Most of us have made New Year’s resolutions. We decide to exercise more, eat better, or get enough sleep. But by mid-February, many of these plans collapse.
You’d think we failed because we didn’t know how to stay healthy. Yet every magazine cover and podcast says the same thing: “Walk more, cut back on sugar, get eight hours of sleep.”
The problem isn’t awareness; it’s consistency.
Cybersecurity is similar. We’re all told: “Don’t click suspicious links,” “Use strong passwords,” and “Think twice before you share personal data.” We know this.
But priorities and incentives are real. In the moment, we don’t care; the task in front of us feels more important, so we don’t follow through.
It reminds me of all the well-meaning awareness campaigns that bombard us: “Look out for phishing!” or “Create unique passwords!” These slogans are everywhere.
And breaches still happen.
It’s not that people haven’t heard the warnings; they simply don’t act on them, and oftentimes for very understandable reasons.
We need a different approach, one that keeps us from drifting back to our old habits.
James Clear’s work on habit-building gives us a clue. In Atomic Habits, he argues that good habits should be easy, obvious, and satisfying. That’s how we end up flossing regularly or finally sticking to a workout routine.
Instead of trying to summon heroic willpower to avoid every phishing scam and malicious program, or to stamp out every security flaw, we can shape our daily environment so that good security practices become the natural choice. One meaningful shift can start a chain reaction.
A clear place to start is password reuse. It’s the cybersecurity equivalent of eating fast food every day: quick and convenient, and so is using the same password on multiple sites. You don’t need an expert to see the danger in either. Once one site leaks that password, every other account that shares it is exposed.
That’s where password managers help. They store credentials securely, autofill them when needed, and remove the headache of remembering every single one. Once you get used to the autofill option across all your devices, it’s surprisingly satisfying. It’s also obvious: you only need to keep track of one master password.
For businesses, the principle is similar, but the stakes are larger. Companies can’t depend on every employee’s vigilance or hope that nobody ever clicks the wrong link. It’s far better to rely on strong systems such as the business- and enterprise-tier licenses of Google Workspace or Microsoft 365, which come with built-in security defenses.
Deploying two-factor authentication raises the effort an attacker needs to compromise an account even after a reused password has been guessed or leaked. The technology carries the burden instead of the user.
Small changes in cybersecurity create momentum. Someone who tries a password manager and sees how convenient it is might also add two-factor authentication to their most important accounts.
In a business, once leadership sees how enterprise licenses and security features can reduce data breaches, they’re more likely to invest in other protective measures. That’s the trick with habits. The first one sets off a series of others.
If you’re an individual, start by downloading a password manager like Bitwarden or 1Password and securing your top three accounts—email, banking, and social media. You don’t have to master every best practice on day one.
If you run a business, audit your current setup and consider enterprise-grade solutions. Ask how your technology teams grade their own homework.
Each move adds a layer of protection, and you don’t have to be perfect.
This is how cybersecurity habits stick. Telling everyone to “stay aware” only goes so far. Sustainable practices matter more than good intentions. And once you see real progress, the rest follows.
So here’s a challenge: pick one small step, whether it’s installing a password manager or turning on two-factor authentication.
Let that spark the next one. Over time, those tiny shifts lead to bigger change—both for you and, if you run one, your organization.