Organizations should tell employees to never put an unknown USB drive into their computers
You walk outside and see a thumb drive on the ground. Do you:
The right answer isn’t A, but two experiments revealed that many people who found a portable storage device did exactly that: They inserted the thumb drive, also known as a flash drive or a USB stick, into their computer’s USB port.
In one case, a drive was connected within 6 minutes of being picked up.
The two experiments were conducted separately late last year by researchers at the University of Illinois, who dropped 297 flash drives throughout the school’s Urbana-Champaign campus, and by CompTIA, an IT industry association, which dropped 200 flash drives in four cities.
With the rise in cybercrime in 2016—including the rapid spread of malware and ransomware—experts say it is imperative that HR professionals make sure employees are trained in good computer security habits.
Picking up a random flash drive and plugging it in is not one of them.
However, “we can’t expect employees to act securely without providing them with the knowledge and resources to do so,” said Todd Thibodeaux, president and CEO of CompTIA, based in Downers Grove, Illinois.
“Employees are the first line of defense, so it’s imperative that organizations make it a priority to train all employees on cybersecurity best practices.”
Cybercrime Expected to Rise
A study by U.K.-based Juniper Research titled The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation 2015-2020 revealed that cybercrime will become a $2.1 trillion crisis worldwide by 2019.
In the University of Illinois study, researchers found that more than 45 percent of people picked up the drives and plugged them into their computers.
In the CompTIA experiment, which was done as part of a larger cybersecurity study, nearly 1 in 5 people who found the unbranded USB sticks scattered across public locations in Chicago, Cleveland, San Francisco and Washington, D.C., picked the drives up and plugged them into their computers.
“Users then proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links or sending messages to a listed e-mail address,” CompTIA stated in a release.
“These actions may seem innocuous, but each has the potential to open the door to the very real threat of becoming the victim of a hacker or a cybercriminal,” Thibodeaux said.
That’s something Gabriel Acevedo learned firsthand.
“I did it once, and I’ll never do it again,” Acevedo told SHRM Online. Acevedo, who lives in Dumas, Texas, and works for a refinery, said he found a flash drive in “one of those sitting areas in the mall. So I thought I would take it home and be nosy and see what was on it.” He was hesitant at first, but his curiosity “finally got to me. I put it in and instead of finding interesting pictures or anything at all, I ended up getting a computer virus, which pretty much shut down my computer.” He had to buy a new computer as a result.
“Unfortunately … curiosity takes over because people are people,” Robin Alden, chief technical officer of Clifton, N.J.-based Comodo, a global cybersecurity innovator, told SHRM Online. “Many don’t even think twice about plugging thumb drives in because, well, that’s what they’re for. In an ideal world, employees would hand them in to their IT directors for secure destruction, but that’s never going to happen.”
In CompTIA’s study of 1,200 full-time U.S. workers, 45 percent said they have not received any form of cybersecurity training at work. Of those companies that did provide cybersecurity training, 15 percent relied on paper-based training manuals.
That survey, Cyber Secure: A Look at Employee Cybersecurity Habits in the Workplace, examined security habits, technology use and the level of cybersecurity awareness of workers.
Age factors into cybersecurity awareness, the survey found. Baby Boomers, members of Generation X and Millennials each present unique security challenges and risks to organizations, CompTIA reported. “Forty-two percent of Millennials have had a work device infected with a virus in the past two years, compared to 32 percent for all employees. Forty percent of Millennials are likely to pick up a USB stick found in public, compared to 22 percent of Gen X and nine percent of Baby Boomers,” according to the study.
“With the wave of new workers coming in, organizations need to take extra precautions and make sure they have effective training in place,” said Kelly Ricker, senior vice president of events and education at CompTIA. “Companies cannot treat cybersecurity training as a one-and-done activity. It needs to be an ongoing initiative that stretches to all employees across the organization.”
Steven Ostrowski, CompTIA’s director of corporate communications, told SHRM Online that an organization’s policy governing employee behavior is important, but “the best security technology products and the most comprehensive policies and processes won’t work without appropriate human action and intervention. The person using the PC, laptop, tablet or smartphone is the weakest link in an organization’s security defense”—especially as the workforce as a whole becomes more dependent on smart devices.
“The mobile workforce is a boon to business agility, customer engagement and employee productivity. But it’s also created a cybersecurity nightmare,” Ostrowski added.
“Every device that employees use to conduct business—smartphones and smartwatches, tablets and laptops—is a potential security vulnerability.”