Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Hey, There's a Flash Drive Just Lying on a Bench – Am I Lucky! Maybe Not

November 12, 2015

We are pretty much untrainable when it comes to security.

As Naked Security reported, here are the results of a recent study based on this premise:

"You're waiting for your train. You spot a flash drive on a bench.

Do you:

  1. Pick it up and stick it into a device?
  2. Leave no stone unturned to find the owner, opening text files stored on the drive, clicking on links, and/or sending messages to any email addresses you might find?
  3. Keep your hands off that thing and away from your devices, given that it could be infested with malware?"

That was the premise and unless you're an idiot, you pick option 3.

But in a recent CompTIA study, 17% of people chose options 1 and 2 – hey, free thumb drive! Wonder who lost it…? – and plugged them in. I think many people actually believe they are lucky to get a free thumb drive and of course, human curiosity is a powerful driver.

CompTIA salted Chicago, Cleveland, San Francisco and Washington, D.C. with 200 unbranded, rigged drives, leaving them in high-traffic, public locations to find out how many people would do something risky.

The nearly one out of five users who plugged in the drives proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links or sending messages to a listed email address.

Is it really that risky? Back in 2011, Sophos studied 50 USB keys bought at a major transit authority's Lost Property auction, finding that 66% were infected. To state the obvious, lost flash drives carry risk both to the finder and to employers. Somebody who picks up an infected drive can spread infection onto not only their own devices, but also onto their company's systems if they bring the device to work.

CompTIA also commissioned a survey of 1200 full-time workers across the US, finding that 45% say they don't receive any form of cybersecurity training at work.

Other cyberthreat findings from the study:

  • 94% regularly connect their laptop or mobile devices to public Wi-Fi networks. Of those, 69% handle work-related data while doing so.
  • 38% of employees have used their work passwords for personal use.
  • 36% use their work e-mail address for personal accounts.
  • 63% of employees use their work mobile device for personal activities.
  • 41% of employees don't know what two-factor authentication (2FA) is.
  • 37% of employees only change their work passwords annually or sporadically.

Age plays into risky behavior: the study found that 42% of Millennials have had a work device infected with a virus in the past two years, compared with 32% for all employees. What's more, 40% of Millennials are likely to pick up a USB stick found in public, compared with 22% of Gen X and 9% of Baby Boomers.

Some days, it feels pretty good to be a Boomer.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson