Did you know that even your most loyal employees could be putting your company’s network and data at risk through their online activities? A major IT trade association recently found that there’s a severe lack of employee cybersecurity training in all industries — even the IT industry! This lack of cybersecurity awareness leads to risky behaviors, including the extremely ill-advised action of picking up a random flash drive found in a public place and plugging it into a laptop!
Think we made that last one up? We didn’t! The IT industry trade association CompTIA conducted the following experiment: 200 unbranded USB flash drives were left in public places like airports and coffee shops in Chicago, Cleveland, San Francisco and Washington, D.C. The sticks were pre-programmed to report all activities to the researchers. One in five people who found these sticks plugged them into their computers or tablets, opened the file on the stick, and requested more information by clicking on a link in the text file or by emailing the address in the text file. They gave the researchers demographic information about themselves, which is how the study gathered their ages and professions.
The researchers were surprised to learn that computer literacy did not prevent the subjects from sticking a random flash drive into their machines. Not only did a number of IT industry workers use sticks they found at San Francisco National Airport, but in one case the subject worked for a corporate security office. The lesson: Just because you’ve lectured your employees about cybersecurity, it doesn’t mean they’ve developed good cybersecurity habits.
Delving further into this problem, CompTIA commissioned a cybersecurity awareness survey, and learned that 45% of full-time US workers do not receive any form of cybersecurity training at all.
So what can you do about this? Start by asking your managed IT provider if they provide cybersecurity education programs for their clients’ employees. Don’t settle for a laundry list of activities to avoid, because as we’ve learned from the CompTIA study, that kind of lecture does not change behavior. The training should include strategies for the safe use of every device, with specific instructions for separating accounts and passwords used for work and home. A successful training program will do more than raise awareness about cybersecurity threats; it will give your employees the instruction they need to implement safe choices.
Dateline: Monday, January 25, 2016
Author: CMIT Solutions of Gilbert and Mesa