The latest headlines are staggering. A collection of roughly 16 billion login credentials, covering accounts at Apple, Google, Facebook, GitHub, Telegram, VPN providers, government portals and more, has been reported in what some are calling the largest credential leak ever recorded. The researchers who examined the data described it as an aggregation of credentials harvested by infostealer malware and exposed in earlier breaches rather than a new intrusion into those services, but that distinction changes nothing for defenders: the passwords are real, they are circulating, and businesses should treat this as a direct threat to their security posture.
Compromised credentials are the easiest way for an attacker to walk in through your digital front door; no exploit is needed when the login simply works. So what is a small or mid-market enterprise to do, especially without a large internal IT team? Start by being proactive and focused, and by going back to basics. Below are six actions your organization should take immediately:
1. Change All Critical Passwords—Now
Don’t wait to find out whether your credentials were in the dump. Assume they were. Start with the most sensitive systems (email, administrative accounts, VPNs, firewalls, financial platforms, cloud infrastructure, and customer portals) and do the following:
- Require immediate password resets for every account with elevated privileges, including shared and service accounts that rarely get rotated.
- Instruct your team to change the password on any personal account registered with a business email address, since those are the addresses attackers will try against your systems first.
- Review and rotate the secrets behind third-party integrations and APIs (API keys, OAuth client secrets, service-account passwords); a key stored in a script or a repository is a credential too, and a password reset does nothing to it.
2. Use Complex Passwords and Passphrases
If your policy still lets users pick short or predictable passwords like “Company123”, change it today. First, roll out a password manager so the team can generate and store strong, unique passwords without memorizing them. Beyond that, enforce the following:
- Use passphrases: long, memorable phrases like “BlueCoffeeCup@Midnight2025” are both user-friendly and far harder to guess than a short string of symbols.
- Length over complexity: every added character multiplies the number of guesses an attacker must make, so a 16-character password of plain words is far stronger than an 8-character one padded with symbols.
- No password reuse: credential stuffing works precisely because people reuse passwords, so one leaked password should open exactly one door. Where your platform supports it, screen new passwords against known-breached lists as well, since a long password that already sits in a dump is a weak one.
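To make the “length over complexity” and “no reuse” points concrete, here is a small added example written for this article (it is not Netrio’s code or any product’s): it scores the guess space of a password by length and charset, and checks a candidate against breach data using the k-anonymity style lookup that the Have I Been Pwned range API uses, where only the first five hex characters of the SHA-1 hash leave your network and the suffix match is done locally. The breached-password list, the sighting counts and the `constructed_range_lookup` function are constructed stand-ins so the example runs offline; the URL pattern in the comment is the real API’s, but nothing here calls it.

```python
import hashlib
import math

# Constructed stand-in for a breach corpus. A real check would query a breach
# dataset such as the Have I Been Pwned range API
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>), which
# returns only the hash suffixes sharing that prefix, so the full password
# hash never leaves your network (k-anonymity). The responses below are built
# from this list so the example runs offline.
CONSTRUCTED_BREACHED_PASSWORDS = ["Company123", "Password1!", "Summer2025", "Welcome1"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format breach corpora use for lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_lookup(prefix: str) -> dict:
    """Simulated range response: {hash suffix: times seen} for one 5-char prefix."""
    matches = {}
    for i, pw in enumerate(CONSTRUCTED_BREACHED_PASSWORDS):
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            matches[digest[5:]] = 1000 * (i + 1)  # constructed sighting counts
    return matches


def breach_count(password: str, lookup=constructed_range_lookup) -> int:
    """How many times the password appears in breach data (0 = not seen).
    Only the 5-character prefix is handed to `lookup`; the suffix is matched here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return lookup(prefix).get(suffix, 0)


def search_space_bits(charset_size: int, length: int) -> float:
    """log2 of the number of candidates an attacker must try for a password of
    this length drawn uniformly at random from a charset of this size."""
    return length * math.log2(charset_size)


def policy_check(password: str, min_length: int = 16) -> list:
    """Return the policy violations for a proposed password (empty list = accept)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = breach_count(password)
    if seen:
        problems.append(f"appears {seen} times in breach data")
    return problems


if __name__ == "__main__":
    # 8 characters from all 95 printable ASCII vs 16 lower-case letters
    print(f"8-char complex:    {search_space_bits(95, 8):.1f} bits")
    print(f"16-char lowercase: {search_space_bits(26, 16):.1f} bits")
    for candidate in ["Company123", "BlueCoffeeCup@Midnight2025"]:
        print(candidate, "->", policy_check(candidate) or "OK")
```

The `search_space_bits` figure assumes characters chosen at random; a passphrase built from dictionary words has fewer effective possibilities than its length suggests, which is why the breach-list check sits alongside the length rule rather than replacing it.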
3. Enforce Multi-Factor Authentication (MFA) Everywhere You Can
Passwords alone are no longer enough to prevent unauthorized access. If you have not enabled MFA yet, you are needlessly exposed: an attacker holding a stolen password cannot get far if a second factor stops them. Not all second factors are equal, though. SMS codes and push approvals can be phished or worn down with repeated prompts (so-called MFA fatigue), while FIDO2 hardware keys are phishing-resistant because the key only answers the genuine site. Actions to consider:
- Require MFA on all email, VPN, cloud services, and critical applications.
- For highly sensitive functions such as administrative access or financial transactions, require phishing-resistant methods such as FIDO2 hardware keys.
- Make MFA non-negotiable: no exceptions for executives, contractors, or “temporary” bypasses, because those are exactly the accounts attackers look for.
4. Monitor and Log All Critical Assets
If you can’t see what is happening in your environment, you can’t stop an active attack, and breaches all too often go unnoticed for months. Detecting suspicious behavior takes proper visibility, and visibility starts with logs that actually get collected and looked at.
- Enable logging and alerting on all critical infrastructure: firewalls, servers, cloud accounts, identity providers and other authentication systems. Ship the logs off the box, so an attacker who compromises a host cannot also erase the record of it.
- Use centralized log management or a SIEM to correlate events across systems and identify anomalies that a single log never shows.
- Alert on common signs of compromise: bursts of failed logins against one account, one source failing against many accounts (password spraying), a success arriving right after a run of failures, logins from unusual locations or at unusual hours, and unexpected privilege escalation.
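The alert conditions above can be expressed as a few lines of detection logic. The following is an added example written for this article, not Netrio’s tooling or any SIEM’s rule syntax: it parses a constructed authentication log in a simple `key=value` shape, then runs four detections over it (brute force against one account, password spraying from one source, an off-hours success, and a success from an address the user has never used). The log lines, the per-user baseline, the thresholds and the window sizes are all constructed for illustration and would be tuned to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log in a simple key=value shape (not any product's
# real format). Source addresses are from the RFC 5737 documentation ranges.
CONSTRUCTED_LOG = """\
2025-06-20T09:00:01Z user=alice src=198.51.100.10 result=OK
2025-06-20T02:10:00Z user=bob src=203.0.113.7 result=FAIL
2025-06-20T02:10:05Z user=bob src=203.0.113.7 result=FAIL
2025-06-20T02:10:09Z user=bob src=203.0.113.7 result=FAIL
2025-06-20T02:10:14Z user=bob src=203.0.113.7 result=FAIL
2025-06-20T02:10:20Z user=bob src=203.0.113.7 result=FAIL
2025-06-20T02:10:31Z user=bob src=203.0.113.7 result=OK
2025-06-20T03:00:00Z user=alice src=203.0.113.9 result=FAIL
2025-06-20T03:00:02Z user=bob src=203.0.113.9 result=FAIL
2025-06-20T03:00:04Z user=carol src=203.0.113.9 result=FAIL
2025-06-20T03:00:06Z user=dave src=203.0.113.9 result=FAIL
2025-06-20T14:30:00Z user=carol src=198.51.100.12 result=OK
"""

# Constructed baseline: the addresses each user normally signs in from.
CONSTRUCTED_BASELINE = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.11"},
    "carol": {"198.51.100.12"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Parse lines into dicts and sort by time so the window logic is correct
    even when the collector delivered events out of order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip malformed lines rather than crash the pipeline
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """(user, src) pairs with >= threshold failures inside `window`; records
    whether a success followed while those failures were still in the window."""
    recent = defaultdict(list)
    findings = {}
    for e in events:
        key = (e["user"], e["src"])
        fails = recent[key]
        fails[:] = [t for t in fails if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            fails.append(e["ts"])
            if len(fails) >= threshold and key not in findings:
                findings[key] = {"user": e["user"], "src": e["src"],
                                 "failures": len(fails), "success_after": False}
        elif key in findings and fails:
            findings[key]["success_after"] = True
    return list(findings.values())


def detect_password_spray(events, min_users=3, window=timedelta(minutes=30)):
    """One source failing against >= min_users distinct accounts inside `window`.
    A couple of guesses per account never trips a per-account lockout, so key on src."""
    attempts = defaultdict(list)
    findings = {}
    for e in events:
        if e["result"] != "FAIL":
            continue
        hist = attempts[e["src"]]
        hist.append((e["ts"], e["user"]))
        hist[:] = [(t, u) for t, u in hist if e["ts"] - t <= window]
        users = sorted({u for _, u in hist})
        if len(users) >= min_users:
            findings[e["src"]] = {"src": e["src"], "users": users}
    return list(findings.values())


def detect_off_hours(events, start_hour=8, end_hour=18):
    """Successful logins outside the business window (hours in the log's timezone)."""
    return [{"user": e["user"], "src": e["src"], "ts": e["ts"].isoformat()}
            for e in events
            if e["result"] == "OK" and not (start_hour <= e["ts"].hour < end_hour)]


def detect_new_source(events, baseline):
    """Successful logins from an address the user has never used before."""
    return [{"user": e["user"], "src": e["src"], "ts": e["ts"].isoformat()}
            for e in events
            if e["result"] == "OK" and e["src"] not in baseline.get(e["user"], set())]


def run_detections(log_text, baseline):
    events = parse_log(log_text)
    return {
        "brute_force": detect_brute_force(events),
        "password_spray": detect_password_spray(events),
        "off_hours_login": detect_off_hours(events),
        "new_source_login": detect_new_source(events, baseline),
    }


if __name__ == "__main__":
    for name, hits in run_detections(CONSTRUCTED_LOG, CONSTRUCTED_BASELINE).items():
        for hit in hits:
            print(f"ALERT {name}: {hit}")
```

Sorting by timestamp before windowing matters: collectors deliver events out of order, and both the brute-force and the spray rule depend on it. The `success_after` flag is the one to page on; a run of failures on its own is mostly noise, while a run of failures followed by a success is the attacker getting in.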
5. Invest in Security Awareness Training (SAT)
When it comes to protecting your organization, your people are both your greatest defense and your greatest risk. Educate them accordingly, for example:
- Conduct ongoing SAT, not just a slide or two in the company meeting or an occasional mass email advisory.
- Include real-world phishing simulations and training tailored to your business and the tools your staff actually use.
- Teach employees how to recognize social engineering (including unexpected MFA prompts and calls from “IT” asking for a password reset), spot suspicious activity, and report it quickly without fear of blame.
6. Reset All Active Sessions and Tokens Immediately
If credentials were compromised, attackers may already hold live sessions in your systems, and changing a password does not end a session that was established before the change: a signed session cookie or refresh token keeps working until it expires or is explicitly revoked. Act fast to close that window:
- Force sign-out across all platforms. Most identity providers can revoke every refresh token a user holds in a single action; use that rather than waiting for sessions to time out.
- Revoke and reissue access tokens and API credentials; a leaked API key does not care that the user’s password changed.
- Reject old sessions wherever the platform allows it: record the time of the reset and refuse any token or session issued before that moment, so tokens that are otherwise still valid cannot be replayed.
- Review Active Directory and IAM (Identity and Access Management) logs for suspicious session activity: sessions that survived the reset, tokens used from unfamiliar addresses, and new MFA devices or app passwords registered around the time of the leak.
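To show why a password change alone does not end a session, and how “refuse anything issued before the reset” works in practice, here is an added example in Python written for this article (not Netrio’s code and not any identity provider’s API): a small token issuer that signs session tokens with HMAC, keeps a per-user revocation timestamp so one call kills every token the user holds, and stores API keys by hash so they can be rotated with the old key refused. The signing key, the `SessionAuthority` class and its method names are constructed for illustration; a real environment gets the same effect from the identity provider’s session-revocation call rather than from code like this.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class SessionAuthority:
    """Issues HMAC-signed session tokens and API keys, and can kill every token a
    user holds in one step by recording a per-user 'revoked before' timestamp.
    Signature and expiry checks alone would keep a stolen token alive until it
    expired, which is exactly the window a post-breach reset has to close."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 3600):
        self._key = signing_key
        self._ttl = ttl_seconds
        self._revoked_before = {}  # user -> epoch seconds of the last forced reset
        self._api_keys = {}        # key id -> {"hash", "owner", "active"}

    def _sign(self, body: bytes) -> str:
        mac = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode()

    def issue(self, user: str, now=None) -> str:
        now = int(time.time()) if now is None else now
        payload = {"sub": user, "iat": now, "exp": now + self._ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload, separators=(",", ":")).encode())
        return body.decode() + "." + self._sign(body)

    def verify(self, token: str, now=None):
        """Return the token's user, or None if the token must be rejected."""
        now = int(time.time()) if now is None else now
        try:
            body_b64, sig = token.split(".")
        except ValueError:
            return None
        body = body_b64.encode()
        # Authenticate before parsing: a forged body is never decoded.
        if not hmac.compare_digest(self._sign(body).encode(), sig.encode()):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        if now >= payload["exp"]:
            return None  # expired
        # The forced reset: a token issued at or before the user's revocation
        # mark is dead even though its signature and expiry are still good.
        if payload["iat"] <= self._revoked_before.get(payload["sub"], -1):
            return None
        return payload["sub"]

    def revoke_all_sessions(self, user: str, now=None) -> None:
        """Invalidate every token issued to `user` up to and including `now`.
        Tokens issued in the same second are rejected too, so a fresh login
        must produce a token with a later `iat`."""
        now = int(time.time()) if now is None else now
        self._revoked_before[user] = now

    def issue_api_key(self, owner: str):
        """Return (key id, secret); only a hash of the secret is stored."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._api_keys[key_id] = {"hash": hashlib.sha256(secret.encode()).hexdigest(),
                                  "owner": owner, "active": True}
        return key_id, secret

    def rotate_api_key(self, key_id: str):
        """Deactivate the old key and return a fresh (key id, secret) for the same owner."""
        old = self._api_keys[key_id]
        old["active"] = False
        return self.issue_api_key(old["owner"])

    def check_api_key(self, key_id: str, secret: str):
        """Return the owner if the key is active and the secret matches, else None."""
        rec = self._api_keys.get(key_id)
        if rec is None or not rec["active"]:
            return None
        presented = hashlib.sha256(secret.encode()).hexdigest()
        return rec["owner"] if hmac.compare_digest(rec["hash"], presented) else None


if __name__ == "__main__":
    auth = SessionAuthority(b"constructed-signing-key-not-for-production")
    t0 = 1_750_000_000
    token = auth.issue("alice", now=t0)
    print("before reset:", auth.verify(token, now=t0 + 10))  # alice
    auth.revoke_all_sessions("alice", now=t0 + 20)
    print("after reset: ", auth.verify(token, now=t0 + 30))  # None
    print("fresh login: ", auth.verify(auth.issue("alice", now=t0 + 21), now=t0 + 30))  # alice
```

Two design points carry over to any real implementation: the signature is checked before the payload is decoded, so a forged token is never parsed; and the revocation check uses the token’s issue time rather than a blocklist of token IDs, which is what makes “revoke everything for this user” a single write instead of a search.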
Final Thoughts
In a threat landscape where billions of credentials are circulating freely, businesses must assume they are at risk and ask themselves, “What can we do to shut the door now?”
Security doesn’t have to be complex, but it does have to be proactive. The six steps above are table stakes in today’s environment. Implement them quickly and thoroughly, and if you don’t have the staff to do so yourself, partner with experts like our team at Netrio to take care of it for you.
Need help navigating your next steps or evaluating your exposure? Let’s talk – Contact us NOW!