Revealed – One in five UK employees have shared work passwords externally

New findings show how routine workplace behaviour is widening the attack surface for UK businesses.

By Josh Recamara

One in five employees have shared work login details or passwords with someone outside their organisation, according to new research from Gallagher, raising concerns that everyday workplace habits are leaving UK businesses more exposed to cyber attack. The behaviour includes sharing passwords with family or friends for device access, or passing logins for social media accounts, client portals, subscriptions and admin systems to freelancers, suppliers, agencies and IT providers.

The password-sharing finding sits within a wider pattern of employees prioritising convenience over security. Almost half (45%) of employees in the UK and Ireland said they always or often reuse the same or similar passwords across personal and work accounts, meaning credentials exposed in a personal data breach could just as easily unlock workplace systems. More than a quarter (26%) said they had moved company data onto personal devices or storage accounts to make their work easier, leaving businesses less able to track where sensitive information sits. One in four (25%) regularly delay installing security updates on work devices, and more than one in four (28%) view the use of cloud services or AI tools involving company data as low risk.

A 2024 study by cybersecurity firm Mimecast - the most recent available - found that human error contributed to 95% of data breaches that year, driven largely by insider threats, credential misuse and user mistakes.

Social engineering in the spotlight after retailer attacks

The findings arrive in the wake of high-profile cyber incidents at UK retailers that exposed how human behaviour, not just technical defences, determines whether an attack succeeds. Marks & Spencer, the Co-op and Harrods were all targeted in 2025 by the hacking group Scattered Spider, which impersonated employees in calls to IT help desks and persuaded staff to reset passwords and multi-factor authentication on privileged accounts. The M&S breach kept online ordering offline for roughly six weeks and was estimated to have cost the retailer around £300 million in lost profit. Gallagher's research suggests the vulnerabilities Scattered Spider exploited are not exceptional - they are routine.

Separate Gallagher and CEBR research estimated large UK businesses spent £51.2 million in staff time responding to cyber incidents in 2025, alongside £226.7 million in direct response costs covering investigation, containment and remediation.

Market implications for UK cyber insurers

The findings arrive as the UK cyber insurance market remains firmly in soft-market territory, with brokers reporting that pricing for SME and mid-market risks has continued to fall even as claims frequency rises. Insurers are competing increasingly on policy breadth and added services rather than price, while tightening underwriting scrutiny of access controls. Multi-factor authentication on admin, remote and email access, alongside endpoint detection and evidence of regular patching, are now standard preconditions for cover - putting Gallagher's findings on password reuse and delayed updates squarely in underwriters' sights.

A UK protection gap persists alongside this. Cyber insurance take-up among UK SMEs sits at just over 40%, compared with around 63% for medium-sized firms and roughly 70% among FTSE 100 companies. Brokers have noted that recent incidents affecting supply chains - including the Jaguar Land Rover ransomware attack - have shifted SME buying behaviour by reframing cyber cover around business interruption and supplier dependency rather than data loss alone.

Regulatory pressure is building. The Cyber Security and Resilience Bill, which would tighten incident reporting duties and widen the scope of regulated entities to include managed service providers and data centres, is progressing through the House of Lords after clearing the Commons, with Royal Assent expected later in 2026. The National Cyber Security Centre reported 204 nationally significant incidents in its most recent annual reporting period, more than double the number recorded in the prior year.

"The challenge for businesses is that cyber risk is no longer just about defending against sophisticated attacks. It is also about making sure employees understand how routine decisions can expose the organisation to disruption, data loss and reputational damage. Training, clear policies and strong controls all have an important role to play," said Andrew Marvin, client service director at Gallagher. "But businesses should also understand what happens if those controls fail, including how their insurance would respond if human error contributed to a cyber incident."

The findings add to a growing body of evidence that insurers and brokers are treating employee behaviour, not just technical defences, as a core underwriting concern in an increasingly competitive UK cyber market.