Most companies don’t do what they need to do to reduce security risks. How do I know? Because I’ve consulted for hundreds of them. They don’t patch their most attacked programs in a timely manner, and they do a poor job of teaching their users how to avoid social engineering attacks -- the two commonsense actions that would reduce their security risk most dramatically. Instead, they push for better passwords, smartcards, digital certificates, advanced firewalls, and so on. It's all good, but nowhere near as high a priority as the top two.