Study of servers audited by PowerTech shows firms failing to get the basics right.
Half of servers have more than 30 users whose passwords are set to the defaults, according to a study from IBM.
The computing multinational studied data from over 200 audited servers and partitions, finding that 39% do not require users to have a digit in their passwords, with a quarter of the systems never requiring that users change their login credentials.
PowerTech's Robin Tatam, director of security technologies and author of the study, said: "Many organisations focus on external threats, but current and former employees are often responsible for data loss or theft, whether intentionally or not."
The study found one of the servers had recorded more than two million sign-on attempts with a single profile, while in a system with almost 2,000 users only a hundred had changed their password from the default.
An average of 240 profiles had not signed on in the past month on each system, with 140 of those remaining enabled and ready for use. Only a third of servers studied had put an exit mechanism in place.
Almost all the systems studied failed to prevent users from accessing critical data, despite all systems having been audited by PowerTech's Compliance Assessment in 2013.