Password Security and Data Breaches: Why an Aware Workforce Makes for a Secure Organisation

Today, almost every aspect of our lifestyle is connected and integrated through a digital platform - from digital payments to video conferences and now, daily work-from-home set-ups. As our daily lives become increasingly digital, the risk of identity theft and of falling victim to data breaches has also heightened.

In 2020, when the majority of the world was heavily reliant on video conferences, Forbes reported that Zoom was hit by a credential stuffing attack that compromised 500,000 user accounts. Security researchers found that the attackers retrieved old password databases sold on dark web markets, some of them dating as far back as 8 years, i.e. to 2013.

Today, many companies have dedicated and invested significant resources to enhance their security and protect their confidential data from uninvited attacks. However, a large proportion of organisations remain susceptible to data breaches. According to research by SpyCloud, 74% of employees working for Fortune 1000 telecom companies reuse passwords across multiple accounts. While many may assume that a combination of symbols, capitalisation and alphanumerics in their password will protect them from data breaches, the harsh truth is that it does not offer sufficient security. The tendency to reuse passwords results in poor password hygiene. Naturally, nobody wants to end up with a long list of complex passwords, so we reuse them for convenience. However, this practice is a weak link in your security posture.

Weak passwords pose a challenge to your organisation because they lead to account takeover (ATO) and credential stuffing attacks – two security threats that often go hand in hand. Identity theft has always been a concern as it usually leads to leakage of confidential corporate data, sensitive credentials and more. These attacks can cause significant damage to companies, and there is no doubt that we can do more about it by enforcing best practices within the organisation.

The future of identity theft and the potential for misuse 

The rise of cryptocurrencies has fuelled dark web services, as people can now conduct transactions anonymously. With more sophisticated means of anonymous transactions, catching cyber criminals is a continuous game of cat and mouse.

In 2020 alone, big brand houses such as Microsoft, Estee Lauder and Twitter exposed unsecured databases that disclosed millions of records of Personally Identifiable Information (PII). The disclosed information may include customer names, email addresses, sensitive information such as credit card details and more.

Discovery and Notification

1. Use multi-factor authentication

In today’s threat landscape, passwords alone will not provide enough security for your organisation. Weak passwords are one of the hacker’s top choices of weapon. In fact, according to WatchGuard, 81% of global cyberattacks exploit weak passwords.

In this case, multi-factor authentication adds an additional layer of security to your organisation, as it prevents most cyber criminals from easily gaining an initial foothold in your organisation's confidential database. The additional factor could be a text or email security code, a physical security token, biometrics, or security questions.

2. Limit account access attempts

In a credential stuffing attack, bots and other automated tools are usually used to submit thousands of credentials. To limit attackers’ ability to do this, your organisation should establish security policies that lock an account after it reaches a certain number of failed logins.

3. Alert unrecognised new devices and suspicious logins

An ATO attack often originates from a new, unrecognised device. To counter this, organisations may use cookies or IP addresses to remember approved logins.

Enforce settings that send an email or text message alert when someone tries to log into an account. Strong authentication policies allow your users to confirm that every login attempt is legitimate, and allow your organisation to discover illicit activity and carry out corrective measures.
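As an added illustration (not Alyne's code and not from the original post), the following Python monitor applies controls 2 and 3 above to a constructed stream of login events: it locks an account after a fixed number of consecutive failed logins and raises an alert the first time a successful login arrives from a device the account has not used before. The threshold, the lockout window and the event format are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5        # assumed policy: lock after this many consecutive failures
LOCKOUT_SECONDS = 900   # assumed policy: 15-minute lockout


@dataclass
class AccountState:
    failures: int = 0               # consecutive failed attempts since last success
    locked_until: float = 0.0       # epoch seconds; 0 means not locked
    known_devices: set = field(default_factory=set)


class LoginMonitor:
    def __init__(self):
        self.accounts = defaultdict(AccountState)
        self.alerts = []            # messages that would go out by email or SMS

    def handle(self, event):
        """event: {"user", "ts" (epoch seconds), "device", "success" (bool)}."""
        acct = self.accounts[event["user"]]
        ts = event["ts"]
        if ts < acct.locked_until:
            return "locked"         # rejected before the password is even checked
        if not event["success"]:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = ts + LOCKOUT_SECONDS
                acct.failures = 0
                self.alerts.append(f"LOCKOUT user={event['user']} device={event['device']}")
                return "locked"
            return "failed"
        acct.failures = 0           # a success resets the failure counter
        if event["device"] not in acct.known_devices:
            acct.known_devices.add(event["device"])
            self.alerts.append(f"NEW_DEVICE user={event['user']} device={event['device']}")
            return "success_new_device"
        return "success"


# Constructed sample: a stuffing burst from "bot-1", then the real user on a new laptop.
SAMPLE_EVENTS = [
    *[{"user": "alice", "ts": t, "device": "bot-1", "success": False} for t in range(5)],
    {"user": "alice", "ts": 5, "device": "bot-1", "success": True},     # correct guess, but locked out
    {"user": "alice", "ts": 1000, "device": "laptop-1", "success": True},
    {"user": "alice", "ts": 1001, "device": "laptop-1", "success": True},
]


def run_sample():
    monitor = LoginMonitor()
    return [monitor.handle(e) for e in SAMPLE_EVENTS], monitor.alerts
```

Note that a consecutive-failure lockout on its own can be used to lock legitimate users out of their accounts, so production deployments usually pair it with per-source rate limiting.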

Alyne’s Approach 

A security-aware workforce is a critical component of a secure organisation. In Alyne, we have dedicated Controls mapped to standards, laws and regulations in data privacy, security and data loss prevention, helping you to follow a best-practice approach. We believe that employee awareness is pivotal to the organisation's protection, so we have placed great emphasis on Alyne's ability to run large-scale Assessments that measure maturity and understanding, enabling you to know where to focus your data protection efforts.

Alyne has a number of out-of-the-box Control Sets that address topics such as Data Loss Prevention, Data Protection and Data Privacy in compliance with legal requirements from major global jurisdictions, such as GDPR, the UK Privacy Act and more. Alyne's Controls are customisable, allowing your organisation to create the Controls that best suit your organisation’s area of concern.



Alyne's highly scalable Assessment templates enable you to regularly assess maturity across your organisation and follow the correct process should a risk event occur. Business leaders can assess their data privacy baseline at scale, analyse deviations in desired maturity, and have a clearer view of where to focus their attention in improving their security measures.


In Alyne, risk and compliance managers are also guided by an intuitive visualisation of expected versus assessed maturity results. Radar Diagram Reports in Alyne help them quickly understand their threat landscape in the context of the topics that were assessed. More importantly, the Radar Reports offer tangible value by showing organisations where to focus their attention in order to strategically close the gap and reach their desired level of security.

To learn more about how you can protect and enhance your data privacy and online security while meeting the requirements of the EU GDPR, UK DPA and USA CCPA with Alyne's capabilities, contact our team.

Eunice Cheah
