If your employees found a USB stick on the ground while out during their lunch break, would they plug it into their work computer? Almost certainly, at least some of them would. It seems like a fairly innocuous thing to do, after all. But a simple act like that could be the start of an epic breach of your company's data.
If this scene sounds familiar, then you might have seen the episode of the hit TV show Mr. Robot where a hacker drops USB drives infected with malware near a prison so a guard will initiate an attack by picking one up and plugging it into a prison computer.
In a recent social experiment that recreated this scenario, nearly one in five people who found a random USB stick in a public setting plugged it into their work computer, exposing the company to cybersecurity risks. Commissioned by IT industry association CompTIA, the experiment involved researchers dropping 200 USB sticks in "heavily trafficked public spaces" in Chicago, Cleveland, San Francisco, and Washington, D.C.
The results were just one element of CompTIA's white paper, Cyber Secure: a Look at Employee Cybersecurity Habits in the Workplace, which paints a scary picture for network security. See below to find out what other actions are potentially exposing your company to a cyberattack.
1. Use of public Wi-Fi
CompTIA's survey of 1,200 full-time U.S. workers found 94 percent "regularly connect their laptop or mobile devices to public Wi-Fi networks," with 69 percent of those handling work-related data while on a public connection. Surfing public Wi-Fi also seems innocent, but cybercriminals hang out on public signals to try to steal data and gain access to unsecured devices.
2. Blending personal and business accounts
About 38 percent of employees said they reuse work passwords for personal accounts. Another 36 percent use their work email address for personal use, and 63 percent use their company mobile device for personal activities. The blurring of accounts and security protocols increases the risk of breaches, because many employees use weak passwords.
3. Lack of security training
Almost half of employees surveyed said they receive no cybersecurity training from their employers. Even basic security tools like two-factor authentication are not being used. And while it might not sound like a lot, 37 percent of employees only change their work passwords annually or sporadically. All a hacker needs is one small entry point--an employee's account with a simple password that is rarely changed.
"These actions may seem innocuous, but each has the potential to open the door to the very real threat of becoming the victim of a hacker or a cybercriminal," Todd Thibodeaux, president and CEO of CompTIA, said in a statement.