State Of Employee Security Behavior

The danger of clueless or uneducated workers continues to weigh heavily on security professionals, but sometimes it can be difficult to enumerate the problem to the powers that be when advocating for things like security awareness training or user monitoring. CompTIA took a stab at defining the problem with new research that its analysts outlined in a report released today. 

The findings aren’t going to surprise security vets very much, but they do provide some solid updated statistics to help round out those slide decks targeted at line-of-business colleagues and leadership.

Most notable in the report, CompTIA put to the test one prevalent idea of employee carelessness with technology. In connection with this study it did an experiment to test the on-going anecdotal evidence from penetration testers and consultants that people are likely to pick up and plug in random USB drives found in public.

The association dropped 200 unbranded USB sticks in high traffic public places and found that about 17 percent of them were picked up, plugged in, and responded to when a request popped up asking for the recipient to send an email to study organizers. It’s not a huge number, but it’s statistically significant and doesn’t include a likely number of people who did plug in the USB devices but didn’t send the email. More significantly, the study found that among 1,200 respondents surveyed for the report 40 percent of Gen Y respondents are likely to pick up a USB storage device found in public, compared to just 9 percent of Baby Boomers.

The survey also found that fewer than half of employees voluntarily use two-factor authentication when it is made available to them. In the same vein, while 49 percent of workers have at least 10 account logins to contend with in their life, only 34 percent have at least 10 unique username and password combinations. Even more scary, 36 percent use their work email address for personal accounts and 38 percent use work passwords for personal accounts. 

What’s more is in the event of a security incident like a virus or hack, only about one-third of users took the time to change all of the login credentials for their devices and accounts.

According to CompTIA, though visibility for cybersecurity issues is growing at a general level for most people today, employees are still demonstrating a pretty low level of security understanding and behavior.

“Part of this discrepancy may stem from an “IT shepherd” complex,” the report explains. “With anti-virus software, firewall protection and other IT protocols installed, employees may feel that anything they do online is safe, or that if something were to happen, the technology would protect them.”

As things stand, over 45 percent of employees still report that their employers do not engage in cybersecurity training.