...
Passwords
No complexity rules or regular changes (against good practice)
No self-reset of password (adds admin burden)
Multi-factor authentication (now the norm and best practice)
Pass-through authentication for staff should be investigated (access is simpler)
Monitoring
Monitoring access by users (to identify suspicious activity)
Background and links in Confluence
...