Cyber security: Curiosity can kill more than the cat
April 27, 2016
Article courtesy of SBAM Approved Partner ASE
Author: Nicole Sitter
Most adults know that washing your hands reduces the risk of spreading germs, and cleaning and bandaging a wound prevents infection. But do you know what can happen when you pick up electronic germs?
In 2015, two separate groups of researchers ran experiments to test people’s curiosity and their knowledge of cyber security. One group randomly placed 297 flash drives around the campus of the University of Illinois. Another group from CompTIA, an IT association, placed 200 flash drives around four cities. The flash drives contained harmless files such as fake resumes, photos and contact information for the researchers. They contained no viruses or other malware; but for all anyone knew, they might have.
The locations of the flash drives were electronically tracked, as was the activity on the flash drives. The University experiment found that 290 of the 297 (98%) flash drives were picked up and moved from their starting location, and 135 of them (45%) were plugged into a computer and at least one file was opened. The researchers counted those as “successful cyber attacks.” In the CompTIA experiment, 20% were classified as such.
Subsequently the research teams informed the unwitting participants of the experiment. Most participants stated they were attempting to find the owner of the flash drive. But nearly half of the participants opened a photo file before they opened a resume. In other words, participants were more curious to see what the owner had on the flash drive than they were to find out who owned the flash drive. Their curiosity and (presumably) their basic decency led them to incredibly risky behavior, not only for themselves but in many cases for the organizations they were associated with as well.
Some participants emailed a contact they found on the flash drives, opened files, ran programs and clicked on internet links. Each one of these events mimicked a very real cyber-attack, and alarmingly, not all of the activity took place on their own computers. When a drive is plugged into a work computer, the impact of a cyber-attack is magnified several times over. Cyber criminals can and will see everything conducted on the computer, meaning they will have access to all files, contacts, applicant tracking systems, social security numbers, credit card numbers, addresses and criminal reports, just to name a few!
Sadly, cyber security threats are not limited to flash or thumb drives. Cyber criminals hand out free music CDs on street corners that contain ransomware or malware, they write code that logs into millions of email accounts, they send spam emails with invisible attachments that gain access to computers, and so on. This is in addition to corporate espionage and phishing expeditions. Some trusting employees even receive phone calls from a “new employee in the IT department” who needs them to reset or verify their password!
Cybercrime is expected to create a $2.1 trillion crisis worldwide by 2019, according to the U.K.-based Juniper study, and it preys on human curiosity and decency. However, there are steps that HR professionals should take to defend against these threats, starting with training employees on cyber security and/or data security protocols.
The organization’s employee handbooks should outline clear and concise rules when it comes to cyber security threats, including outside storage devices (thumb/flash drives, CDs) and suspicious emails and phone calls. These rules can be tailored to a particular business, but should include these points:
- Never attach an outside storage device to a work computer or to a personal computer that accesses work networks. Either leave it where you found it, or turn it in to your IT department. They can safely look for an owner on an isolated, unconnected device, or properly dispose of it.
- Change passwords often, and do not use birthdays, anniversaries, children’s names etc. Try using a motivational statement made of letters, numbers and symbols, like E@tWe11!
- Do not write passwords down. If you must, keep them in a location separate from the device.
- Never supply your password to anyone, even a coworker. On occasion your IT department may need your password, but you should only give it for a computer issue that you yourself reported to them.
- Never open, reply to or forward emails from unknown parties, or emails that look suspicious. Instead, call your IT department to have them investigate.
- Lock your computer, phone, tablet, and other electronic devices when they are not in use.
All new employees should receive this information, and the entire company should participate in a refresher course annually. There is no such thing as being too careful when it comes to cybersecurity. A company’s information is only as secure as the one person who acts without thinking.