10/20/2015
12:45 PM
State Of Employee Security Behavior

End users still lacking situational awareness of security risks, says CompTIA report.

The danger of clueless or uneducated workers continues to weigh heavily on security professionals, but it can be difficult to quantify the problem for the powers that be when advocating for things like security awareness training or user monitoring. CompTIA took a stab at defining the problem with new research that its analysts outlined in a report released today.

The findings aren’t going to surprise security vets very much, but they do provide some solid updated statistics to help round out those slide decks targeted at line-of-business colleagues and leadership.

Most notably, CompTIA put to the test one prevalent idea about employee carelessness with technology. As part of the study, it ran an experiment to check the ongoing anecdotal evidence from penetration testers and consultants that people are likely to pick up and plug in random USB drives found in public.

The association dropped 200 unbranded USB sticks in high traffic public places and found that about 17 percent of them were picked up, plugged in, and responded to when a request popped up asking for the recipient to send an email to study organizers. It’s not a huge number, but it’s statistically significant and doesn’t include a likely number of people who did plug in the USB devices but didn’t send the email. More significantly, the study found that among 1,200 respondents surveyed for the report 40 percent of Gen Y respondents are likely to pick up a USB storage device found in public, compared to just 9 percent of Baby Boomers.

The survey also found that fewer than half of employees voluntarily use two-factor authentication when it is made available to them. In the same vein, while 49 percent of workers have at least 10 account logins to contend with, only 34 percent have at least 10 unique username and password combinations. More alarming still, 36 percent use their work email address for personal accounts and 38 percent use work passwords for personal accounts.

What’s more, in the event of a security incident like a virus or hack, only about one-third of users took the time to change all of the login credentials for their devices and accounts.

According to CompTIA, though visibility for cybersecurity issues is growing at a general level for most people today, employees are still demonstrating a pretty low level of security understanding and behavior.

“Part of this discrepancy may stem from an ‘IT shepherd’ complex,” the report explains. “With anti-virus software, firewall protection and other IT protocols installed, employees may feel that anything they do online is safe, or that if something were to happen, the technology would protect them.”

As things stand, over 45 percent of employees still report that their employers do not engage in cybersecurity training.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
AndyJonesXerox
User Rank: Apprentice
10/21/2015 | 6:01:13 PM
Data Breaches - The Importance of Training
This is such an important topic these days. With the rise in data breaches, it's critical to ensure that employees are trained on any and all technology to prevent accidental breaches. The fact that 45% of employees are reporting a lack of training is a call for action.
– Andy Jones, Xerox, @AndyJonesXerox
Sagiss, LLC
User Rank: Strategist
10/27/2015 | 1:39:22 PM
Re: Data Breaches - The Importance of Training
@AndyJonesXerox, I agree that employee education is of the utmost importance to every business these days, especially those that deal with confidential information that could lead to legal troubles if it were leaked due to employee negligence. It is definitely alarming that 45% of employees are reporting a lack of training, but it is also troubling that many companies view training as a one-time "set it and forget it" endeavor, leading to "trained" employees who lack sufficient security knowledge or underestimate the importance of their training.