Workers are still finding it too hard to spot phishing emails, with nearly three-quarters of companies seeing staff hand over passwords when tested by a security company.
Security consultancy Coalfire tested 525 businesses for their susceptibility to a range of different hacking techniques and security vulnerabilities. It found that employees at 71% of these businesses handed over access credentials when targeted with phishing attacks by Coalfire's penetration testers -- up from 63% last year.
In 20% of cases, login details were shared by more than half of employees, compared to just 10% last year.
SEE: 10 tips for new cybersecurity pros (free PDF)
Coalfire carried out 623 penetration tests across the US, Europe and the UK, aiming to simulate a range of cyberattacks to assess how well companies were able to cope with them.
Weak passwords and insecure internal procedures, such as improper file-access restrictions and a lack of staff training, along with using out-of-date software, were the three most common vulnerabilities discovered during the tests.
"A lot of businesses are taking steps to upgrade their security infrastructure, particularly as they migrate more systems into the cloud, but still aren't addressing some of the fundamentals," said Andrew Barratt, UK managing director at Coalfire.
Overall, businesses exhibited fewer high-risk vulnerabilities than they did in penetration tests last year -- probably as a result of the shift to cloud computing, which reduces the need to secure and maintain on-premise infrastructure. The penetration tests also found badly configured cloud-security settings.
"There is a misconception from many that cloud adoption automatically means accepting more risk, but this is only true if it's done poorly," said Mike Weber, vice president Coalfire Labs.