My kin told me that his company did well in almost all the typical areas: firewalls, physical access to datacenters, change control, OS/application patching, etc. However, they failed miserably overall because of employees.
One test that 90% of employees failed was the "free flash drive" test. The test involves dropping USB flash drives in the parking lot (or giving them away as a promotion somewhere). Software on the drive launches, does some scans, then sends PC/network data to the 'hacking' company. 9 out of 10 people picked up the drives, brought them inside the building, and plugged them into their work PCs. Ouch.
Very creative... there's another office, a rather large one, that fell for a similar scam... what was it called...? Oh yeah, the Pentagon.
One company I worked for had allowed end users to install AOL on their work computers.
Eventually, I won the battle and got that crap removed. I also removed the ability to install software in the process.
The complaints I received when I instituted a password policy that required regular password changes were unreal.