Employees may be a company’s greatest asset, but they also remain the greatest cybersecurity risk, according to a Monday report from OpenVPN.

Despite an increased focus on security training, 25% of the 500 US employees surveyed report that they use the same password for every account, the report found. Another 23% of employees said they frequently click on links before verifying that they lead to a legitimate, safe website.

Of the employees that use the same password for everything, a whopping 81% said they do not password protect their computer or phone at all, according to the report.

SEE: Brute force and dictionary attacks: A guide for IT leaders (Tech Pro Research)

“Cybersecurity breaches are a matter of ‘when’ not ‘if,’ and organizations have to be ready to address hackers head on,” according to a blog post detailing the survey findings. “But with businesses so focused on external threats, they often overlook the role their own employees play in exposing vulnerabilities from inside an organization.

It should go without saying that reusing passwords is a risky behavior that can put an entire company at risk, as weak passwords can be more easily bypassed with brute force attacks. It can also cause damage to the individual, as using the same password to protect bank accounts, email, and social media can risk compromising both personal and work information, the post noted.

Traditional password best practices have recently changed: For example, the requirement of using a letter, a number, an uppercase, and a special character isn’t useful, and neither is the recommendation of changing your password every 90 days, according to Bill Burr, who published past password standards.

Instead, long, easy-to-remember phrases make the best passwords, Burr said. It is also recommended that users only be required to change their password if a breach has been suspected or confirmed.

Some employers are turning to biometric passwords such as fingerprints to enhance cybersecurity, the report found. These have generally been welcomed by employees: 77% said they trust biometric passwords, and 62% said they believe they are stronger than traditional alphanumeric codes, according to the survey. However, at this point, only about half of employees (55%) use biometric passwords.

Companies can protect their employees by creating a cyber hygiene routine that encourages workers to proactively think about their choices online, the post noted. Continuous security education and clear communication policies should be implemented at all organizations. Along with that, employers can promote positive reinforcement when employees make smart decisions, so that there is less fear to report cyber attacks. Instead of using scare tactics to warn about phishing or weak passwords, employers can think about rewarding or acknowledging individuals who embrace strong cyber hygiene.

“Building a work culture centered around good cyber hygiene takes time, but will ultimately

protect companies in the long run from online threats,” the post said. “When smart online habits become second nature, both employers and employees can better prevent hackers from taking advantage of otherwise stagnant security environments.”

Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • 25% of employees use the same password for every account. — OpenVPN, 2018
  • 23% of employees say they frequently click on links before verifying that they lead to a legitimate website. — OpenVPN, 2018