Study: Enterprises Fail To Test End User Awareness Training, Password Policies

Published: 22/11/2024   Category: security




Most enterprises don't adequately test users on security training and policy, Rapid7 study says



Security awareness programs and strong password policies are standard procedure in most organizations, but most enterprises don't do enough to reinforce them, according to a new survey.
According to a study published Friday by security firm Rapid7 (PDF), most companies don't go back and test their employees to see whether they have learned from security training and policy.
About two-thirds (66 percent) of enterprises do security awareness training to help users recognize and avoid phishing attacks, the study says. But only one-third (33 percent) actually test employees with simulated phishing attacks.
While organizations want to believe that every employee will detect a phishing scam once it hits their inbox, that is often not the case, the study says.
And even some organizations that do simulated phishing attacks fail to adequately integrate those tests with their training programs, says Rohyt Belani, CEO of PhishMe, which offers phishing awareness and simulation services.
"If you only send simulated phishing emails to test your user base -- and provide training in the traditional sense at a different time -- you're not going to change behavior," Belani says. "By providing training immediately after a person falls for a simulated phish, you're providing that training within the context of the situation. But if training is noncontextual, you may as well not do it."
A similar problem occurs at the password level, according to the Rapid7 study. While 90 percent of companies surveyed have a strong password policy in place, only 56 percent of enterprises check to see whether users are employing strong passwords on services beyond their primary Windows login, the survey says.
Immediately following the LinkedIn data breach in June 2012, Rapid7 compared leaked passwords from the 2010 Gawker Media breach with the stolen passwords of LinkedIn users, and found that the same, weak passwords publicized two years before were still being used and were often part of a larger password/passphrase, the study says.
While Windows login can enable domain admins to require users to create stronger passwords, organizations must also ensure that all password-protected assets receive the same policy, Rapid7 says.
The study recommends implementing technical controls that test and measure end user security behavior and enforce policy.
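The study's two password findings point at the same control: checking a candidate password against known-weak values, and rejecting it even when the weak value is only a fragment of a longer passphrase. The following is an added example of such a policy check, not code from the article or from Rapid7; the weak-password list and the sample inputs are constructed for illustration, and the length threshold and function names are assumptions.

```python
"""Password policy check that rejects known-weak passwords, including when they
appear as a substring of a longer passphrase (added example; constructed data)."""

# Constructed sample of weak passwords of the kind found in public breach dumps.
# In practice this would be loaded from a breached-password corpus, not hard-coded.
KNOWN_WEAK = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Assumed policy threshold; the article gives no specific length.
MIN_LENGTH = 12


def weak_substring(password, weak_list=KNOWN_WEAK, min_len=6):
    """Return the known-weak password contained in `password` (case-insensitive),
    or None if no entry matches.

    Entries shorter than `min_len` are skipped so that very short list entries do
    not match almost every input. Longer entries are tried first so the most
    specific match is reported.
    """
    lowered = password.lower()
    for weak in sorted(weak_list, key=len, reverse=True):
        if len(weak) >= min_len and weak in lowered:
            return weak
    return None


def check_password(password, weak_list=KNOWN_WEAK, min_length=MIN_LENGTH):
    """Return a list of policy failures for `password`; an empty list means accepted."""
    failures = []
    if len(password) < min_length:
        failures.append("too short")
    hit = weak_substring(password, weak_list)
    if hit is not None:
        failures.append(f"contains known-weak password '{hit}'")
    return failures


def audit_candidates(candidates):
    """Run the check over several candidate passwords and report each result.

    Returns a dict mapping each candidate to its failure list, so the same
    routine can be used both at password-set time and for a bulk policy review.
    """
    return {pw: check_password(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample inputs, including a weak password embedded in a longer phrase,
    # which is exactly the pattern the study describes.
    samples = ["Summer2024!", "MyPassword2024!!", "correct horse battery staple"]
    for pw, result in audit_candidates(samples).items():
        status = "OK" if not result else "; ".join(result)
        print(f"{pw!r}: {status}")
```

The substring check is what distinguishes this from a plain blocklist lookup: a password such as `MyPassword2024!!` satisfies a length rule and a character-class rule yet still fails, because the breached value is sitting inside it.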