90% of businesses have basically zero IT security. Leaked passwords in regular use and no process or verification for password resets. As soon as someone complains that 2FA or password rotation is difficult it gets dropped. Virtually all company data is stored on USB keys, plaintext hard drives and on staff's personal home devices.
The reason they're not constantly having their data stolen is because no-one cares about the companies either.
Isn't password rotation a horrible practice because it makes people use passwords like "MyNewPassword15" since it's the 15th password reset they've been forced to do?
password rotation is generally not considered a "best practice" but not doing something because it's not a best practice is only a good strategy if you're actually going to follow the best practices. password rotation is less effective than a good password manager and long randomly generated passwords that are unique to each site. requiring passwords be rotated can be an impediment to using strong unique passwords, which is why it's not a good practice.
but a freshly rotated "MyNewPassword15" is a million times better than your password being "password", or being the same thing you use on every sketchy website whose database has been breached a dozen times.
Password rotation for your "emergency" system account (the one that shouldn't be root) still needs to be rotated every time someone with access leaves or changes job roles.
We have a custom backend website I have to log in for my work. You don't have to use a password, just an email address. The only "security" is it's on a weird URL that people wouldn't likely know if they weren't given it.
Password rotation is very insecure. No one should be doing that. I also hate when companies set maximum length for a password, like 12-16 characters. Bitch, my 32 character password is much more secure!
I believe Microsoft’s 365 platform helps a lot in that matter. Even without any security strategy or custom configuration M365 offers a better security level than those businesses could ever reach themselves.
90% if IT Security is theater, including password reset schedules, so even if a company has “policies” in place, I don’t expect any of it to secure anything. Most IT “security” would be better solved with a mandatory class on data security, but for some reason executives and IT depts push these useless policies as if they actually did anything other than make work more frustrating for 90% of people.
Which might explain why medium sized companies that are not completely clean-nosed are happy to run Windows 10 with all its spyware elements running unregulated.
It's also terrible in the government sector, which is why the NSA's huge database on US internet traffic is accessible to rivals like Russia, Iran and China.