How To Detox Your Data Security Hygiene In 90 Days

Poor password hygiene and other insecure authentication habits continue to be a weak link for employer data security. Here are some alarming statistics from different surveys compiled by helpnetsecurity.com:

  • Common Authentication Methods: 39 percent of people believe that username and password are the most secure, and 37 percent think mobile SMS-based authentication is the most secure, both of which are highly susceptible to phishing attacks.
  • Employee Onboarding: 34 percent of employees did not receive instructions to secure their work accounts with more than just a username and password when they first started at their company.
  • Fraud Prevention Methods: Multifactor authentication (48 percent) and the use of passwords (45 percent) are the most used fraud prevention methods.
  • Password Management: 25 percent of respondents globally reuse passwords across 11 to 20+ accounts, and 36 percent admit to building their credentials from personal information that is publicly accessible on social media platforms and online forums.
  • Security Breaches: 19 percent of global users admitted to having experienced a security breach or data loss due to their password habits, and 23 percent confirmed their passwords had been stolen or compromised in the past.
  • Password Cracking: Length alone does not protect a password; longer passwords are still falling to intensive cracking efforts.
  • Organizational Practices: 88 percent of organizations still use passwords as their primary method of authentication, and only 50 percent of organizations scan for compromised passwords more than once a month.
  • Stolen Credentials: Verizon estimates stolen credentials are involved in 44.7 percent of all data breaches, and there's a thriving underground marketplace for stolen data and credentials.
  • Password Reuse: Researchers found a 74 percent password reuse rate for users exposed in two or more breaches in the last year.

https://www.helpnetsecurity.com/2024/10/01/weak-password-practices/

Commentary

The surveys provide a bleak data security picture for employers heading into 2025. Nevertheless, employers can take several steps within the next 90 days to enhance their cybersecurity posture and lower the risks associated with weak password practices. Here are some effective measures:

First 30 Days

  • Conduct a Security Audit: Assess the current state of your organization's security practices, focusing on authentication methods and password management.
  • Employee Onboarding: Make sure employees know your cybersecurity policies and procedures, including password and notification policies.
  • Employee Training: Initiate training programs to educate employees about the risks of weak passwords and the importance of using strong, unique passwords for different accounts. Emphasize the dangers of password reuse and the use of personal information in credentials.
  • Mandatory Multi-Factor Authentication ("MFA"): Require MFA for all employee accounts, including email, VPN access, and other critical systems. This should combine two or more of the following: something the user knows (password), something the user has (hardware security key or authenticator app), and something the user is (biometric verification). Prefer phishing-resistant factors such as FIDO2/WebAuthn security keys or passkeys; SMS codes, which the survey shows many users wrongly regard as the most secure option, can be intercepted or phished and should be a fallback at most.

Next 30 Days

  • Review and Enforce Strong Password Policies: Align the policy with current NIST SP 800-63B guidance: require length (a minimum of at least 8 characters, with long passphrases allowed) and screen every new or changed password against lists of commonly used, expected, or compromised passwords. Drop mandatory composition rules (forced mixes of upper- and lower-case letters, numbers, and symbols) and scheduled password expiration; both push users toward predictable patterns and reuse. Require a change only when there is evidence the password has been compromised.
  • Password Management Tools: Deploy password management solutions that securely store and manage passwords. Encourage employees to use these tools to generate and store strong, unique passwords for each of their accounts.
  • Compromised Password Scanning: Check passwords against breach corpora both at the moment they are set or changed and on a recurring schedule, at least monthly (the survey found only half of organizations do even that). Require an immediate change of any password found to be compromised.
  • Security Monitoring: Enhance monitoring for suspicious login attempts and other security anomalies, using tools that provide real-time alerts and responses.
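As an added example (not from the original post or from Help Net Security), the following Python sketch shows how the length rule and the compromised-password check above can be applied together whenever a password is set or changed. It uses the k-anonymity range model popularised by the Pwned Passwords service: only the first five hex characters of the password's SHA-1 hash are disclosed to the lookup service, and the match against the returned suffixes happens on the client, so the service never learns the password or its full hash. The breached-password corpus, its counts, the 8-character minimum and the offline fetcher are all constructed for illustration; a real deployment would replace `offline_fetch_range` with an HTTP GET to the range endpoint and leave everything else unchanged.

```python
"""Added example: vet a candidate password with a length floor and a k-anonymity
breached-password lookup. Corpus, counts and fetcher are constructed; runs offline."""
import hashlib
from typing import Callable

MIN_LENGTH = 8  # assumed policy floor (NIST SP 800-63B minimum for user-chosen passwords)

# Constructed "breached" corpus with made-up prevalence counts. In production the counts
# come from a breach corpus such as the Pwned Passwords range API.
BREACHED_PASSWORDS = {
    "password": 9_545_824,
    "Summer2024!": 1_203,
    "correcthorsebatterystaple": 412,  # long, yet still breached: length alone is not safety
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the key the Pwned Passwords corpus is indexed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix that is sent to the server, 35-char suffix kept on the client)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def build_range_index(corpus: dict[str, int]) -> dict[str, str]:
    """Build a prefix -> response-body map shaped like the range API output
    ("SUFFIX:COUNT" per line). Stands in for the remote service so the example runs offline."""
    index: dict[str, list[str]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(sorted(lines)) for prefix, lines in index.items()}


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def offline_fetch_range(prefix: str) -> str:
    """Constructed fetcher. A real one would GET https://api.pwnedpasswords.com/range/<prefix>
    and return the response body; the caller never sends more than the 5-char prefix."""
    return RANGE_INDEX.get(prefix, "")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: disclose the prefix, match the suffix locally, return the count."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def vet_password(password: str, fetch_range: Callable[[str], str] = offline_fetch_range) -> tuple[bool, str]:
    """Apply the cheap local rule first, then the breach lookup; return (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"too short: {len(password)} < {MIN_LENGTH}"
    n = breach_count(password, fetch_range)
    if n:
        return False, f"seen in {n} breach records; choose a different password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["short1", "password", "correcthorsebatterystaple", "kiln-orbit-velvet-37-quarry"]:
        print(f"{pw!r}: {vet_password(pw)}")
```

The same `vet_password` routine serves both the set-time check and the monthly sweep: for the sweep, iterate over stored hashes instead of plaintexts and skip `sha1_hex`, since the corpus is keyed on the hash.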
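Also as an added example (again not part of the original post), here is a minimal detector for the two login patterns that the survey statistics make most likely: password spraying, where one source tries a guess or two against many accounts to exploit reused and weak passwords without tripping per-account lockouts, and brute forcing of a single account, flagged with extra urgency when a success follows the failures. The log format, the sample lines and the thresholds are constructed assumptions; production rules would read the identity provider's own event schema.

```python
"""Added example: flag password-spray and brute-force patterns in authentication events.
Log lines, format and thresholds are constructed; not from any real system or product."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # assumed correlation window
SPRAY_MIN_USERS = 5            # assumed: one source failing against this many distinct accounts
BRUTE_MIN_FAILS = 8            # assumed: this many failures against one account inside WINDOW

# Constructed sample log: "<ISO-8601 UTC> <OK|FAIL> <user> <source IP>" (documentation IPs).
SAMPLE_LOG = """\
2024-10-02T08:00:01Z FAIL alice 203.0.113.5
2024-10-02T08:00:03Z FAIL bob 203.0.113.5
2024-10-02T08:00:05Z FAIL carol 203.0.113.5
2024-10-02T08:00:07Z FAIL dave 203.0.113.5
2024-10-02T08:00:09Z FAIL erin 203.0.113.5
2024-10-02T08:00:11Z FAIL frank 203.0.113.5
2024-10-02T08:00:13Z OK grace 203.0.113.5
2024-10-02T08:01:00Z FAIL heidi 198.51.100.7
2024-10-02T08:01:02Z FAIL heidi 198.51.100.7
2024-10-02T08:01:04Z FAIL heidi 198.51.100.7
2024-10-02T08:01:06Z FAIL heidi 198.51.100.7
2024-10-02T08:01:08Z FAIL heidi 198.51.100.7
2024-10-02T08:01:10Z FAIL heidi 198.51.100.7
2024-10-02T08:01:12Z FAIL heidi 198.51.100.7
2024-10-02T08:01:14Z FAIL heidi 198.51.100.7
2024-10-02T08:01:16Z FAIL heidi 198.51.100.7
2024-10-02T08:01:18Z FAIL heidi 198.51.100.7
2024-10-02T08:05:00Z OK heidi 198.51.100.7
2024-10-02T09:30:00Z FAIL ivan 192.0.2.9
2024-10-02T09:35:00Z OK ivan 192.0.2.9
"""


def parse_log(text):
    """Parse into (timestamp, outcome, user, src) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, outcome, user, src))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events):
    """One source, many distinct accounts failing inside WINDOW. Each account sees only a
    guess or two, so per-account lockouts never fire; grouping by source catches it."""
    by_src = defaultdict(list)
    for when, outcome, user, src in events:
        if outcome == "FAIL":
            by_src[src].append((when, user))
    alerts = []
    for src, fails in by_src.items():
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            best = max(best, len({u for _, u in fails[start:end + 1]}))
        if best >= SPRAY_MIN_USERS:
            # Accounts the spraying source did log into: the ones to reset first.
            landed = sorted({u for _, o, u, s in events if s == src and o == "OK"})
            alerts.append(("SPRAY", src, best, landed))
    return alerts


def detect_brute_force(events):
    """Many failures against one account inside WINDOW; a later success from one of the
    same sources is flagged, since that is the case to triage first."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        best, best_start, best_end, start = 0, 0, 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            if end - start + 1 > best:
                best, best_start, best_end = end - start + 1, start, end
        if best >= BRUTE_MIN_FAILS:
            srcs = {e[3] for e in fails[best_start:best_end + 1]}
            later_ok = any(e[1] == "OK" and e[0] > fails[best_end][0] and e[3] in srcs for e in evs)
            alerts.append(("BRUTE_FORCE", user, best, later_ok))
    return alerts


def analyze(text):
    """Run both detectors over raw log text and return the combined alert list."""
    events = parse_log(text)
    return detect_spray(events) + detect_brute_force(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log the spray rule fires for 203.0.113.5 (six accounts in ten seconds, with a successful login to `grace` from the same source) and the brute-force rule fires for `heidi` (ten failures, then a success from the attacking address), while `ivan`'s single mistyped password stays quiet. Tuning the two thresholds against a week of real logs is the first job of the "real-time alerts" the bullet above calls for.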

Final 30 Days

  • Offboarding: Make deactivation of all access immediate on departure, including disabling the directory account, revoking active SSO and VPN sessions, removing enrolled MFA devices, and rotating any shared passwords, API keys, or service credentials the departing employee knew. Then review that no access path was missed.
  • Policy Reviews: Establish a routine for reviewing and updating security policies, making sure they align with the latest cybersecurity best practices.
  • Employee Feedback: Gather feedback from employees regarding the effectiveness of the new measures and make necessary adjustments.

The final takeaway: do not stop after 90 days. Instill a security culture by continuing to onboard, train, and maintain your security standards for your data and systems.