USB sticks – easy to plug in, easy to lose, and easy to load with viruses or malicious code. They are not regarded as a safe or reliable way to share sensitive information in enterprise as their convenience is very much trumped by the risks they pose.
So if you saw a random USB stick lying in the street, would you pick it up and plug it into your computer? IT trade association CompTIA wanted to find out exactly that, so they commissioned a social experiment dropping 200 USB sticks in heavily trafficked public spaces in four major US cities to see what would happen.
Surprisingly, one in five people who found the USB sticks proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer, by plugging the drive into their device. Some even opened text files on the devices, clicked on unfamiliar web links or sent messages to a listed email address.
With the cybersecurity threat landscape facing companies increasingly complex, employees who practice unsafe cybersecurity habits put both themselves and their employer at risk, and this kind of risky behaviour is an IT department's worst nightmare.
In addition to the 'Mr. Robot-esk' experiment, CompTIA also surveyed 1,200 full-time U.S. employees on their technology use and cybersecurity habits. They found that 94% connect their laptop or mobile devices to public Wi-Fi hotspots, 69% of them handling work-related data over these networks.
You would think in today's security-heightened world, employees would be more aware of the dangers of exposing their corporations to obvious dangers such as random USB sticks found on the street or untrusted public Wi-Fi.
But as Todd Thibodeaux, CompTIA president and CEO explains, many are just not getting educated on the right behaviours.
'We can’t expect employees to act securely without providing them with the knowledge and resources to do so,' said Thibodeaux. 'Employees are the first line of defense, so it's imperative that organisations make it a priority to train all employees on cybersecurity best practices.'
According to the research, 45% of employees say they don't receive any form of cybersecurity training at work. Among companies that do administer cybersecurity training, 15% still rely on paper-based training manuals.
Age also seems to be a factor in cybersecurity awareness, with baby boomers, gen X and millennials each present unique security challenges and risks to organisations.
42% of Millennials have had a work device infected with a virus in the past two years, compared to 32% for all employees. 40% of Millennials are likely to pick up a USB stick found in public, compared to 22% of gen X and 9% of baby boomers.
'With the wave of new workers coming in, organisations need to take extra precaution and make sure they have effective training in place,' said Kelly Ricker, senior vice president, events and education.
'Companies cannot treat cybersecurity training as a one and done activity. It needs to be an ongoing initiative that stretches to all employees across the organisation.'