–Have strong protections in place for any user credentials. At a minimum, passwords should be hashed (converted from plain text) and the databases encrypted. Better still, “salt” passwords by adding random strings before storing them.
–Require users create strong, long passwords.
–Offer enhanced account protections, such as SMS warnings when a user’s account is accessed from a suspect IP address or unknown device.
–Embrace multifactor authentication. If it is not a compulsory mechanism, at least start rolling it out in stages, starting with your most sensitive applications and highest-risk end users.
–Conduct regular audits and security reviews
–Require users create strong, long passwords.
–Offer enhanced account protections, such as SMS warnings when a user’s account is accessed from a suspect IP address or unknown device.
–Embrace multifactor authentication. If it is not a compulsory mechanism, at least start rolling it out in stages, starting with your most sensitive applications and highest-risk end users.
–Conduct regular audits and security reviews
(From CIO.com)