Here's what happens when you drop 200 USB sticks in public

It would be logical to assume that people know the risks around cybersecurity. A recent experiment challenges that assumption.


I have many friends involved in IT security and they always tend to be the butt of my jokes. I'm a pretty relaxed guy and my security friends all strike me as eternal pessimists and conspiracy theorists who believe that at every turn there is someone out to mess with their data. I've always figured that the vast majority of my data is pretty boring so, outside of bank or identity fraud, there is little real harm that could come of any threat, low as it is.

The reality is different, however, for large corporations. Their data is often their most precious IP and they go to great lengths to protect it from prying eyes; a recent experiment and corresponding survey by IT industry association CompTIA shows just how much of a challenge IT security folks have.

CompTIA commissioned a social experiment whereby they dropped 200 USB sticks in heavily trafficked public spaces across four major cities -- Chicago, Cleveland, San Francisco and Washington, D.C. In roughly one out of every five instances, the flash drives were picked up and plugged into a device. Users then proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links, or sending messages to a listed email address.

I'd have thought that most people would have realized that USB keys are an awesome vector of attack and that, like used tissues and toothbrushes, it's best to steer clear of them. But it would seem not.

Alongside this experiment, the association also surveyed 1,200 full-time U.S. employees on their technology use and cybersecurity habits. Some insightful, and scary, findings of note:

  • 27 percent of millennials have had their personally identifiable information hacked within the past two years compared to 19 percent of all employees
  • 94 percent of employees connect their laptop or mobile devices to public Wi-Fi networks, and of those, 69 percent handle work-related data while doing so
  • 37 percent of employees only change their work passwords annually or sporadically
  • 63 percent of employees use their work mobile device for personal activities
  • 41 percent of employees do not know what two-factor authentication is

The reality would seem to be that employees have little or no awareness of the issues related to security, perhaps not surprising given that the survey found that 45 percent of employees receive no cybersecurity training from their employers, despite 52 percent of security breaches resulting from human error. Perhaps the time has come to invest a little less in being the cybersecurity ambulance at the bottom of the cliff, and a little more in training to reduce the risk and effectiveness of attacks?

"We can't expect employees to act securely without providing them with the knowledge and resources to do so," said Todd Thibodeaux, president and CEO of CompTIA. "Employees are the first line of defense, so it's imperative that organizations make it a priority to train all employees on cyber security best practices."

Maybe my security friends are justified in having a little bit of paranoia. I might just have to stop making all those jokes about them...

Ben Kepes covers how technology helps business compete.

Copyright © 2016 IDG Communications, Inc.