[Image: hand holding chalk, chalkboard with two checkboxes, easy and hard; easy is checked.]

This post comes from a personal moment, not from watching a client make a mistake.

I was deep in it this weekend — building automations, three instances of Claude Code open, ideas flying. I was in the zone and I did not want to stop. At one point I had to deal with an API key — basically a special password that lets two tools talk to each other — and instead of immediately handling it properly, I tempted myself: I can just throw it in here, test quickly now, and clean it up later.

I’ll fix it… clean it up… deal with it… later. Sound familiar?

The narrator would interject here: but later never came…

Here's the real problem

It's not that you don't care about security. It's that the moment you're tempted to cut the corner is almost always your best moment — when you're building something, moving fast, and stopping feels like losing momentum.

So you make a small promise. Just this once. Just for now.

And then later never comes. Life fills back up. You forget what you did. And that small shortcut quietly sits there — an unlocked door you walked away from.

That's not recklessness. That's being human and running a business at the same time.

It happens more than you think

Here are ten situations where what seems like the easy thing in the moment is actually the risky thing — and what to do instead:

| The Shortcut | The Real Risk | What to Do Instead |
| --- | --- | --- |
| Reusing the same password everywhere | One breach unlocks everything you own | Use a password manager. It seems like extra work until you start using it, and then you realize you never have to create or remember a strong password again |
| Staying logged into a device | Anyone who picks it up walks right in | Set auto-lock after 2–5 minutes of inactivity |
| Clicking "remind me later" on updates | Unpatched software is a top entry point for attackers | Turn on automatic updates and let them run, and don't forget to restart your machine or app afterward |
| Sharing your login with a contractor | You lose control of who has access, and when | Create a separate account with only the access they need |
| Using personal email for business accounts | Personal accounts have fewer controls and no admin oversight | Keep a dedicated business email with 2FA turned on |
| Skipping backup setup because it feels complicated | One ransomware attack or hard drive failure can wipe everything | Set up automated cloud backup once and let it run |
| Approving app permissions without reading them | Apps can access your contacts, files, and camera unnecessarily | Review permissions quarterly and revoke what you don't recognize |
| Responding to urgent emails without verifying | Urgency is a phishing tactic; it shuts down critical thinking | Pause and verify through a separate channel before clicking anything (there are a number of scanners and skills that can help) |
| Using public Wi-Fi without a VPN | Public networks can be monitored or faked | One tap on a VPN app before you connect is all it takes |
| Skipping account recovery setup | Getting locked out of your own account at the worst time is very real | Add a recovery email and backup phone number today, before you need it |

None of these feel dramatic when you are in a hurry. That's exactly what makes them dangerous.

The thing a good security person actually does

Here's what I want you to take from this — because it matters more than any checklist.

A good security professional doesn't just hand you a list of rules and walk away. They design things for you so that the right thing to do is the easy thing to do. They remove friction from the secure path so you don't have to fight your own workflow to stay protected.

Think about how logging into your phone has changed over time. Early smartphones required a typed PIN every single time, and plenty of people just turned it off — too annoying. Then came fingerprint readers. Then Face ID. The security didn't get weaker. It got frictionless. And because it got frictionless, people actually used it.

That's the same principle we should be building into our businesses.

When your password manager auto-fills a strong password, you don't have to think about it — it just happens. When your laptop auto-locks, you don't have to remember to lock it. When backups run automatically, you don't have to remember to run them. The secure behavior is baked in.

Good tools are moving in this direction too

You've probably already noticed this shift, even if you didn't have a name for it:

  • Passkeys are replacing passwords on many platforms entirely — your device authenticates you, and there is nothing to steal or phish
  • Single Sign-On (SSO) lets you securely access multiple tools with one verified identity instead of juggling separate logins
  • OAuth connections let tools talk to each other without you handing over your actual password
  • Browser warnings flag unsecured sites before you submit anything
  • Email clients surface suspicious senders before you even open the message

These aren't accidents. They are intentional choices made by people who understood that security only works when people actually use it.

How to start making the right thing the easy thing

You don't have to rebuild everything at once. Start here:

  • Set it up once, let it run. Automatic updates, automatic backups, auto-lock on devices — five minutes of setup, protected from here on out
  • Keep your tools close. A password manager on your phone means you never have an excuse to reuse a password
  • Use your calendar as a security assistant. When you share access or grant permissions, drop a 30-day reminder to review it — right then, before you move on
  • Ask this when evaluating a new tool: Does it make the secure option the default, or do I have to dig through settings to find it? That answer tells you a lot about how seriously they take your security

The goal is not to be perfect. The goal is to stop relying on willpower and "I'll fix it later" — and start building systems that protect you whether you remember to or not.

And for the record…

Remember that API key situation I opened with? I realized I wasn't set up in a way that made it easy to save a key quickly and safely in this new way of working — so I invested a few minutes to fix that. I set up the right environment so that next time, the secure option is right there, ready to go. No excuses. No friction. No "I'll do it later."

That's the move. Not perfection. Just making it easier on yourself to do the right thing.