Password Security and Data Breaches: Why an Aware Workforce Makes for a Secure Organisation

Today, almost every aspect of our lifestyle is connected and integrated through digital platforms, from digital payments to video conferences and now daily work-from-home set-ups. As our daily lives become increasingly digital, the risk of identity theft and of falling victim to data breaches has also increased.

In 2020, when most of the world was heavily reliant on video conferencing, Forbes reported that Zoom was hit by a credential stuffing attack that compromised 500,000 user accounts. Security researchers found that the attackers drew on old password databases sold on dark web markets, some dating back as far as 8 years, i.e. to 2013.

Today, many companies have dedicated significant resources to enhancing their security and protecting their confidential data from attack. However, a large proportion of organisations remain susceptible to data breaches. According to research by SpyCloud, 74% of employees working for Fortune 1000 telecom companies reuse passwords across multiple accounts. While many assume that a combination of symbols, capitalisation and alphanumerics in their password will protect them from data breaches, the harsh truth is that it does not offer sufficient security. Password reuse is poor password hygiene: naturally, nobody wants to maintain a long list of complex passwords, so we reuse them for convenience. This practice, however, is a weak link in your security posture.

Weak passwords pose a challenge to your organisation because they lead to account takeover (ATO) and credential stuffing attacks, two security threats that often go hand in hand. Identity theft has always been a concern because it usually leads to leakage of confidential corporate data, sensitive credentials and more. These attacks can cause significant damage to companies, and there is no doubt that we can do more about them by enforcing best practices within the organisation.

The future of identity theft and the potential for misuse 

The rise of cryptocurrencies has fuelled dark web services, as people can now conduct transactions anonymously. With ever more sophisticated means of anonymous transaction, catching cyber criminals is a continuous game of cat and mouse.

In 2020 alone, major brands such as Microsoft, Estee Lauder and Twitter exposed unsecured databases that disclosed millions of Personally Identifiable Information (PII) records. The disclosed information could include customer names, email addresses and sensitive information such as credit card details.

Discovery and Notification

1. Use multi-factor authentication

In today's threat landscape, passwords alone will not provide enough security for your organisation. Weak passwords are one of an attacker's favourite weapons: according to WatchGuard, 81% of global cyberattacks exploit weak passwords.

Multi-factor authentication adds a further layer of security, as it prevents most cyber criminals from easily gaining an initial foothold in your organisation's confidential data with a stolen password alone. The additional factor could be a text or email security code, a physical security token, biometrics, or security questions. Note that these factors are not equally strong: text-message codes and security questions are far easier for an attacker to intercept or guess than a physical token or biometrics.

2. Limit account access attempts

In a credential stuffing attack, bots and other automation are typically used to submit thousands of stolen credentials. To limit attackers' ability to do this, your organisation should establish security policies that lock an account after a certain number of failed logins. Because a lockout policy can itself be abused to lock legitimate users out, pair it with rate limiting and alerting rather than relying on lockout alone.

3. Alert on unrecognised new devices and suspicious logins

An ATO attack often takes place from a new, unrecognised device. To counter this, organisations can use cookies or IP addresses to remember approved devices and logins.

Enforce settings that send the user an email or text message alert when someone logs into their account. Strong authentication policies let your users confirm that every login attempt is legitimate, allowing your organisation to discover illicit activity and carry out corrective measures.
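As an added example (not Alyne's code and not part of the original post), the following Python sketch shows how points 2 and 3 can be enforced at a login endpoint: a per-account failure counter that locks after a threshold, a per-source check that raises an alert when one IP fails against several accounts (the bot-driven credential stuffing pattern described above), and a new-device alert keyed on a cookie-bound identifier. The thresholds, account names and IP addresses are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
MAX_FAILED = 5         # assumed per-account lockout threshold; the post names no number
STUFFING_ACCOUNTS = 3  # assumed: one source failing against this many accounts looks like stuffing


@dataclass
class LoginEvent:
    user: str
    ip: str
    device_id: str  # identifier stored in a cookie when a device was last approved
    success: bool


@dataclass
class AccountGuard:
    failures: dict = field(default_factory=lambda: defaultdict(int))
    failed_users_by_ip: dict = field(default_factory=lambda: defaultdict(set))
    locked: set = field(default_factory=set)
    known_devices: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)
    def process(self, ev: LoginEvent) -> str:
        if ev.user in self.locked:
            return "locked"  # a locked account refuses every attempt, even a correct password
        if not ev.success:
            self.failures[ev.user] += 1
            src = self.failed_users_by_ip[ev.ip]
            src.add(ev.user)
            if len(src) >= STUFFING_ACCOUNTS and ("credential_stuffing", ev.ip) not in self.alerts:
                self.alerts.append(("credential_stuffing", ev.ip))  # raised once per source IP
            if self.failures[ev.user] >= MAX_FAILED:
                self.locked.add(ev.user)
                self.alerts.append(("lockout", ev.user))
                return "locked"
            return "failed"
        self.failures[ev.user] = 0  # a successful login resets the per-account counter
        if ev.device_id not in self.known_devices[ev.user]:
            self.alerts.append(("new_device", ev.user, ev.ip))  # email/text the user to confirm
            self.known_devices[ev.user].add(ev.device_id)
            return "ok_new_device"
        return "ok"


def run_sample():
    """Constructed events: a stuffing bot at 203.0.113.9, then alice from a new device."""
    guard = AccountGuard()
    guard.known_devices["alice"].add("dev-a1")  # device approved at enrolment
    events = [LoginEvent("alice", "198.51.100.4", "dev-a1", True)]
    events += [LoginEvent(u, "203.0.113.9", "bot", False) for u in ("alice", "bob", "carol")]
    events += [LoginEvent("bob", "203.0.113.9", "bot", False) for _ in range(4)]
    events.append(LoginEvent("bob", "203.0.113.9", "bot", True))  # right password, but locked
    events.append(LoginEvent("alice", "198.51.100.77", "dev-a2", True))
    return [guard.process(e) for e in events], guard
```

In a real deployment the new-device approval should wait for the user to confirm the alert, and the lockout should be combined with rate limiting so an attacker cannot use it to lock out legitimate users.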

Alyne’s Approach 

A security-aware workforce is a critical component of a secure organisation. In Alyne, we have dedicated Controls mapped to standards, laws and regulations in data privacy, security and data loss prevention, helping you to follow a best practice approach. We believe that employee awareness is pivotal to the organisation's protection and so we have placed a great emphasis on Alyne's ability to run large-scale Assessments in order to assess maturity and understanding, further enabling you to know where to focus your data protection efforts. 

Alyne has a number of out-of-the-box Control Sets that address topics such as Data Loss Prevention, Data Protection and Data Privacy in compliance with legal requirements from major global jurisdictions, such as GDPR, the UK Privacy Act and more. Alyne's Controls are customisable, allowing you to create the Controls that best suit your organisation's areas of concern.

Alyne's highly scalable Assessment templates enable you to regularly assess maturity across your organisation and follow the correct process should a risk event occur. Business leaders can assess their data privacy baseline at scale, analyse deviations in desired maturity, and have a clearer view of where to focus their attention in improving their security measures.

In Alyne, risk and compliance managers are also guided by an intuitive visualisation of expected versus assessed maturity results. Radar Diagram Reports in Alyne help them to quickly and easily understand their threat landscape in the context of the topics that were assessed. More importantly, the Radar Reports offer tangible value by showing organisations where to focus their attention in order to strategically close the gap and reach their desired level of security.

To learn more about how you can protect and enhance your data privacy and online security while meeting the requirements of the EU GDPR, UK DPA and USA CCPA with Alyne's capabilities, contact our team.

Eunice Cheah
