When researchers publish findings about massive credential dumps, the headlines tend to focus on the scale of the numbers. But for charities and small businesses, the practical question is simpler: could someone use these stolen passwords to log into your systems right now?
The answer depends almost entirely on whether your staff reuse passwords. If a team member uses the same password for their personal email and your organisation's Microsoft 365 account, a breach of that personal email provider hands attackers the keys to your work systems too. This is called credential stuffing, and it is one of the most common ways small organisations are compromised.
The fix is straightforward. Every work account should have a unique password that is not used anywhere else. A password manager makes this practical even for non-technical staff. Combine unique passwords with multi-factor authentication on all critical accounts and you remove the vast majority of risk from credential leaks.
What to do this week: Ask your team to check their work email address on a breach notification service such as HaveIBeenPwned. Any match should trigger an immediate password change on that account and any other account using the same credentials.
SecureBridge can help you roll out a password management policy and multi-factor authentication across your organisation. Get in touch to book a free cyber health check.