Most organizations do not follow security best practices, survey finds

Echelon One developed a set of information security best practices based on industry standards and worked with Venafi on surveying 420 enterprises and government agencies to see how they did in terms of following these best practices.

According to the survey, 77% of respondents failed to follow the best practice of performing quarterly security and compliance training for their employees.

“Humans are the weak link” in information security, said Jeff Hudson, chief executive officer at Venafi. “What was surprising was the poor state of training for those humans…. Since humans are the weak link, they are not getting trained very well, and turnover is high, the problem only gets worse”, he told Infosecurity.

Bob West, chief executive officer of Echelon One, added: “Most organizations’ first reaction is, ‘OK, let’s buy a tool to solve the problem,’ when in fact managing human behavior is the most important thing for security. As a consequence, there is often no budget allocated for education and awareness.”

In addition, 64% of respondents did not encrypt data and transactions in the cloud. Salesforce.com, Google Apps and other cloud applications do not encrypt by default, leaving information open to a successful hack, West told Infosecurity.

At the same time, 90% of respondents use encryption throughout their organization. “Encryption is widely used, but it is poorly managed…. Very few of the organizations are managing keys and certificates in a systematic way. This means that they are using encryption, but not using it effectively”, Hudson noted.

A full 82% of organizations surveyed do not rotate SSH keys every 12 months to mitigate risk. “The way people are managing SSH keys is a big mess”, Hudson said.

The survey noted that SSH keys provide servers and their administrators with root-level access to critical systems and data. A key-rotation period that exceeds the average employee’s lifecycle significantly increases the risk that a former employee or malicious administrator can gain unfettered and unauthorized access, it noted.

“There are a lot of SSH keys exposed to the internet”, said West. “When you look at what people are using SSH keys for, they are using them to manage sensitive infrastructure. If they are out there exposed to the internet, then that is a significant security issue.”

Also, 55% of organizations do not have management processes in place to ensure business continuity in the event of a certificate authority (CA) compromise, such as happened with Comodo affiliates earlier this year.

“People just don’t have a contingency plan if they have a CA compromise”, Hudson noted. “CAs are going to get compromised…. Without plans, people are flying in the face of disaster with no plan B.”

A total of 12 information security best practices were developed for the survey. A best practices self-assessment test is available at Venafi’s website.
 
