
10/20/2015
12:45 PM

State Of Employee Security Behavior

End users still lacking situational awareness of security risks, says CompTIA report.

The danger of clueless or uneducated workers continues to weigh heavily on security professionals, but sometimes it can be difficult to enumerate the problem to the powers that be when advocating for things like security awareness training or user monitoring. CompTIA took a stab at defining the problem with new research that its analysts outlined in a report released today. 

The findings aren’t going to surprise security vets very much, but they do provide some solid updated statistics to help round out those slide decks targeted at line-of-business colleagues and leadership.

Most notably, CompTIA put to the test one prevalent idea about employee carelessness with technology. In connection with the study, it ran an experiment to test the ongoing anecdotal evidence from penetration testers and consultants that people are likely to pick up and plug in random USB drives found in public.

The association dropped 200 unbranded USB sticks in high-traffic public places and found that about 17 percent of them were picked up and plugged in, with the finder responding to a pop-up request to send an email to the study organizers. It’s not a huge number, but it’s statistically significant and doesn’t include a likely number of people who did plug in the USB devices but didn’t send the email. More significantly, the study found that among the 1,200 respondents surveyed for the report, 40 percent of Gen Y respondents are likely to pick up a USB storage device found in public, compared to just 9 percent of Baby Boomers.

The survey also found that fewer than half of employees voluntarily use two-factor authentication when it is made available to them. In the same vein, while 49 percent of workers have at least 10 account logins to contend with in their life, only 34 percent have at least 10 unique username and password combinations. Even scarier, 36 percent use their work email address for personal accounts and 38 percent use work passwords for personal accounts.

What’s more, in the event of a security incident like a virus or hack, only about one-third of users took the time to change all of the login credentials for their devices and accounts.

According to CompTIA, though visibility for cybersecurity issues is growing at a general level for most people today, employees are still demonstrating a pretty low level of security understanding and behavior.

“Part of this discrepancy may stem from an ‘IT shepherd’ complex,” the report explains. “With anti-virus software, firewall protection and other IT protocols installed, employees may feel that anything they do online is safe, or that if something were to happen, the technology would protect them.”

As things stand, over 45 percent of employees still report that their employers do not engage in cybersecurity training.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
 

Comments
AndyJonesXerox,
User Rank: Apprentice
10/21/2015 | 6:01:13 PM
Data Breaches - The Importance of Training
This is such an important topic these days. With the rise in data breaches, it's critical to ensure that employees are trained on any and all technology to prevent accidental breaches. The fact that 45% of employees are reporting a lack of training is a call for action.
– Andy Jones, Xerox, @AndyJonesXerox
Sagiss, LLC,
User Rank: Strategist
10/27/2015 | 1:39:22 PM
Re: Data Breaches - The Importance of Training
@AndyJonesXerox, I agree that employee education is of the utmost importance to every business these days, especially those that deal with confidential information that could lead to legal troubles if it were leaked due to employee negligence. It is definitely alarming that 45% of employees are reporting a lack of training, but it is also troubling that many companies view training as a one-time "set it and forget it" endeavor, leading to "trained" employees who lack sufficient security knowledge or underestimate the importance of their training.