You may be a cybersecurity risk to your employer, and not even know it: CompTIA report


If you found a USB stick lying on a sidewalk in downtown Cleveland, would you pick it up and plug it into the computer at work? In a recent experiment, nearly a fifth of the people finding USB sticks in Cleveland, and some other U.S. cities, did just that. Their actions potentially risked cybersecurity in the workplace.

(Associated Press file photo)

CLEVELAND, Ohio -- They dropped the USB sticks around downtown, then waited to see who would take the bait.

Many did. However, those picking up the portable data storage devices weren't caught by an observer tucked away nearby. Their cyberspace observers were perhaps even hundreds of miles away noticing when those USB sticks were plugged into laptops and desktop computers -- usually at the office. Those who picked up and used these random USBs should have known their actions could have potentially introduced a virus into their company's IT network.

The Computing Technology Industry Association, or CompTIA, conducted the experiment to show how easily cybersecurity could be compromised in the workplace. Between August and October, the trade association dropped 200 USB sticks in high-traffic public spaces - including those in downtown business districts and at airports - here in Cleveland as well as in Chicago, San Francisco and Washington, D.C. Seventeen percent of the USB sticks that were dropped were eventually plugged into computers or other devices.

"Virtually one in five people plugged in USB sticks, which could have been housing any kind of nefarious code, malicious code or program," said Todd Thibodeaux, CompTIA's president and CEO. "Sticking a USB device in your computer, when you don't know where it came from, is one of the worst things you could do. Once you put that into a device, it could start to do all kinds of things that you have no idea are happening."

There were more than viruses to be concerned about, Thibodeaux said. Now, with access to a company's network, a person of ill intention could send out company files with confidential data.

The USB stick experiment, whose drop locations included the Cleveland Convention Center, was done in conjunction with a CompTIA survey of 1,200 full-time workers throughout the United States who use computers on the job. They were asked about regular technology use, cybersecurity awareness and security habits. The trade association recently released the survey findings and experiment results as a report, "Cyber Secure: A Look at Employee Cybersecurity Habits in the Workplace."

The survey was based on workers' perceptions. Was there a way to measure their actions?

"If people had the opportunity to do the wrong thing, how often would they do it?" Thibodeaux said, adding that was how the idea of the experiment was born.

Once workers plugged in the USB sticks, a request for them to submit information popped up on their computer screens. Most employees responded to these requests.

"Virtually everybody who plugged it in gave us information," Thibodeaux said. "They didn't even know who was requesting it. Not only were they plugging in, but they were taking actions to expose themselves (to cybersecurity risks)."

The experiment's results offered insight into the survey's findings that USB sticks tended not to be "handled with enough care" in the workplace. For example, 22 percent of respondents said they would hypothetically pick up a USB stick they found in public. Of that group, 84 percent said they would plug the USB into one of their own devices.

His theory as to why people would engage in such risky behavior?

"Curiosity," Thibodeaux said.

The study also found:

  • Fifty-eight percent of employees rely on USB-based storage drives to transfer files across devices.
  • Thirty-five percent have borrowed another person's USB stick to copy or transfer a file.
  • Millennials are the most likely of any generation in the workplace to pick up a USB storage device found in public. Forty percent of them would pick one up, contrasted with 22 percent of Gen-Xers and 9 percent of Baby Boomers.

The study's release was timed to coincide with the nonprofit organization's launch of CyberSecure, a cybersecurity training product, Thibodeaux said. For example, the study found that 45 percent of employees receive no cybersecurity training from their employers.

He said issues of cybersecurity have become more prevalent in recent years. There aren't only issues, such as those surrounding USB sticks, but new ones that have come with the widespread use of mobile devices.

"There has been a real sea change in the last five years of bringing your own device to work, and the willingness of corporations to open up their networks to non-corporate devices," he said. "In effect, I think that corporate America's cybersecurity has gotten a little more lax in the last few years by opening up these devices to their networks."

But Thibodeaux said companies are reluctant to scale back on the use of mobile devices. The increased use of laptops, tablets and other mobile devices has often been accompanied by productivity gains. For example, mobile devices have made it easier for employees to take work home or for managers to be in touch after traditional working hours.

The online survey, done by The Blackstone Group, was conducted Sept. 10-16. It has a margin of error of plus or minus three percent.

In addition to 45 percent of employees receiving no cybersecurity training, the survey's other key findings are:

  • 63 percent of employees use their work mobile devices for personal activities.
  • 94 percent of employees connect their laptop/mobile devices to public Wi-Fi networks.
  • 49 percent of employees have at least 10 logins, but only 34 percent have at least 10 unique logins.
