BreachExchange mailing list archives

Find a Flash Drive, Pick it Up: Experiment Shows How Lack of Cybersecurity Knowledge Can Impact Organizations


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Mon, 26 Oct 2015 19:04:49 -0500

http://www.prnewswire.com/news-releases/find-a-flash-drive-pick-it-up-experiment-shows-how-lack-of-cybersecurity-knowledge-can-impact-organizations-300165605.html

Nearly one in five people who found a random USB stick in a public setting
proceeded to use the drive in ways that posed cybersecurity risks to their
personal devices and information and potentially, that of their employer, a
recent experiment conducted on behalf of CompTIA <https://www.comptia.org/>,
the IT industry association, revealed.

With the cybersecurity threat landscape facing companies growing
increasingly complex, employees who practice unsafe cybersecurity habits
put both themselves and their employer at risk.

"We can't expect employees to act securely without providing them with the
knowledge and resources to do so," said Todd Thibodeaux, president and CEO,
CompTIA. "Employees are the first line of defense, so it's imperative that
organizations make it a priority to train all employees on cybersecurity
best practices."

Yet according to a CompTIA-commissioned survey of 1,200 full-time workers
across the U.S., 45 percent say they do not receive any form of
cybersecurity training at work. Among companies that do administer
cybersecurity training, 15 percent still rely on paper-based training
manuals.

The survey and corresponding whitepaper, *Cyber Secure: A Look at Employee
Cybersecurity Habits in the Workplace*
<https://www.comptia.org/resources/cyber-secure-a-look-at-employee-cybersecurity-habits-in-the-workplace>,
examines technology use, security habits and the level of cybersecurity
awareness of workers.

Along with the survey, CompTIA commissioned a social experiment to observe
first-hand cybersecurity habits.

In the experiment, 200 unbranded USB flash drives were left in
high-traffic, public locations in Chicago, Cleveland, San Francisco and
Washington, D.C. In about one in five instances, the flash drives were
picked up and plugged into a device. Users then proceeded to engage in
several potentially risky behaviors: opening text files, clicking on
unfamiliar web links or sending messages to a listed email address.

"These actions may seem innocuous, but each has the potential to open the
door to the very real threat of becoming the victim of a hacker or a
cybercriminal," Thibodeaux noted.

Adding to the potential cyber threat, the survey found that 94 percent of
full-time employees regularly connect their laptop or mobile devices to
public Wi-Fi networks, and of those, 69 percent handle work-related data
while doing so.

Employees also practice poor password protection, as 38 percent of
employees have repurposed work passwords for personal purposes.

Further, 36 percent of employees use their work email address for personal
accounts, while 38 percent use work passwords for personal accounts. This
generates more points of exposure for organizations, and can be difficult
to address without better training to spur behavioral changes.

Additional highlights from the survey include:

   - 63 percent of employees use their work mobile device for personal
   activities.
   - 27 percent of Millennials have had their personally identifiable
   information hacked within the past two years, compared to 19 percent of all
   employees.
   - 41 percent of employees do not know what two-factor authentication is.
   - 37 percent of employees only change their work passwords annually or
   sporadically.

Age also factors into cybersecurity awareness; Baby Boomers, Gen X and
Millennials each present unique security challenges and risks to
organizations. Forty-two percent of Millennials have had a work device
infected with a virus in the past two years, compared to 32 percent for all
employees. Forty percent of Millennials are likely to pick up a USB stick
found in public, compared to 22 percent of Gen X and nine percent of Baby
Boomers.

"With the wave of new workers coming in, organizations need to take extra
precautions and make sure they have effective training in place," said Kelly
Ricker, senior vice president, events and education, CompTIA. "Companies
cannot treat cybersecurity training as a one-and-done activity. It needs to
be an ongoing initiative that stretches to all employees across the
organization."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/