Finally, the company should have enforced a strong password policy that would have prevented our heroes from finding dozens of accounts with “winter2023!” as the password.
NIST SP 800-63B states that mandatory password change requirements are no longer recommended outside of breaches unless you handle PII information. The issue is that mandatory password changes cause users to resort to incredibly simple passwords or variants of easy passwords.
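The two comments above describe the same control from both sides: screen secrets against known-bad choices at the moment they are set (so "winter2023!" never gets through), and stop forcing calendar rotation, which is what drives people to season+year passwords in the first place. As an added illustration, not code from either commenter, here is a small 800-63B style screening routine. The `BREACHED` and `CONTEXT_WORDS` lists are constructed stand-ins for a real breached-password corpus and the organisation's own names; the hypothetical company name `acmecorp` is invented for the example.

```python
"""
Password screening in the spirit of NIST SP 800-63B: length bounds, a blocklist of
breached/common secrets, organisation-specific words, and the "season + year" habit.
Constructed example; the word lists are tiny stand-ins for real corpora.
"""
import re

MIN_LENGTH = 8   # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # leave room for long passphrases

# Constructed stand-ins. A real deployment screens against a full breached-password
# corpus and the organisation's own names (company, products, hostnames).
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou"}
CONTEXT_WORDS = {"acmecorp", "welcome", "password"}  # 'acmecorp' is hypothetical

# A season name, optional separators, a four-digit year, optional trailing symbols.
SEASON_YEAR = re.compile(
    r"^(spring|summer|autumn|fall|winter)[^a-z]*(19|20)\d{2}[^a-z]*$", re.IGNORECASE
)

# Substitutions people apply to dodge naive dictionary checks ("P@ssw0rd").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "$": "s", "@": "a"})


def base_forms(pw):
    """Candidate 'base words' hidden inside a secret.

    'Welcome2023!' -> {'welcome', 'welcomeoe'}; 'P@ssw0rd' -> {'psswrd', 'password'}.
    Both the digit-stripped and the de-leeted form are returned so that either
    appending digits or substituting symbols for letters is caught.
    """
    lowered = pw.lower()
    stripped = re.sub(r"[^a-z]", "", lowered)
    unleeted = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    return {stripped, unleeted} - {""}


def screen(pw, breached=BREACHED, context=CONTEXT_WORDS):
    """Return the list of reasons a candidate secret is rejected; empty means accepted.

    No composition rules (upper/lower/digit/symbol) are applied: 800-63B advises
    against them, and a long passphrase passes on length alone.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        reasons.append("longer than %d characters" % MAX_LENGTH)
    forms = base_forms(pw) | {pw.lower()}
    if forms & breached:
        reasons.append("matches breached/common password list")
    if base_forms(pw) & context:
        reasons.append("context-specific word with digits or symbols added")
    if SEASON_YEAR.match(pw):
        reasons.append("season followed by a year")
    return reasons


if __name__ == "__main__":
    # Constructed candidates a help desk might see after a forced-rotation policy.
    for candidate in ["winter2023!", "Welcome2023!", "P@ssw0rd",
                      "correct horse battery staple", "abc"]:
        verdict = screen(candidate)
        print("%-30s %s" % (candidate, "OK" if not verdict else "; ".join(verdict)))
```

Run this at password-set time (and, for an existing estate, as an offline audit when a breached corpus is refreshed); the decision to force a change is then driven by a hit against the blocklist, not by the calendar.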
In our previous downtown office, we had a couple unscrupulous fellows let themselves through the lobby "security" and into our office suite. Some employees caught them before anything got stolen. Now the new building lets nobody through unless you have a badge or explicit visitor invite.