Beginning in August, CompTIA (the Computing Technology Industry Association) arranged for 200 unbranded USB sticks to be dropped in public places in cities across the United States. Over the following weeks, 17 percent of the consumers who found one plugged it into their own device.
This USB Drop Experiment, meant to highlight poor security practices, is part of CompTIA’s latest “Cyber Secure: A Look at Employee Cybersecurity Habits in the Workplace” study, which is predominantly based on an online survey of 1,200 full-time U.S. employees.
In an email exchange on Tuesday, Todd Thibodeaux, president and CEO of CompTIA, told SCMagazine.com he was surprised that 17 percent of the people who found a random USB stick plugged it into their own device and interacted with the files on it.
“This shows that people are not aware of the potential risks of such behavior,” Thibodeaux said, later adding, “Given that malware including viruses, trojan horses and other types of code can be released by such a method, we felt it was important to highlight that these behaviors still exist – and people need to be better educated to the risks.”
For Thibodeaux, this lack of awareness could be a side effect of employees not receiving the right type of security training. According to the study, 45 percent of employees receive no security training from their employers.
A comprehensive organizational approach to security should encompass policies that define corporate security guidelines, processes to maintain security integrity, products to assist in monitoring and protection, and people who are trained to be more cyber-aware and responsible, Thibodeaux said.
The study treats regularly changing passwords as an example of a good security practice: 37 percent of respondents said they change their work passwords only annually or sporadically, and 54 percent said the same of their personal passwords. (Later guidance, notably NIST SP 800-63B, discourages forced periodic rotation and instead calls for changing a password when there is evidence it has been compromised.)
“Another rule of thumb is to never mix work and personal logins,” Thibodeaux said. “The study found that 38 percent of workers use work passwords for personal accounts, but this generates more points of exposure for organizations, and can be difficult to address without better training to spur behavioral changes.”
Employees are engaging in other risky behaviors, as well, such as using employer-issued technology for personal reasons – 63 percent said they use their work device for activities that include online banking, social media and shopping. They are also connecting to public Wi-Fi.
According to the study, 94 percent of employees connect their laptops or mobile devices to public Wi-Fi networks, and 69 percent of that group handles work-related data – including checking emails and accessing documents – while connected to public Wi-Fi networks.
The big takeaway from the study, Thibodeaux said, is that everyone must be educated and prepared.
“Without any form of training, employees are more likely to put themselves and their employers at higher risk,” Thibodeaux said. “Our hope is that these numbers will be a wake-up call for both employees and employers to improve their cybersecurity behaviors.”