Tech

Find a flash drive, pick it up: Study highlights poor city security habits

When hundreds of USB sticks are abandoned around town, you'd be surprised at what people decide to do with them.

Written by Charlie Osborne, Contributing Writer Oct. 28, 2015 at 4:14 a.m. PT

Nearly one in five people would give in to curiosity and plug abandoned USB drives into their systems, placing their personal security at risk.

Research conducted by technology certificate provider CompTIA tracking the everyday security practices of people found that the basics of protecting privacy and data are sadly lacking. In a social experiment, the team dumped 200 USB flash storage drives around high-traffic, public locations in Chicago, Cleveland, San Francisco and Washington, D.C. to see if anyone would pick them up.

In total, 17 percent -- nearly one in five people -- plugged them into their devices. After connecting the abandoned flash drives, people engaged in "risky behaviors" including opening text files, clicking on suspicious links and sending messages to listed email addresses without much thought in what surprises the USB drive could harbor.

"These actions may seem innocuous, but each has the potential to open the door to the very real threat of becoming the victim of a hacker or a cybercriminal," Todd Thibodeaux, president and CEO of CompTIA said.

Featured

With the cybersecurity threat landscape facing companies increasingly complex, employees engage in unsafe cybersecurity habits put both themselves and their employer at risk.

The rise of bring-your-own-device (BYOD) policies may give companies the chance to move investment into work devices from the accounts department to the employee, but when corporate data is handled on these devices, the business' security is being placed into the hands of staff -- who may or may not be savvy when it comes to security.

Out of the individuals who decided picking up a random flash drive and plugging it in was acceptable, it only takes one -- and a USB loaded with malware -- to infect a device and potentially be granted an entry point into any other services the user is connecting to -- such as corporate applications.

Interestingly, the millennial generation which has grown up with technology was recorded as more likely to pick up a USB stick found in public compared to Gen X and Baby Boomers.

In addition to the USB study, CompTIA commissioned a survey of 1,200 workers across the United States to ascertain how much investment businesses are putting into cybersecurity education. The survey revealed that 45 percent of employees said they did not receive any firm of security training at work, and out of those that do, 15 percent rely on paper-based manuals.

In total, 63 percent of employees use their work devices for personal pursuits, 41 percent did not know what two-factor authentication is -- the use of codes or separate devices to better protect an account -- and 37 percent of employees rarely change their work passwords.

Considering that people are still not putting basic security principles into practice, coupled with a lack of cybersecurity-based training, businesses are also being placed at risk. It isn't possible to avoid every risk and digital threat targeting a company these days, but investing in basic security training can help mitigate these problems.

Lesson one: do not connect flash drives to your system unless you know exactly where it has been and what is on the USB.

"We can't expect employees to act securely without providing them with the knowledge and resources to do so," said Thibodeaux. "Employees are the first line of defense, so it's imperative that organizations make it a priority to train all employees on cybersecurity best practices."