A recent study found that almost one in five people who found a lost USB stick in public used it in ways that posed cyber security risks to their personal devices, and potentially to their employers.
The research, commissioned by CompTIA and conducted by the Blackstone Group, included a survey of 1,200 full-time U.S. employees as well as a social experiment in which 200 USB flash drives were left in public locations in Chicago, Cleveland, San Francisco and Washington, D.C.
The survey found that 63 percent of employees use their work mobile device for personal activities. Fully 94 percent connect their laptops/mobiles to public Wi-Fi networks, and 69 percent of those handle work-related data while doing so.
Top activities performed on public Wi-Fi include surfing the Web (82 percent), checking work email (78.5 percent), using social media (70 percent), accessing work documents (60 percent), and online banking (45 percent).
Strikingly, 45 percent of employees receive no cyber security training at all from their employers.
“We can’t expect employees to act securely without providing them with the knowledge and resources to do so,” CompTIA president and CEO Todd Thibodeaux said in a statement. “Employees are the first line of defense, so it’s imperative that organizations make it a priority to train all employees on cyber security best practices.”
“Companies cannot treat cyber security training as a one-and-done activity,” CompTIA senior vice president for events and education Kelly Ricker added. “It needs to be an ongoing initiative that stretches to all employees across the organization.”
In the event of a breach, the survey found, 35 percent of respondents would change all of their device and account login credentials, while 20 percent would only change the login credentials for the affected device or account. One third of respondents said they would contact their corporate IT department or helpdesk, and four percent would contact the police.
Fewer than half of respondents use two-factor authentication, and 41 percent have never heard of it. Twenty-seven percent have heard the phrase, but don’t understand the concept.
In the social experiment, the USB sticks, which were left in high-traffic locations such as airports, coffee shops and public squares, held text files prompting those who accessed them to email a specific address or click on a trackable link.
Over a period of a few weeks, 17 percent of the drives were picked up by people who plugged them into their personal or work devices and either clicked on the link or sent the requested email.
“Notably, consumers’ technology literacy was not a determining factor for whether a USB stick was picked up or not,” the report notes. “At the San Francisco International Airport, for instance, a number of IT industry workers found and plugged in the sticks. In fact, a security office located within a multinational corporation’s office building also found a stick and emailed the alias address.”
The findings of the social experiment matched those of the survey — 22 percent of survey respondents said they would pick up a USB stick they found in public, and 84 percent of those respondents said they would plug the drive into one of their own devices.
“Over the last decade, cyber security evolved from a niche concept monitored primarily by governments and corporate IT managers into a mainstream issue commanding above-the-fold headlines and consumer attention,” the report states. “Despite this growing visibility, most employees still demonstrate a lower level of cyber security understanding and behavior, both in regards to protecting their devices and their personal information.”