Study: Enterprises Fail To Test End User Awareness Training, Password Policies

Most enterprises don't adequately test users on security training, policy, Rapid7 study says

Security awareness programs and strong password policies are standard procedure in most organizations, but most enterprises don't do enough to reinforce them, according to a new survey.

According to a study published Friday by security firm Rapid7 (PDF), most companies don't go back and test their employees to see whether they have learned from security training and policy.

About two-thirds (66 percent) of enterprises do security awareness training to help users recognize and avoid phishing attacks, the study says. But only one-third (33 percent) actually test employees with simulated phishing attacks.

"While organizations want to believe that every employee will detect a phishing scam once it hits their inbox, that is often not the case," the study says.

Even some organizations that run simulated phishing attacks fail to integrate those tests adequately with their training programs, says Rohyt Belani, CEO of PhishMe, which offers phishing awareness and simulation services.

"If you only send simulated phishing emails to test your user base -- and provide training in the traditional sense at a different time -- you're not going to change behavior," Belani says. "By providing training immediately after a person falls for a simulated phish, you're providing that training within the context of the situation. But if training is noncontextual, you may as well not do it."
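As an added example (not code from Rapid7, PhishMe, or the original article), here is the measurement side of a simulated-phishing program in Python. It reads the event log a campaign tool would produce (the log below is a constructed sample; the CSV field names and event types are assumptions), computes the share of recipients who clicked or submitted credentials, overall and by department, and lists who should be routed to training right away, which is the in-context, just-after-the-click training Belani describes.

```python
"""Phishing-simulation campaign scorecard.

Added example, not Rapid7's or PhishMe's code. Reads the event log of a
simulated phishing campaign, computes the share of recipients who fell for the
lure (overall and per department), and lists who should get contextual
training now, while the click is still fresh.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log: one row per event, in the order a campaign tool
# would record them. Field names and event types are assumptions.
SAMPLE_LOG = """\
timestamp,user,dept,event
2013-09-16T09:00:00Z,alice,finance,sent
2013-09-16T09:00:00Z,bob,finance,sent
2013-09-16T09:00:00Z,carol,engineering,sent
2013-09-16T09:00:00Z,dave,engineering,sent
2013-09-16T09:00:00Z,erin,hr,sent
2013-09-16T09:03:12Z,alice,finance,opened
2013-09-16T09:03:40Z,alice,finance,clicked
2013-09-16T09:04:05Z,alice,finance,submitted
2013-09-16T09:05:30Z,bob,finance,opened
2013-09-16T09:06:00Z,bob,finance,reported
2013-09-16T09:10:00Z,carol,engineering,opened
2013-09-16T09:10:20Z,carol,engineering,clicked
2013-09-16T09:15:00Z,erin,hr,opened
2013-09-16T09:15:05Z,erin,hr,clicked
2013-09-16T09:15:30Z,erin,hr,reported
"""

# Either of these events means the recipient took the bait. Reporting the
# lure afterwards does not undo a click, but it is tracked separately.
FELL_FOR_IT = {"clicked", "submitted"}


def parse_events(text):
    """Parse the CSV log into a list of dicts, one per event."""
    return list(csv.DictReader(StringIO(text)))


def outcomes_by_user(events):
    """Collapse the event stream into one outcome record per recipient.

    Returns {user: {"dept": str, "sent": bool, "fell": bool, "reported": bool}}.
    """
    users = {}
    for ev in events:
        rec = users.setdefault(
            ev["user"],
            {"dept": ev["dept"], "sent": False, "fell": False, "reported": False},
        )
        if ev["event"] == "sent":
            rec["sent"] = True
        elif ev["event"] in FELL_FOR_IT:
            rec["fell"] = True
        elif ev["event"] == "reported":
            rec["reported"] = True
    return users


def phish_prone_percentage(events):
    """Share of recipients who clicked or submitted, overall and per department."""
    recipients = [r for r in outcomes_by_user(events).values() if r["sent"]]
    sent = defaultdict(int)
    fell = defaultdict(int)
    for rec in recipients:
        sent[rec["dept"]] += 1
        fell[rec["dept"]] += int(rec["fell"])
    by_dept = {d: round(100.0 * fell[d] / sent[d], 1) for d in sent}
    overall = round(100.0 * sum(fell.values()) / len(recipients), 1)
    return {"overall": overall, "by_dept": by_dept}


def users_needing_training(events):
    """Recipients to route to contextual training immediately."""
    return sorted(u for u, r in outcomes_by_user(events).items() if r["fell"])


def users_who_reported(events):
    """Recipients who reported the lure; worth reinforcing, not just measuring."""
    return sorted(u for u, r in outcomes_by_user(events).items() if r["reported"])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(phish_prone_percentage(evs))
    print("train now:", users_needing_training(evs))
    print("reported:", users_who_reported(evs))
```

The per-user collapse is the part worth getting right: a recipient who reports the lure after clicking still counts as having fallen for it, so reporting does not hide the click, while reporters are listed on their own so the program can reinforce the behaviour it wants as well as retrain the behaviour it does not.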

A similar problem occurs at the password level, according to the Rapid7 study. While 90 percent of companies surveyed have a strong password policy in place, only 56 percent of enterprises check to see whether users are employing strong passwords on services beyond their primary Windows login, the survey says.

"Immediately following the LinkedIn data breach in June 2012, Rapid7 compared leaked passwords from the 2010 Gawker Media breach with the stolen passwords of LinkedIn users, and found that the same, weak passwords publicized two years before were still being used and were often part of a larger password/passphrase," the study says.

"While Windows login can enable domain admins to require users to create stronger passwords, organizations must also ensure that all password-protected assets receive the same policy," Rapid7 says.
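The breach-against-breach comparison Rapid7 describes is something an organization can run on its own data, and the same rule can serve as the policy check the study says should cover every password-protected asset, not only the Windows login. The following Python is an added example, not Rapid7's tooling. Every password list in it is a constructed sample rather than real Gawker or LinkedIn data, and the length thresholds are assumptions.

```python
"""Checking passwords against passwords already exposed in earlier breaches.

Added example, not Rapid7's code. It does the two things the study describes:
(1) compare an older breach corpus against a newer password set to find which
old, weak passwords reappear, verbatim or embedded in a longer password; and
(2) apply the same rule as a policy check at password-change time, usable for
any service rather than only the primary Windows login.
All password lists here are constructed samples, not real breach data.
"""

# Constructed stand-in for an older leak (the role the 2010 Gawker list
# played in Rapid7's comparison). Not real data.
OLD_LEAK = ["123456", "password", "lifehack", "qwerty", "letmein"]

# Constructed stand-in for the newer set being audited. Not real data.
NEW_SET = ["password1", "Letmein2012!", "S3cure#Passphrase", "qwerty", "hunter2"]

# Leaked strings shorter than this are ignored for substring matching;
# otherwise "123" or "abc" would flag almost everything. Assumed threshold.
MIN_LEAKED_LEN = 5
# Policy minimum length. An assumption, not a figure from the study.
MIN_PASSWORD_LEN = 12


def _usable_leaks(leaked):
    """Lower-cased leaked passwords long enough to be meaningful as substrings."""
    return sorted({p.lower() for p in leaked if len(p) >= MIN_LEAKED_LEN})


def cross_breach_reuse(old_leak, new_set):
    """Map each old leaked password to the new passwords that contain it.

    Matching is a case-insensitive substring test, so 'letmein' catches
    'Letmein2012!' (the "part of a larger password/passphrase" case).
    Old passwords that never reappear are left out of the result.
    """
    reuse = {}
    for old in _usable_leaks(old_leak):
        hits = [new for new in new_set if old in new.lower()]
        if hits:
            reuse[old] = hits
    return reuse


def check_policy(candidate, leaked, min_len=MIN_PASSWORD_LEN):
    """Return the list of policy violations for a candidate (empty list = OK)."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lowered = candidate.lower()
    if lowered in {p.lower() for p in leaked}:
        problems.append("appears verbatim in a breach corpus")
    else:
        for leak in _usable_leaks(leaked):
            if leak in lowered:
                problems.append(f"contains breached password '{leak}'")
                break
    return problems


if __name__ == "__main__":
    print(cross_breach_reuse(OLD_LEAK, NEW_SET))
    for pw in NEW_SET + ["correct horse battery staple"]:
        print(repr(pw), "->", check_policy(pw, OLD_LEAK) or "ok")
```

The substring rule needs the plaintext candidate, so it belongs at password-change time, before the new password is hashed, where the candidate is in hand anyway; it cannot be run as an offline audit over a store of properly hashed passwords, and the breach corpus it is compared against should itself be held and handled as sensitive data.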

The study recommends implementing technical controls that test and measure end user security behavior and enforce policy.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.

Comment from Stus (User Rank: Apprentice), 9/18/2013 9:27:07 PM, re: Study: Enterprises Fail To Test End User Awareness Training, Password Policies
Belani's comment stating the only time to train someone is after they have fallen for a phishing attack is doubtful at best. It's true that this is how Phishme does it, but there are other very effective ways to get great results. Here is an alternative:

Do a company-wide simulated phishing attack which determines your Phish-prone percentage. Then publicly announce that percentage, and tell everyone they will get security awareness training. Make that mandatory and then continue to send everyone, year-round, two or three simulated phishing attacks per month. This strategy is extremely effective and we have automated this process at KnowBe4:
http://www.knowbe4.com/product...

Warm regards,
Stu