
Security Is As Security Does

By - Source: Tom's IT Pro

When CompTIA scattered 200 unbranded flash drives around high-traffic public locations in Chicago, Cleveland, San Francisco and Washington DC, passers-by picked up and inserted those drives into a device of some kind about one time out of five.

Based on observation of their subsequent behavior — opening files, clicking on Web links, and sending messages to an email address included in those drives’ contents — those people showed themselves uncommonly disposed to put themselves at risk.

Given that viruses can be — and in the case of Stuxnet, among other forms of malware, have been — spread through insertion of infected USB drives, this behavior shows either a fundamental disregard of the risks involved, or a woeful level of security awareness (namely, that such risks exist and could potentially strike the users themselves or their employers, should they “try the drive out” on a company device, or while at work). The results of CompTIA’s commissioned survey are reported in an October 26, 2015 press release entitled “Find a flash drive, pick it up: experiment shows how lack of cybersecurity knowledge can impact organizations.” In commenting on the results of this survey, CompTIA President and CEO Todd Thibodeaux remarked that “Employees are the first line of defense so it’s imperative to make it a priority to train all employees on cybersecurity best practices.” No kidding!

Other results from this same survey are also worthy of chewing over, and potentially worrying about, and include the following items, some of them eye-popping:

  • 94% of employees regularly connect their laptop or mobile devices to public Wi-Fi networks, and of those employees, 69% handle work-related data using such connections. [Best practice: never use a public network of any kind, except if protected by a secure, encrypted Virtual Private Network. Even so, some organizations forbid all such network access categorically.]
  • Employees often repurpose passwords: 36% of survey respondents admitted to repurposing work passwords for private or personal uses. [Best practice: always keep work and personal or private credentials separate and distinct, always apply strong password principles, preferably in the context of multi-factor authentication.]
  • 63% of employees use their work mobile device for personal stuff. [Best practice: Keep work and personal life separate and disjoint: use work devices only for work stuff, and personal devices only for personal stuff.]
  • Millennials appear to be more prone to lax security than either Baby Boomers or GenX. Millennials showed themselves to be hacked more often (27% had PII hacked or stolen within the past 24 months, as compared to 19% of other employees; 42% of millennials had a work device infected with malware in the past 24 months, versus 32% for all employees; 40% of millennials were likely to pick up a USB stick in public, compared to 22% for GenX and 9% for Baby Boomers).
  • Nearly half (41%) of all employees don’t know what two-factor authentication is, or how to use it. [Best practice: two-factor authentication usually combines something you have (e.g. a security token, a cell phone, biometric data) with something you know (account and password information) to provide strong proofs of identity and strong access controls.]
  • Just over one-third (37%) of employees change their work passwords annually or sporadically, rather than at regular intervals. [Best practice: the organization establishes and enforces regular password changes, and keeps track of up to ten recent passwords to prevent their rapid recycling and reuse.]
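To make the two-factor item above concrete, here is an added example (not code from the article or from CompTIA) of how a login check combines "something you know" with "something you have": the password is verified against a salted PBKDF2 hash, and the one-time code is verified as an RFC 6238 TOTP value, the scheme behind most phone authenticator apps. The `SAMPLE_SECRET` is the reference secret from RFC 6238 so the output can be checked against the published test vectors; the PBKDF2 iteration count, the 16-byte salt and the `login` record layout are assumptions chosen for the example.

```python
"""Two-factor login check: something you know (password) + something you have (TOTP device).
Added example; the record layout and PBKDF2 parameters are assumptions, not any product's API."""
import hashlib
import hmac
import os
import struct
import time

# Constructed sample secret: the RFC 6238 reference secret, so the codes below
# can be compared with the RFC 4226 / RFC 6238 test vectors.
SAMPLE_SECRET = b"12345678901234567890"
PBKDF2_ITERATIONS = 200_000  # assumption for the example; raise for production
TIME_STEP = 30               # seconds per TOTP step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def match_totp(secret: bytes, code: str, for_time, step: int = TIME_STEP,
               digits: int = 6, window: int = 1):
    """Return the time-step counter that `code` matches (current step +/- window for clock
    drift), or None. Every candidate is compared in constant time and none is skipped early."""
    counter = int(for_time // step)
    matched = None
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = c
    return matched


def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know: slow, salted password hash (never store the password itself)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password: str, salt: bytes = None, totp_secret: bytes = None) -> dict:
    """Create the stored record for a user: salted password hash plus the shared TOTP secret.
    `last_counter` remembers the most recent accepted code so it cannot be replayed."""
    salt = salt if salt is not None else os.urandom(16)
    totp_secret = totp_secret if totp_secret is not None else os.urandom(20)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_counter": -1,
    }


def login(record: dict, password: str, code: str, for_time=None) -> bool:
    """Both factors must pass. Each factor is evaluated before deciding, so a failure does not
    reveal which factor was wrong, and an accepted code's counter is stored to block reuse."""
    if for_time is None:
        for_time = time.time()
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    matched = match_totp(record["totp_secret"], code, for_time)
    code_ok = matched is not None and matched > record["last_counter"]
    if pw_ok and code_ok:
        record["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    # Constructed walk-through at Unix time 59 (RFC 6238 vector: 8-digit code 94287082).
    user = enroll("correct horse battery staple", totp_secret=SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, for_time=59)
    print("code:", code)
    print("right password + code:", login(user, "correct horse battery staple", code, for_time=59))
    print("same code replayed   :", login(user, "correct horse battery staple", code, for_time=59))
    print("wrong password       :", login(user, "hunter2", totp(SAMPLE_SECRET, for_time=89), for_time=89))
```

The drift window of one step on each side is what makes a phone whose clock is a few seconds off still work; the stored `last_counter` is what stops a code that was shoulder-surfed or phished from being accepted a second time inside that window.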

These results underscore the need for what is often called cybersecurity awareness training, which conveys best practices in cybersecurity, and often follows up with overt or covert testing to make sure employees understand what they’re learning in such training. Companies such as combine instructor-led or self-paced online training with overt and covert testing, and remediation for employees who fail such testing, to make sure that companies can cultivate the right kinds and levels of security awareness and adherence to best practices in order to keep employees (and their employers) safe from scams, infections, attacks, or outright compromise or takeover of information assets and systems.

CompTIA is right to share this potentially scary news with its member organizations and the general public. Responsible, savvy organizations will take things one step further and make sure they provide their employees with training, including in-depth coverage during the onboarding process for new hires, contractors and partners, along with ongoing retraining for all current employees, contractors and partners at regular intervals.

Ed Tittel is a Contributing Editor for Tom's IT Pro, covering Certifications. Follow him on Google+.
