Don’t Use Personal Passwords at Work

If you are a business owner or someone responsible for compliance, this topic should be addressed in your employee manual and in your IT Security Policy. We hear about new breaches in the news every day, in which credentials are stolen from unsuspecting users. The credentials and other stolen personal information are then sold through underground, black-market websites.

As an example of the risk, suppose PayPal or Amazon has a breach and you are among the unlucky users whose information was stolen, but luckily, your account was not affected. You are notified about the issue, and the breached organization recommends or requires that you change your password. In all likelihood, you used that password on other personal sites, so a good practice would be to change that common password on all accounts where it is used. An even better practice is to have different passwords for all your different accounts and to change them on a regular basis.

It could be months or even years before someone who purchased a list that has your user credentials on it gets around to trying them out, and if you still have the same password, they are in. If they find that your credentials worked for one site, you will become a person of interest to them, because they know that you are probably using the same credentials on other sites, and most likely also using them at work. Help protect your organization by not using passwords at work that are also used for personal accounts. It is up to the organization to teach users about the threats that are out there and to keep them aware of those threats.

Posted by Chris Elrod