When you’re catching up on the news, it’s become all too common to see stories about new breaches—all of which result in the theft of customers’ personal and financial information from businesses of all sectors. If you’re a regular reader of my column, you’ve probably gotten past the fallacy of thinking “that can’t happen to me”, but there’s still something very detached about it all. Even when you get a letter or email notifying you that your information has been stolen from an online service you use, it happens so often that you have a hard time seeing the urgency.

Unfortunately, as a stakeholder in your business, there could be urgency in every breach—even when it involves companies with no direct relationship to your own organization. You and your employees have accounts on systems across the Internet. Some of these sites may be work-related, such as those run by your vendors. Others, such as web-based email, social networking, and streaming media, are personal.

A breach in any of these services represents a threat to your business as well, even in services that are strictly for personal use and never touched at work. The issue I’m talking about here is password reuse. As password policies demand longer and more complex strings of numbers, letters, and symbols, users have a more difficult time committing them to memory. Most individuals will commit one password, maybe two, to memory, and then reuse them across multiple services and systems.

Password reuse is a dangerous practice. Attackers are well aware of this aspect of human nature and take advantage of it. If they are able to obtain a user’s password for one service, they will soon try that same password on every other one of the user’s systems and services. Breaches of large companies are often leaked onto the public Internet after the attackers have rinsed all the profit and intelligence they wanted to gather. This covers the attacker’s tracks by making it less suspicious to find the data on their own drives in the event of forensic analysis, and by having other attackers generate a lot of network activity and fraud related to the data.

These attacks will spread to your business’s systems as well; of that you can be sure. On most of the penetration tests we conduct, we demonstrate to our clients how the database of breach credentials we have collected can be used against them. It’s common to find that employees were victimized in the LinkedIn breach of 2012, and that their corporate email accounts use the same password. How many of your employees have been victimized in recent years’ breaches? And how many of those reuse passwords across multiple systems?

This can be a difficult problem to address. Password length and complexity requirements do not prevent people from using the same password on their social media accounts. At a minimum, you should have a stated policy, backed by user education, that employees’ passwords are not to be reused outside of the organization. This can be supported with training in password management tools, such as KeePass, that make juggling multiple passwords a lot easier for the user. Requiring users to change passwords periodically may help matters, but if you do it too frequently, users will tend toward predictable schemes for modifying their reused password each time. Checking employee accounts against collected breach databases should be part of your penetration test.

The next time you read about a new high-profile breach, don’t just ask “what’ll I do when it’s me?” Address the impact that breach will have on you. And take action.
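As an added example (not from the column, and not any real tool), the Python below performs the kind of audit described above: it checks a set of corporate accounts against a locally held breach corpus and reports which addresses appear in the dump and which current passwords match a leaked one. The breach corpus and the corporate directory are constructed sample values, and the hash-prefix lookup mimics a k-anonymity range query so that a full password hash never has to be sent to a lookup service.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus (hypothetical, not real data): leaked (email, password) pairs.
BREACH_CORPUS = [
    ("alice@example.com", "Summer2012!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
    ("someone@else.example", "Summer2012!"),
]

# Constructed directory: alice reused her leaked password, bob picked a new one,
# dave was never breached but chose a password that someone else leaked.
CORPORATE_ACCOUNTS = {
    "alice@example.com": "Summer2012!",
    "bob@example.com": "Tr0ub4dor&3",
    "dave@example.com": "hunter2",
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Index breached password hashes by their first five hex digits, the
    split used by k-anonymity range queries: the client reveals only the
    prefix and compares the rest of the hash locally."""
    index = defaultdict(set)
    for _, password in corpus:
        h = sha1_hex(password)
        index[h[:5]].add(h[5:])
    return index

def password_is_breached(index, password: str) -> bool:
    """Simulated range query: fetch every suffix under the prefix, then match."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())

def audit_accounts(corpus, accounts):
    """Per corporate account, report whether the address appears in the breach
    corpus and whether its current password is one that has been leaked.
    `accounts` is {email: password}; in practice this runs inside the
    password-change hook so plaintext never leaves the identity system."""
    breached_emails = {email.lower() for email, _ in corpus}
    index = build_range_index(corpus)
    return {
        email: {
            "email_in_breach": email.lower() in breached_emails,
            "password_reused_from_breach": password_is_breached(index, pw),
        }
        for email, pw in accounts.items()
    }
```

An account flagged on the second field is the reuse case the column describes: the corporate password is one that already circulates in a leaked dump, regardless of whether the corporate address itself was in the breach.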