10/20/2015
12:45 PM

State Of Employee Security Behavior

End users still lacking situational awareness of security risks, says CompTIA report.

The danger of clueless or uneducated workers continues to weigh heavily on security professionals, but sometimes it can be difficult to enumerate the problem to the powers that be when advocating for things like security awareness training or user monitoring. CompTIA took a stab at defining the problem with new research that its analysts outlined in a report released today. 

The findings aren’t going to surprise security vets very much, but they do provide some solid updated statistics to help round out those slide decks targeted at line-of-business colleagues and leadership.

Most notably, CompTIA put to the test one prevalent idea about employee carelessness with technology. In connection with this study, it ran an experiment to test the ongoing anecdotal evidence from penetration testers and consultants that people are likely to pick up and plug in random USB drives found in public.

The association dropped 200 unbranded USB sticks in high-traffic public places and found that about 17 percent of them were picked up and plugged in, with the finder responding to a pop-up request to send an email to study organizers. It’s not a huge number, but it’s statistically significant and doesn’t include a likely number of people who did plug in the USB devices but didn’t send the email. More significantly, the study found that among 1,200 respondents surveyed for the report, 40 percent of Gen Y respondents are likely to pick up a USB storage device found in public, compared to just 9 percent of Baby Boomers.

The survey also found that fewer than half of employees voluntarily use two-factor authentication when it is made available to them. In the same vein, while 49 percent of workers have at least 10 account logins to contend with in their life, only 34 percent have at least 10 unique username and password combinations. Even scarier, 36 percent use their work email address for personal accounts and 38 percent use work passwords for personal accounts.

What’s more, in the event of a security incident like a virus or hack, only about one-third of users took the time to change all of the login credentials for their devices and accounts.

According to CompTIA, though visibility for cybersecurity issues is growing at a general level for most people today, employees are still demonstrating a pretty low level of security understanding and behavior.

“Part of this discrepancy may stem from an ‘IT shepherd’ complex,” the report explains. “With anti-virus software, firewall protection and other IT protocols installed, employees may feel that anything they do online is safe, or that if something were to happen, the technology would protect them.”

As things stand, over 45 percent of employees still report that their employers do not engage in cybersecurity training.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Sagiss, LLC,
User Rank: Strategist
10/27/2015 | 1:39:22 PM
Re: Data Breaches - The Importance of Training
@AndyJonesXerox, I agree that employee education is of the utmost importance to every business these days, especially those that deal with confidential information that could lead to legal troubles if it were leaked due to employee negligence. It is definitely alarming that 45% of employees are reporting a lack of training, but it is also troubling that many companies view training as a one-time "set it and forget it" endeavor, leading to "trained" employees who lack sufficient security knowledge or underestimate the importance of their training.
AndyJonesXerox,
User Rank: Apprentice
10/21/2015 | 6:01:13 PM
Data Breaches - The Importance of Training
This is such an important topic these days. With the rise in data breaches, it's critical to ensure that employees are trained on any and all technology to prevent accidental breaches. The fact that 45% of employees are reporting a lack of training is a call for action.
– Andy Jones, Xerox, @AndyJonesXerox