As part of a recent CompTIA research report, Cyber Secure: A Look at Employee Cybersecurity Habits in the Workplace, the Downers Grove, Ill.-based IT association conducted a social experiment to observe the cybersecurity habits of the general public. The results are alarming.
In the experiment, 200 unbranded USB flash drives were left in high-traffic, public spaces such as airports, coffee shops, and business districts in Chicago, Cleveland, San Francisco, and Washington, D.C. The USB drives were preprogrammed with text files prompting anyone who plugged in the found USB sticks to email a specific address or click through a trackable link.
The results, though unsettling, were predictable, given human nature: Over the span of a few weeks, 17 percent of employees (or about 1 in 5) picked up and plugged a drive into their electronic devices. According to the report, “Consumers’ technology literacy was not a determining factor for whether a USB stick was picked up or not. At the San Francisco International Airport, for instance, a number of IT industry workers found and plugged in the sticks. In fact, a security office located within a multinational corporation’s office building also found a stick and emailed the alias address. In their emails, a handful of respondents asked if the USB had a virus on it, showing that they were willing to jeopardize their devices despite understanding the risks involved.”
In the broader cybersecurity survey, CompTIA found that 94 percent of full-time employees regularly connect their laptop or mobile devices to public Wi-Fi networks, and of those, 69 percent handle work-related data while doing so.
Employees also practice poor password protection, with 38 percent of employees reusing work passwords for personal accounts and 36 percent using their work email address for personal correspondence. “This generates more points of exposure for organizations,” notes CompTIA. Further, 49 percent of employees have at least 10 logins, but only 34 percent have unique logins.
So what’s an IT provider to do? “Organizations need to take extra precaution and make sure they have effective training in place,” explains Kelly Ricker, senior vice president, events and education, CompTIA. “Companies cannot treat cybersecurity training as a ‘one and done’ activity. It needs to be an ongoing initiative that stretches to all employees across the organization.”