Put That Thumb Drive Down! You Don't Know Where It Has Been

You walk outside and see a thumb drive on the ground. Do you:

1. Pick it up and plug it into your computer.  
2. Toss it into the trash.

The right answer isn’t A, but two experiments revealed that many people who found a portable storage device did exactly that: They inserted the thumb drive, also known as a flash drive or a USB stick, into their computer’s USB port.

In one case, a drive was connected within 6 minutes of being picked up.

The two experiments were conducted separately late last year by researchers at the University of Illinois, who dropped 297 flash drives throughout the school’s Urbana-Champaign campus, and by CompTIA, an IT industry association, which dropped 200 flash drives in four cities.

With the rise in cybercrime in 2016—including the rapid spread of malware and ransomware—experts say it is imperative that HR professionals make sure employees are trained in good computer security habits.

Picking up a random flash drive and plugging it in is not one of them.

However, “we can’t expect employees to act securely without providing them with the knowledge and resources to do so,” said Todd Thibodeaux, president and CEO of CompTIA, based in Downers Grove, Illinois.

“Employees are the first line of defense, so it’s imperative that organizations make it a priority to train all employees on cybersecurity best practices.”

Cybercrime Expected to Rise

A study by U.K.-based Juniper Research titled The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation 2015-2020 revealed that cybercrime will become a $2.1 trillion crisis worldwide by 2019.

In the University of Illinois study, researchers found that more than 45 percent of people picked up the drives and plugged them into their computers.

In the CompTIA experiment, which was done as part of a larger cybersecurity study, nearly 1 in 5 people who found the unbranded USB sticks scattered across public locations in Chicago, Cleveland, San Francisco and Washington, D.C., picked the drives up and plugged them into their computers.

“Users then proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links or sending messages to a listed e-mail address,” CompTIA stated in a release.

“These actions may seem innocuous, but each has the potential to open the door to the very real threat of becoming the victim of a hacker or a cybercriminal,” Thibodeaux said.

That’s something Gabriel Acevedo learned firsthand.

“I did it once, and I’ll never do it again,” Acevedo told SHRM Online. Acevedo, who lives in Dumas, Texas, and works for a refinery, said he found a flash drive in “one of those sitting areas in the mall. So I thought I would take it home and be nosy and see what was on it.” He was hesitant at first, but his curiosity “finally got to me. I put it in and instead of finding interesting pictures or anything at all, I ended up getting a computer virus, which pretty much shut down my computer.” He had to buy a new computer as a result.

“Unfortunately … curiosity takes over because people are people,” Robin Alden, chief technical officer of Clifton, N.J.-based Comodo, a global cybersecurity innovator, told SHRM Online. “Many don’t even think twice about plugging thumb drives in because, well, that’s what they’re for. In an ideal world, employees would hand them in to their IT directors for secure destruction, but that’s never going to happen.”

In CompTIA’s study of 1,200 full-time U.S. workers, 45 percent said they have not received any form of cybersecurity training at work. Of those companies that did provide cybersecurity training, 15 percent relied on paper-based training manuals.

That survey, Cyber Secure: A Look at Employee Cybersecurity Habits in the Workplace, examined security habits, technology use and the level of cybersecurity awareness of workers.

Age factors into cybersecurity awareness, the survey found. Baby Boomers, members of Generation X and Millennials each present unique security challenges and risks to organizations, CompTIA reported. “Forty-two percent of Millennials have had a work device infected with a virus in the past two years, compared to 32 percent for all employees. Forty percent of Millennials are likely to pick up a USB stick found in public, compared to 22 percent of Gen X and nine percent of Baby Boomers,” according to the study.

“With the wave of new workers coming in, organizations need to take extra precautions and make sure they have effective training in place,” said Kelly Ricker, senior vice president of events and education at CompTIA. “Companies cannot treat cybersecurity training as a one-and-done activity. It needs to be an ongoing initiative that stretches to all employees across the organization.”

Steven Ostrowski, CompTIA’s director of corporate communications, told SHRM Online that an organization’s policy governing employee behavior is important, but “the best security technology products and the most comprehensive policies and processes won’t work without appropriate human action and intervention. The person using the PC, laptop, tablet or smartphone is the weakest link in an organization’s security defense”—especially as the workforce as a whole becomes more dependent on smart devices.

“The mobile workforce is a boon to business agility, customer engagement and employee productivity. But it’s also created a cybersecurity nightmare,” Ostrowski added.

“Every device that employees use to conduct business—smartphones and smartwatches, tablets and laptops—is a potential security vulnerability.”