New regulations & password pressure

Like many organizations, Sorø Municipality relies on passwords as a primary line of defense. For its five-person IT team, cybersecurity posture had become increasingly challenging to maintain, particularly given the widespread password reuse habits among users who often use the same credentials across both personal and work systems.

More pressure came in 2024 when a new Danish mandate was introduced requiring all municipalities to actively scan for breached credentials. This was a challenge for an already stretched IT operations team responsible for managing the entire infrastructure and security stack end to end.

Emil has been the IT operations manager at Sorø for 18 years. He explained a key decision to implement Specops was sparked by an insight from industry webinars he attended. He was struck by the phrase “hackers don’t hack, they log in,” which crystallized the importance of protecting credentials against breaches and leaked passwords. “We’re a small team managing 2,700 users,” Emil explained. “Specops needed to just work.”

Stronger password policy + continuous scanning

To meet their new compliance targets, Sorø implemented Specops with several key security measures. The organization enforced a 14-character minimum password requirement, with plans to increase this to passphrases over 15 characters or more in the future. They also evolved their password rotation approach, moving from requiring password changes every three months to once a year.

Specops Password Policy actively blocks breached passwords from being used within the organization, providing a crucial defense against credential-based attacks. Continuous scanning runs automatically in the background, generating email alerts to the IT team when compromised credentials are detected. Daily scans continuously detect new exposures as they occur, providing real-time protection against emerging threats.

The solution can also work alongside MitID, Denmark’s national multi-factor authentication application, streamlining the user experience while maintaining security. “Specops gives us compliance and protection — with virtually no admin overhead,” Emil summarized.

Specops gives us compliance and protection — with virtually no admin overhead.

Major reduction in exposure levels

The Specops implementation has delivered impressive outcomes across multiple metrics. Breach alerts have dropped to less than one per month – a substantial reduction from their previous exposure levels. The careful manual handling of credential resets has meant zero lockouts were reported during the rollout, ensuring business continuity throughout the transition.

“Since implementing Specops, I get maybe one breach alert a month — if that,” Emil noted, highlighting the significant improvement in their security posture and the reduction in administrative overhead for his small team.
Most importantly for regulatory compliance, Sorø achieved 100% compliance with Denmark’s 2024 KL breach scan requirement. For a five-person IT team managing comprehensive infrastructure responsibilities, this combination of enhanced security and minimal operational burden has proven invaluable in meeting both regulatory demands and practical business needs. The solution is operating as a ‘set and forget’ system, requiring IT to log in at most twice per year for maintenance.

The implementation has shown proven return on investment through risk reduction and seamless regulatory compliance. “It’s great value: simple to set up, minimal effort, and real protection,” Emil concluded.

Since implementing Specops, I get maybe one breach alert a month — if that.

What’s next?

Looking ahead, Sorø has identified service accounts as the next phase of their security project. These accounts often have poorly documented passwords set by administrators, and changing these passwords can cause system breaks, presenting a unique challenge that requires careful planning and execution.

Specops solutions are particularly well-suited for organizations dealing with regulatory guidance, handling sensitive citizen or research data, and IT teams facing resource pressures. As Emil notes, the benefits for Sorø Municipality extend beyond organizational security: “The better our users’ passwords are, the safer their work and their personal lives.”