Security Best Practices A Big FAIL In Most Organizations

New data released today reveals how enterprises and government agencies are failing to adopt best practices for security: nearly all of the 420 organizations that participated in the survey were at some risk in security or compliance.

The Echelon One/Venafi-sponsored survey, 2011 IT Security Best Practices Assessment, was based on 12 best security practices defined by Echelon One.

Here's how the organizations fared in the top five best practices:

Some 77 percent don't perform quarterly security and training compliance training; 64 percent don't encrypt all of their cloud data and cloud transactions; 82 percent don't rotate their SSH keys every 12 months; 55 percent don't have a process in place in the event of a certificate authority compromise; and 10 percent don't use encryption throughout their organizations.

"Training once a year is not enough. It has to be done on a regular basis, and quarterly is best," says Bob West, founder and CEO of Echelon One, who says he was shocked by the high rate of failure in the survey. "But 77 percent are not doing this."

Jeff Hudson, CEO of Venafi, says the good news from the survey is the widespread use of encryption. "But it's incredibly poorly managed. SSH keys are a mess," he says.

"Very few are thinking about encrypting data as it goes in the cloud. Ninety percent say they use encryption throughout the organization, but that number falls off drastically when data goes into the cloud," Hudson says. "As apps and data move into the cloud … there's not a well-developed thought process on how to protect data under your direct control."

"People are not planning for compromises, and the biggest ones were when people were caught flat-footed, especially with a CA room compromise, and the Comodo RA compromise," for example, he says.

Among some of the other findings from the survey: 40 percent of the respondents didn't know whether their organizations encrypted their data in Google Apps, Salesforce.com, or Dropbox, and 41 percent didn't know how often their SSH keys were rotated. Around 10 percent aren't using encryption in authentication.

Venafi and Echelon One are now offering a free self-assessment survey for organization to measure their best practices status here, as well as to obtain copy of the full report.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.