https://www.theregister.co.uk/2018/07/25/companies_fail_to_secure_employee_accounts/

Few companies bother to secure employee accounts with simple protections like two-factor authentication (2FA) and lockouts, an analysis by security company Rapid 7 has found.

These were only the most glaring weaknesses that emerged from 268 real-world penetration tests carried out by its security staff since 2017 for the report "Under The Hoodie" (PDF).