by Marc Wilczek

Why are USB sticks wrinkle-free?

Opinion
Aug 14, 2017
CareersCybercrimeData Breach

Roughly half of lost USB sticks and other mobile gadgets get returned to owners, which triggers the million-dollar question: What happens to the other half?

03 crimeware
Credit: Thinkstock

Having wrinkles in a USB stick is certainly not great. But here’s some good news: Dry cleaners are taking care of it and remove them from your clothes before processing your laundry. To strike a more serious note, a study conducted by internet security firm ESET in the United Kingdom has revealed that 22,266 USB sticks and 973 cell phones are among the various gold nuggets found by dry cleaners in dirty laundry each year. However, a staggering 45 percent of the devices never make it back to their owners.

These numbers are alarming but only the tip of the iceberg. The phenomenon as such is a common and global issue, far beyond the borders of the UK – and beyond dry cleaning. These gadgets are fun to have, cheap, incredibly convenient, small in size, highly mobile by nature, and enormously capable in terms of their memory capacity. Yet the common assumption that most of these devices are protected these days is a misbelief. While some of them might end up in the garbage can, others are creating headlines in the press, causing public embarrassments and all too often severe financial and reputation damages.

A big risk for both owner and finder

In a 2013 report, Ernst & Young concluded that millions of cell phones and smartphones are lost or stolen every year. Over their lifespan, some 22 percent of the total number of mobile gadgets produced will disappear, and over 50 percent of these will never be retrieved. With many of these devices carrying sensitive information, these numbers are of great concern.

In the digital age, data is of high value, and chances are that some of these devices will be ending up in the wrong hands. While some cybercriminals are trying to market datasets in the Darknet, others are purchasing these datasets to exploit their victims in targeted campaigns.

Obviously, lost USB drives and other smart devices carry substantial risks to both the owner and the finder. Somebody who picks up a rigged drive can not only infect their own devices, but also spread malicious contents across their organization when using them at the workplace. Themes such as bring your own device (BYOD) even explicitly encourage people to do exactly that.

Half of people plug in USB sticks they find in a parking lot

Researchers from University of Illinois decided to test what they call the “anecdotal belief,” which suggests that people pick up USB sticks and plug them in, so they dropped 297 of them across the school’s Urbana-Champaign campus in a field trial. The success rate in their study was between 45 and 98 percent. If there had been malware on these devices, they would have succeeded in rapidly launching a cyber-attack with the first devices communicating back home to the researchers within less than 6 minutes after they were dropped. However, while users initially connected the drive with altruistic intentions, nearly half went on and opened intriguing files – such as vacation photo – before trying to locate the drive’s owner.

A mere 16 percent of users bothered to scan the USB sticks with antivirus software before accessing the content. A mind-blowing 68 percent of the respondents took no precautions whatsoever before plugging in the drives.

In another experiment conducted on behalf of the Computing Technology Industry Association (CompTIA), some 200 unbranded USB sticks were placed across multiple public locations in Chicago, Cleveland, San Francisco and Washington to find out how many people would dare to do something risky. In one out of five attempts, users couldn’t resist, picked up the drives and engaged in fairly dubious activities such as opening files, clicking on unfamiliar web links or sending messages to a listed email address.

Still a long way to go

One would assume that in the digital era, people are more aware and cautious in terms of safeguarding data and their user behavior. However, the stats tell an entirely different story. In fact, the opposite is true.

Findings based upon CompTIA’s research also revealed:

  • 63 percent of employees use their work mobile device for personal activities.
  • Age matters a great deal as far as cybersecurity awareness goes. Baby boomers, Gen X and millennials each present unique security challenges and risks to organizations.
  • 42 percent of millennials have had a work device infected with a virus in the past two years, compared to 32 percent across all employees.
  • 40 percent of millennials are tempted to pick up a USB stick found in public, compared to 22 percent of Gen X and 9 percent of baby boomers.
  • 27 percent of millennials have had their personal identifiable information hacked within the past two years compared to 19 percent of all employees.
  • 41 percent of employees do not know what two-factor authentication is.
  • 37 percent of employees only change their work passwords annually or sporadically.
  • Only 4 percent of respondents polled said that their first action, upon discovering their systems have been hacked, is to contact the authorities.

Recommendations

These numbers are eye opening and clearly underline the necessity for individuals and businesses alike to take security more seriously.

Organizations should think along three major categories – people, processes and tools – in order to come up with a holistic, 360-degree conceptual framework of measures to combat cyber threats. This includes more emphasis on education and awareness, especially for young talent. Without regular training and rehearsals, people are otherwise likely to fall back into old behavioral patterns. Guidelines on the other hand will give people clear orientation on what to do and whom to contact – for example, in case a device has been found somewhere. The usage of security tools, especially mobile endpoint and device management solutions, is paramount. These tools typically come along with encryption, antivirus, authentication, inventory management functionality, etc., and aid in enforcing policies across the organization in an automated fashion in order to safeguard data and prevent outsiders from unauthorized access. Wherever possible, organizations should use two-factor authentication rather than solely relying on passwords.