- The Washington Times - Wednesday, October 28, 2015

Cyberlegislation passed in the Senate this week is supposed to protect the nation’s computer networks from highly skilled hackers, but researchers say subpar security practices exhibited by an alarming number of Americans could be the cause of the next major breach.

Nearly half of the respondents polled in a recent survey said they haven’t been offered cybersecurity training of any sort by their employer, and the results of a separate study also out this week suggest corporations incur an average of $45,000 in damages each time a company computer becomes compromised.

“The best security technology products and the most comprehensive policies and processes won’t work without appropriate human action,” Todd Thibodeaux, president and CEO of CompTIA, told The Washington Times. On Wednesday his IT firm released a report on cybersecurity habits in the workplace, the contents of which reveal that a significant percentage of employees practice subpar security hygiene, including poor password management and a carefree attitude with regard to what they put in their machines.

Earlier this year CompTIA took 200 unbranded USB sticks and placed them in high-traffic public spaces in major U.S. cities on either coast. Contained on each stray stick was a text file which, if loaded on a computer, would instruct the device’s new owner to either visit a specific web page or send an email to a certain address. Yet while inserting random media is rarely, if ever, a wise idea on its own, CompTIA’s research revealed that 17 percent of consumers picked up and plugged the found USB sticks, opened the file and either clicked the link or emailed the address — two other major no-no’s with respect to cybersecurity.

“Notably, consumers’ technology literacy was not a determining factor for whether a USB stick was picked up or not,” the report stated. “At the San Francisco International Airport, for instance, a number of IT industry workers found and plugged in the sticks. In fact, a security office located within a multinational corporation’s office building also found a stick and emailed the alias address.”

Previous security research has suggested that a single USB stick can be programmed to surreptitiously suck the data off infected machines, spread malware and, in the case of Stuxnet, perpetuate a nation state-crafted cyberattack capable of disrupting a country’s entire nuclear program.

CompTIA also surveyed 1,200 Americans who use computers for work on a regular basis, and 22 percent of that sample said they would hypothetically pick up a USB stick found in the wild; 84 percent of that group said they’d insert the drive in their own device.

“The results are a reaffirmation of what we’ve seen for some time,” Mr. Thibodeaux told The Times. “We know that the person using the PC, laptop, tablet or smartphone is the weakest link in an organization’s security perimeter. In some cases carelessness is at the root of bad habits. In other cases it’s expediency. Users know what they’re doing may be unsecure, but in the interest of getting something done, they go ahead anyway. But for many others, it comes down to not knowing or understanding the risk they are putting themselves and their employer at.”

Indeed, researchers at iScan Online said in a report of their own this week that the cost of a compromised work computer can set a company back more than just the price of a replacement. By analyzing data collected from over 700,000 customer devices, iScan determined that the average liability of a server equates to $301,098, with the average liability of a desktop computer clocking in at $48,843.

But while not every company-owned computer may contain sensitive information — or even be vulnerable to attack — iScan’s research concluded that a company of 250 employees would on average have “just seven employee computers that, if breached, would likely cost the company over $2 million.” According to CompTIA’s research, 94 percent of employees connect their computers to public Wi-Fi networks, and 45 percent of workers receive no cybersecurity training in the workplace — two more findings that should alarm anyone whose corporation is tasked with keeping important data safe from hackers. Per iScan’s report, 87 percent of the computers they analyzed contained unprotected credit card data.

“Employees take a safer approach to refreshing their work passwords than personal logins, but plenty of IT departments would still be troubled to know that 37 percent do so only annually or sporadically,” the CompTIA report warns.

Elsewhere, the researchers note that 6 percent of employees surveyed said they would share their Social Security number for a social media or e-commerce site.

“Spreading cybersecurity awareness, knowledge and training throughout the entire organization, from the receptionist at the front desk to the IT worker in the back office to the CEO in the corner office, is essential. Otherwise, the company risks becoming the next cybersecurity headline,” said Mr. Thibodeaux.

“We also know that a significant number of organizations — small and large, public and private sector — are lacking when it comes to training their employees on the best security practices.”

The CompTIA and iScan Online reports were both released on Wednesday this week, one day after the Senate voted 74-21 to pass the Cybersecurity Information and Sharing Act, or CISA. That bill is expected to soon be ironed out in a conference with lawmakers in the House and signed by President Obama, at which point private sector companies can begin voluntarily sharing information concerning cyberattacks with the federal government. Silicon Valley has largely objected to the bill, however, with companies including Apple and Twitter having questioned whether arrangements through CISA will offer extra protection to Americans’ data or risk being abused by the agencies that will receive it.
