Security best practices aren’t generally elite, bulletproof security measures. On the contrary, “security best practices” is a polite way of saying “this is the very least you can possibly do and still claim to be making an effort.” It is a bar for measuring information security success, but it is a very low bar, set as a least common denominator.
Apparently that bar isn’t quite low enough for most. Venafi and Echelon One recently teamed up to survey 420 businesses and government agencies to determine how well they follow security best practices and found that more than 75 percent do not perform periodic security and compliance training.
Venafi CEO Jeff Hudson elaborated on the survey results in an interview with Infosecurity. “What was surprising was the poor state of training for those humans. Since humans are the weak link, they are not getting trained very well, and turnover is high, the problem only gets worse.”
KnowBe4, an information security training provider, echoes the findings of the Venafi / Echelon One survey. KnowBe4 claims many organizations are not investing in security training programs, and the result is a workforce that is more susceptible to phishing attacks and other security threats.
A statement from KnowBe4 describes an experiment, the FAIL500 Project, conducted by the company. “KnowBe4 sent non-malicious simulated phishing emails to employees at more than 3,000 companies featured in the Inc. 5000; and at 485 of those firms, one or more employees clicked the email.”
Further study demonstrated that companies that conducted formal information security training significantly reduced the threat of this behavior, dropping the likelihood of a successful phishing attack by as much as 75 percent. Over time, with reinforcement, that percentage can be brought to virtually zero.