A friend worked at a UK government site that one week complained about an increase in "Russian" attempted intrusions and literally the next week issued an instruction in an unsigned email to all staff to change their password to a new password given in plaintext in the email.
The instruction, they thought, had to be a poor phishing attempt - but no, it was a genuine email from the IT department and the friend was punished (!!) for questioning the instruction and not immediately complying.
It may not have been the same password across the organisation but theirs was reportedly word-based and quite short.