AhnLab, the South Korean IT security vendor, has revealed that 78 per cent of IT security professionals have admitted to picking up and plugging in USB flash drives found abandoned or lying around. This goes against all the rules and warnings these professionals try to drum into their own colleagues: inserting a "found" flash drive into a network can lead to infected files and networks and, ultimately, the loss of valuable data.
The study, which was conducted at last month's RSA Conference 2013 among 300 IT professionals, many of whom were security experts, found that the data discovered on the "found" USB drives often included viruses, rootkits, bot executables, movies, music and other office documents.
The study also uncovered that more than 68 percent of those surveyed had been involved in a security breach, either at home, work or personally – with many relating back to the infected USB drives.
"I am utterly shocked at these figures, in particular, the 78 per cent number," said Brian Laing, VP of marketing and business development, AhnLab, Santa Clara. "For example, Stuxnet, one of the world's most sophisticated cyber-attacks, gained access to its target system through a 'found' USB drive. The creators of the malware left infected USB drives near a uranium enrichment facility and someone picked it up and inserted it into their PC. Stuxnet derailed the efforts of that nation to purify nuclear materials at its facility."
According to Laing, IT security professionals are clearly ignoring basic rules and this must stop. An infected USB drive could result in infected machines, infected networks, and a PC or PCs in the network converted to a bot for use by cyber criminals. The result could include stolen intellectual property, such as sales forecasts, and customer and financial information. The list is endless.
"I urge IT security professionals to begin practicing what they preach," said Laing. "This 'it won't happen to me' attitude doesn't wash. It really does come down to the old mantra of combining people, process and technology – if you can get all three elements right, you are on track to a safe and secure environment."
In addition to this, a recent study from Virginia-based PhishMe found that over 60 percent of people will fall for a phishing attack if they have never been trained to know what to look out for. One in five people admitted to being tricked by a phishing email into clicking a link or opening an attachment. Training employees, globally, needs to be part of the solution.