10/20/2015 12:45 PM
State Of Employee Security Behavior

End users still lacking situational awareness of security risks, says CompTIA report.

The danger of clueless or uneducated workers continues to weigh heavily on security professionals, but it can be difficult to quantify the problem for the powers that be when advocating for things like security awareness training or user monitoring. CompTIA took a stab at defining the problem with new research that its analysts outlined in a report released today.

The findings aren’t going to surprise security vets very much, but they do provide some solid updated statistics to help round out those slide decks targeted at line-of-business colleagues and leadership.

Most notably, CompTIA put one prevalent idea about employee carelessness with technology to the test. As part of this study it ran an experiment to check the ongoing anecdotal evidence from penetration testers and consultants that people are likely to pick up and plug in random USB drives found in public.

The association dropped 200 unbranded USB sticks in high-traffic public places and found that about 17 percent of them were picked up, plugged in, and responded to when a prompt popped up asking the finder to send an email to the study organizers. It's not a huge number, but it's statistically significant, and it doesn't count the people who likely plugged in the USB devices but didn't send the email. More significantly, among the 1,200 respondents surveyed for the report, 40 percent of Gen Y respondents said they are likely to pick up a USB storage device found in public, compared to just 9 percent of Baby Boomers.

The survey also found that fewer than half of employees voluntarily use two-factor authentication when it is made available to them. In the same vein, while 49 percent of workers have at least 10 account logins to contend with, only 34 percent have at least 10 unique username and password combinations. More worrying still, 36 percent use their work email address for personal accounts and 38 percent use work passwords for personal accounts.

What's more, in the event of a security incident like a virus or hack, only about one-third of users took the time to change all of the login credentials for their devices and accounts.

According to CompTIA, though general awareness of cybersecurity issues is growing for most people today, employees still demonstrate a fairly low level of security understanding and behavior.

“Part of this discrepancy may stem from an ‘IT shepherd’ complex,” the report explains. “With anti-virus software, firewall protection and other IT protocols installed, employees may feel that anything they do online is safe, or that if something were to happen, the technology would protect them.”

As things stand, over 45 percent of employees still report that their employers do not engage in cybersecurity training.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
AndyJonesXerox, User Rank: Apprentice, 10/21/2015 | 6:01:13 PM
Data Breaches - The Importance of Training
This is such an important topic these days. With the rise in data breaches, it's critical to ensure that employees are trained on any and all technology to prevent accidental breaches. The fact that 45% of employees are reporting a lack of training is a call for action.
– Andy Jones, Xerox, @AndyJonesXerox
Sagiss, LLC, User Rank: Strategist, 10/27/2015 | 1:39:22 PM
Re: Data Breaches - The Importance of Training
@AndyJonesXerox, I agree that employee education is of the utmost importance to every business these days, especially those that deal with confidential information that could lead to legal troubles if it were leaked due to employee negligence. It is definitely alarming that 45% of employees are reporting a lack of training, but it is also troubling that many companies view training as a one-time "set it and forget it" endeavor, leading to "trained" employees who lack sufficient security knowledge or underestimate the importance of their training.