Patching and regular system updates matter for strong enterprise security. So does proactive threat detection, end-to-end encryption and good planning, among many other best practices. But no matter how strong your security stance, there always is a weak link in the chain: human error.

Employees are the biggest threat for enterprise security, and that fact will remain no matter what steps you take around IT security. For all their benefits, humans make mistakes. And that’s bad news for enterprise security.

The good news is that there are steps you can take to greatly reduce the damage from this human frailty. Chief among these steps is educating employees on security fundamentals and raising awareness so many of the most common security mistakes are avoided.

“One of the biggest challenges in preventing malware infections is the human factor,” says Limor Kessem, global executive security advisor for IBM Security. “Educating employees on the most current threats and social engineering ploys can go a long way in reinforcing [this] essential security control.”

Here are six security practices every employee should know.

1. Watch What You Click

Antivirus software and the seeming innocence of clicking around on the web have made employees lax about basic computer security. In the days of desktop installations, employees knew there was danger in using unknown software. Now that software is delivered through web browsers, though, security awareness has declined.

This is particularly true with clicking unknown links, both in email and on the web. Employees have learned to just click. Now they need to unlearn it.

“Create security awareness among employees on best practices to avoid being baited by malware,” stresses Sridhar Iyengar, vice president of product management for software management and security solution, ManageEngine. “Avoid clicking on unknown links, avoid opening unwanted emails, using apps from unknown sources, etc.”

Help employees understand that they should be wary of clicking or opening anything that comes from unknown people or web sites, arrives unexpectedly, or contains unusual spelling or special characters.

Teaching this to employees isn’t a one-time exercise, adds Iyengar. “Do it repeatedly and frequently.”

2. Use Strong Passwords

Financial web sites are notorious for requiring long or complex login passwords that must be changed frequently. Unfortunately, not all systems are as rigorous as the financial services industry, and there’s still plenty of opportunity for creating short or lazy passwords.

A second security practice that all employees should know, therefore, is the importance of, and the skill involved in, creating strong passwords that resist easy cracking.

Start by teaching what happens when employees use short, weak passwords, and how software can often easily crack these passwords for unauthorized and sometimes devastating access.

Beyond scaring employees, also help them create strong passwords that pass muster. This includes using long, memorable phrases that only the employee will know, and including a mix of uppercase and lowercase letters, numbers, and special characters.

This is basic, but don’t assume all employees know this even if it is security 101.
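As an added illustration that is not part of the original article: a small Python policy checker that applies the criteria above (length, character-class mix, not on a list of common choices) and estimates the brute-force search space, so the gap between a short password and a long mixed passphrase can be shown in numbers. The length and class thresholds, the guess rate, and the common-password list are assumptions chosen for illustration.

```python
import math
import string

# Constructed illustrative list of commonly chosen passwords (assumption:
# a real deployment would load a published breach-derived list instead).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Policy thresholds and guess rate are assumptions chosen for illustration.
MIN_LENGTH = 12
MIN_CLASSES = 3
ASSUMED_GUESSES_PER_SECOND = 1e10  # offline cracking rig, order of magnitude

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
SPECIALS = string.punctuation + " "


def character_classes(password: str) -> dict:
    """Report which of the four character classes the article recommends appear."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in SPECIALS for c in password),
    }


def search_space_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet actually used)."""
    present = character_classes(password)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if present[name])
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def expected_crack_seconds(password: str) -> float:
    """Expected time to find the password by exhaustive search at the assumed rate."""
    return (2 ** search_space_bits(password) / 2) / ASSUMED_GUESSES_PER_SECOND


def evaluate(password: str) -> dict:
    """Apply the policy; return acceptance, every reason for rejection, and estimates."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("too common")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if sum(character_classes(password).values()) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    return {"accepted": not reasons, "reasons": reasons,
            "bits": round(search_space_bits(password), 1),
            "crack_seconds": expected_crack_seconds(password)}
```

Running `evaluate` on a short mixed password and on a long mixed passphrase makes the point the article is asking trainers to teach: the short one is rejected on length alone, and its estimated search space is many orders of magnitude smaller.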

3. Always Passcode Your Phone

Mobile is now the primary computing platform for many employees, both at home and at work. And while corporate-issued devices might require login passcodes, BYOD devices frequently don’t. That poses a great danger for corporate IT.

So a third security practice that you should teach every employee is the importance of not having open-access devices that can be used without a passcode. It doesn’t matter if that iPad stays at home most of the time and is primarily used for Netflix. If there’s any application or business use on the device, such as email, there had better be a passcode blocking unauthorized use, or corporate data is exposed.

You don’t know when that tablet or old home laptop will travel—or be accessed by a visitor within the home.

4. Never Share Devices or Login Credentials

Sharing is caring, but not when it comes to login accounts or computing devices.

In the age of web services, there’s the tendency to share access by passing around credentials to other employees instead of purchasing additional logins. There’s also the ever-present expediency of sharing devices momentarily in the name of getting things done.

This needs to be unlearned, and you should teach employees the value of role-based access and guest accounts. There’s a reason that employees have different access controls, and why all modern operating systems have guest accounts for when a computer needs to be shared. These security precautions keep systems safe, and employees need to learn that it isn’t about corporate control and accountability as much as it is a form of threat protection.

To this end, Kessem at IBM Security suggests developing a role-based security awareness and training program.

5. Avoid Unknown Networks

Gone are the days when mobile employees only accessed corporate resources through secure virtual private networks. With the mingling of corporate and BYOD devices, and the consumerization of software used for business, employees now often conduct work outside of the office and on any Wi-Fi network they can get their hands on—often unsecured.

And while there might be nothing wrong with sending a work email from Starbucks, these unknown networks can open the door for man-in-the-middle attacks and other ways that hackers can gain access to devices that contain or interface with corporate data.

So a fifth and badly needed security practice that you should teach all employees is the risk that comes from indiscriminately connecting to the internet from any Wi-Fi network offering access.

Using insecure networks such as an unknown Wi-Fi network is just asking for a security breach, says Iyengar at ManageEngine.

Teach employees the dangers of unknown networks, and give them an alternative such as a secure VPN or another way to access online resources while outside the office.

6. See Something, Say Something

Finally, encourage employees to keep their eyes open and watch for anything suspicious. A more alert and aware organization goes a long way toward stopping security breaches before they get out of hand.

“With eyes and ears everywhere, employees can help catch both physical and digital intrusions very early on,” says Kessem, “which will have a positive impact on the entire incident management and response cycle, as well as the company's bottom line!”

Educate and empower employees to watch out for unexpected IT behavior and “strange things” they encounter on the job, and give them a way to easily report anything that looks or feels unusual. Make sure to set the bar low so employees can easily call attention to these potential security issues as needed.

There’s no magic cure for human error, sadly. But a few basics can go a long way. So make sure your employees know these security basics.