sell them something they don’t need.
If There’s One Takeaway…
“It taught me to be way more vigilant. Things happen so quickly, and I didn’t realise how much information someone could get just from my email.”
And honestly, that’s the lesson for all of us. Cyber attacks start with people being human.
If you can tighten up those basics (passwords, 2FA, recovery routes, and avoiding reuse), you’re already miles ahead of most companies your size.
And it’ll save you a lot of stress later on.