Social Experiment Highlights Abysmal Security Hygiene

Between August and October 2015, 200 unbranded USB sticks, preprogrammed with text files, an alias email address and a unique, trackable link, were dropped in high-traffic public spaces such as airports, coffee shops and business districts in Chicago, Cleveland, San Francisco and Washington, D.C.

The effort was part of a social experiment on security awareness. According to a research paper from IT industry association CompTIA, dubbed Cyber Secure: The State of Employee Cybersecurity in 2015, 18% of those who picked up the USB drives plugged them into their devices, opened the text file, clicked on the unique link or emailed the listed address.

In other words, nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and, potentially, those of their employer.

Interestingly, about 40% of Millennials are likely to pick up a USB stick found in public, compared to 22% of Gen X and just 9% of Baby Boomers.

The findings from the research underscore the need for more general awareness, CompTIA noted, as well as more proactive IT security measures, and channel partners can play a big role in both areas. For example, they can help clients create annual, ongoing initiatives that provide education on evolving threats and on best practices for avoiding a cybersecurity incident, and they can help clients select the right security solutions and services to increase the security of their IT environments.

“We can’t expect employees to act securely without providing them with the knowledge and resources to do so,” said Todd Thibodeaux, president and CEO, CompTIA. “Employees are the first line of defense, so it's imperative that organizations make it a priority to train all employees on cybersecurity best practices.”

Yet according to a CompTIA-commissioned survey of 1,200 full-time workers across the US, 45% say they do not receive any form of cybersecurity training at work. Among companies that do administer cybersecurity training, 15% still rely on paper-based training manuals.

Contributing to the potential cyber-threat, the survey also found 94% of full-time employees regularly connect their laptop or mobile devices to public Wi-Fi networks; and of those, 69% handle work-related data while doing so.

“These actions may seem innocuous, but each has the potential to open the door to the very real threat of becoming the victim of a hacker or a cybercriminal,” Thibodeaux noted.

Employees also practice poor password protection, as 38% of employees have repurposed work passwords for personal purposes. Further, 36% of employees use their work email address for personal accounts. This generates more points of exposure for organizations, and can be difficult to address without better training to spur behavioral changes.

As seen in the social experiment, age also factors into cybersecurity awareness; Baby Boomers, Gen X and Millennials each present unique security challenges and risks to organizations. The survey saw that 42% of Millennials have had a work device infected with a virus in the past two years, compared to 32% for all employees. The riskiness shows: 27% of Millennials have had their personally identifiable information hacked within the past two years, compared to 19% of all employees.

“With the wave of new workers coming in, organizations need to take extra precaution and make sure they have effective training in place,” said Kelly Ricker, senior vice president, events and education at CompTIA. “Companies cannot treat cybersecurity training as a one and done activity. It needs to be an ongoing initiative that stretches to all employees across the organization.”
