CompTIA: Cybersecurity Ignorance Can Be Deadly for Companies
Here’s a real Halloween horror story to keep you up at night: A new study from CompTIA found that even IT employees with the know-how to protect themselves against cyberattacks still exhibit the sloppy behaviors that often compromise sensitive corporate data.
According to CompTIA’s latest research paper, “Cyber Secure: The State of Employee Cybersecurity in 2015,” American employees exhibit some extremely poor habits when it comes to protecting both their personal information and their employer’s information, due in part to lack of training, awareness or understanding of the implications.
Out of the 1,200 full-time U.S. employees surveyed for the online study, 63 percent of employees admitted to using their work mobile devices for personal activities, while 94 percent said they connect their laptop and mobile devices to public Wi-Fi networks. Additionally, 49 percent of employees have at least 10 logins, but only 34 percent have at least 10 unique logins. Finally, 45 percent of respondents said they receive no cybersecurity training from their employers.
This year, CompTIA decided to infuse a real-world experiment into their study to determine consumer behavior and their ability to protect themselves from threats. From August to October, the company dropped 200 unmarked USB sticks in public locations around several major U.S. cities to see how many people would insert the drive into their devices. CompTIA programmed text files prompting the user to email a specific address or click through a traceable link to measure the number of people who found and used the sticks.
Of the 200 sticks anonymously dropped, 17 percent were picked up and used: the finder opened the text file and either followed the link or emailed the listed address, according to CompTIA. Surprisingly, several of the emails asked whether the stick contained a virus, showing that users were willing to jeopardize their devices even after recognizing the potential risk. While the devices themselves were harmless, the experiment proves widespread changes must be made if the general public is to understand the importance of cybersecurity.
“We can’t expect employees to act securely without providing them with the knowledge and resources to do so,” said Todd Thibodeaux, president and CEO, CompTIA, in a statement. “Employees are the first line of defense, so it’s imperative that organizations make it a priority to train all employees on cybersecurity best practices.”
In general, CompTIA found millennial employees posed the largest threat to corporate security, with 40 percent of millennials responding that they would pick up a USB stick found in public, compared to 20 percent of Gen X employees and 9 percent of Baby Boomers. Millennials are also the most likely to have had a work device infected with a virus in the past two years and are more likely to use USB storage, despite a superior knowledge of security and technology as a whole.
“With the wave of new workers coming in, organizations need to take extra precaution and make sure they have effective training in place,” said Kelly Ricker, senior vice president of Events and Education at CompTIA. “Companies cannot treat cybersecurity training as a one-and-done activity. It needs to be an ongoing initiative that stretches to all employees across the organization.”
The study highlights the ongoing importance of corporate cybersecurity training and the need to instill both security knowledge and good security habits in employees. Most companies utilize a mixture of online training and in-person group workshops to educate employees, but 15 percent of respondents said they continue to receive paper-based training manuals for security education.
CompTIA has a number of courses and certifications on cybersecurity for members, but there are plenty of other ways to help employees understand the need for strong security measures. While online modules and in-person workshops are the most prevalent means of education, companies that wish to truly protect their information should institute a customized cybersecurity training program to fit the needs of their employees.