BreachExchange mailing list archives

Study: Enterprises Fail To Test End User Awareness Training, Password Policies


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Sep 2013 00:23:09 -0600

http://www.darkreading.com/end-user/study-enterprises-fail-to-test-end-user/240161449

Security awareness programs and strong password policies are standard
procedure in most organizations, but most enterprises don't do enough to
reinforce them, according to a new survey.

According to a study published Friday by security firm Rapid7, most
companies don't go back and test their employees to see whether they have
learned from security training and policy.

About two-thirds (66 percent) of enterprises do security awareness training
to help users recognize and avoid phishing attacks, the study says. But
only one-third (33 percent) actually test employees with simulated phishing
attacks.

"While organizations want to believe that every employee will detect a
phishing scam once it hits their inbox, that is often not the case," the
study says.

And even some organizations that do simulated phishing attacks fail to
adequately integrate those tests with their training programs, says Rohyt
Belani, CEO of PhishMe, which offers phishing awareness and simulation
services.

"If you only send simulated phishing emails to test your user base -- and
provide training in the traditional sense at a different time -- you're not
going to change behavior," Belani says. "By providing training immediately
after a person falls for a simulated phish, you're providing that training
within the context of the situation. But if training is noncontextual, you
may as well not do it."

A similar problem occurs at the password level, according to the Rapid7
study. While 90 percent of companies surveyed have a strong password policy
in place, only 56 percent of enterprises check to see whether users are
employing strong passwords on services beyond their primary Windows login,
the survey says.

"Immediately following the LinkedIn data breach in June 2012, Rapid7
compared leaked passwords from the 2010 Gawker Media breach with the stolen
passwords of LinkedIn users, and found that the same, weak passwords
publicized two years before were still being used and were often part of a
larger password/passphrase," the study says.

"While Windows login can enable domain admins to require users to create
stronger passwords, organizations must also ensure that all
password-protected assets receive the same policy," Rapid7 says.

The study recommends implementing technical controls that test and measure
end user security behavior and enforce policy.
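One such technical control, as an added illustration that is not from the article or from Rapid7's study: a password-change check that rejects candidates embedding a previously leaked password, the reuse pattern the study describes, plus a small audit routine to measure how a batch of submissions fares. The function names and the leaked-password list are constructed for the example.

```python
# Constructed stand-in for a real leaked-password corpus (e.g. a list from a
# prior breach); a real deployment would load a much larger corpus.
LEAKED_PASSWORDS = ["123456", "password", "letmein", "qwerty", "iloveyou"]


def embedded_leaked_password(candidate, leaked=LEAKED_PASSWORDS, min_len=6):
    """Return the first leaked entry found inside candidate (case-insensitive), else None.

    Entries shorter than min_len are ignored so that incidental short matches
    do not block otherwise acceptable passphrases.
    """
    lowered = candidate.lower()
    for entry in leaked:
        if len(entry) >= min_len and entry.lower() in lowered:
            return entry
    return None


def policy_violations(candidate, min_length=12, leaked=LEAKED_PASSWORDS):
    """Return human-readable violations; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hit = embedded_leaked_password(candidate, leaked)
    if hit is not None:
        problems.append(f"contains previously leaked password '{hit}'")
    return problems


def audit_candidates(candidates):
    """Count how a batch of candidate passwords fares against the policy, per reason."""
    summary = {"total": 0, "rejected": 0, "embedded_leaked": 0, "too_short": 0}
    for pw in candidates:
        summary["total"] += 1
        problems = policy_violations(pw)
        if problems:
            summary["rejected"] += 1
        if any(p.startswith("contains previously leaked") for p in problems):
            summary["embedded_leaked"] += 1
        if any(p.startswith("shorter than") for p in problems):
            summary["too_short"] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample submissions: "Password2013!" meets the length rule but
    # embeds a leaked password, the reuse pattern the study describes.
    sample = ["Password2013!", "letmein", "correct horse battery staple", "Qwerty!!2013xx"]
    print(audit_candidates(sample))
```

The same check can run at password-set time on every service, not only the Windows domain, which is the gap the survey highlights.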
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/