Key insights
- Almost half (45%) of UK and Ireland employees regularly reuse the same or similar passwords across personal and work accounts
- More than a quarter (26%) of workers have moved company data onto personal devices or storage accounts
- Human error contributed to 95% of data breaches in 20241, underscoring the role employee behaviour can play in cyber incidents

One in five employees have shared work login details or passwords with someone outside their organisation, according to new research by Gallagher, raising concerns that everyday shortcuts in the workplace could be making businesses more vulnerable to cyber-attacks.
This could include sharing passwords with family or friends to allow them to use devices or sharing logins for social media accounts, client portals, subscriptions and admin systems with freelancers, suppliers, agencies and IT providers.
The findings come after recent high-profile cyber incidents affecting major UK retailers placed renewed focus on human behaviour and internal processes in cyber resilience. Recent reports2 suggested attackers used social engineering tactics to target IT help desks and reset employee passwords at these firms, showing how criminals can exploit people and processes, not just technical weaknesses.
According to Gallagher's research, almost half (45%) said they always or often use the same or similar passwords across personal and work accounts, creating a risk that credentials compromised through phishing or data breaches could be used to exploit workplace systems.
These behaviours may appear minor in isolation, but they can create the access points cyber criminals need to compromise systems, disrupt operations and expose businesses to significant financial and reputational fallout. Recent Gallagher and CEBR analysis found this fallout can be substantial, with cyber-attacks costing large UK businesses an estimated £11.7 billion in 2025, including £5.4 billion in operational disruption and £3.7 billion in litigation costs*.
The litigation risk is heightened for businesses when the cause of an incident can be linked back to preventable employee actions or weak internal controls. With human error reported to have contributed to 95% of data breaches in 2024, Gallagher's findings suggest behaviours such as sharing passwords externally, reusing login details or moving company data onto personal devices could leave businesses more exposed if a cyber incident leads to legal action.
Convenience outweighs security considerations
The research also points to a wider pattern of employees prioritising convenience over these safeguards.
More than a quarter (26%) said they had moved company data onto personal devices or storage accounts to make their work easier. While this may seem like a harmless shortcut, it can make it harder for businesses to know where sensitive information sits, who has access to it and what may have been compromised if an incident occurs.
That lack of visibility can make cyber incidents slower and more expensive to manage. Gallagher and CEBR research estimated that large UK businesses spent £51.2 million in staff time responding to cyber incidents in 2025, alongside £226.7 million in direct response costs, including investigation, containment, remediation and external specialist support*.
At the same time, one in four (25%) workers regularly delay installing security updates on work devices, even though software patches are often designed to fix known vulnerabilities that cyber criminals may already be exploiting.
The findings also suggest that employees may be underestimating newer areas of cyber risk. More than one in four (28%) viewed the use of cloud services or AI tools involving company data as low risk, despite growing concerns around data leakage, unauthorised access and the handling of confidential business information.
Andrew Marvin, Client Service Director at Gallagher, said: "Most employees are not intentionally trying to put their organisation at risk, but everyday shortcuts can create exactly the kinds of openings cyber criminals look for. Sharing passwords, reusing login details or moving company data onto personal devices may feel harmless, but these behaviours can quickly undermine even robust cyber security systems.
"The challenge for businesses is that cyber risk is no longer just about defending against sophisticated attacks. It is also about making sure employees understand how routine decisions can expose the organisation to disruption, data loss and reputational damage. Training, clear policies and strong controls all have an important role to play. But businesses should also understand what happens if those controls fail, including how their insurance would respond if human error contributed to a cyber incident."
Methodology:
The research amongst workers was conducted by Censuswide among 2,000 employees across the UK and Ireland, including 1,500 respondents in the UK and 500 respondents in Ireland. The survey was carried out between 31 October 2025 and 4 November 2025.
*The analysis was conducted by the Centre for Economics and Business Research (CEBR) in February 2026, based on a survey of large UK businesses (250+ employees), weighted to be representative of the large-business population. The findings were scaled to an estimated universe of 7,400 firms and estimated the share of large firms experiencing a cyberattack in the last 12 months (69% of large businesses, around 5,077, in 2025).
Firms reporting no material negative outcome were excluded from the costing exercise. Among those experiencing an attack, approximately 6% reported no negative outcome, while the remainder reported one or more adverse impacts, including business disruption, data loss, reputational damage, legal costs, lost business, ransom payments, or regulatory fines.
Costs were estimated under a severe-outcome scenario, in which each affected firm is assumed to incur the cost of its single worst cyber incident, rather than an average incident. Unit costs for this specifically were sourced from PwC's Information Security Breaches Survey (2015), which reports costs associated with large organisations' single-worst breach.