Some 17% of US consumers picked up USB sticks they “found”, plugged them into their devices, opened the text file stored on them and either clicked the unique link or emailed the listed address, according to an experiment by the Computing Technology Industry Association.
The association conducted a social experiment to observe consumers’ cybersecurity habits when faced with found USB sticks. The research team set out to test the hypothesis that, despite the frequency and highly publicized nature of cyberattacks and data breaches, many consumers still exhibit poor security hygiene, unintentionally placing their devices and data at risk.
The study also shows that consumers’ technology literacy was not a determining factor for whether a USB stick was picked up.
“Blindly trusting found USBs – or unprotected Wi-Fi networks, or emails from unidentified third parties – puts more than the individual at risk,” researchers say. “As the findings show, even the most IT literate end users can make precarious decisions when faced with potentially suspicious technology, demonstrating how challenging it can be to instill strong cybersecurity habits (not merely knowledge).”
According to the experiment, 58% of US employees rely on USB-based storage drives to transfer files across devices. This presents more than a few security risks, especially given users’ propensity for using unfamiliar USB storage devices.
In the experiment, 200 unbranded USB sticks were dropped in high-traffic public spaces, such as airports, coffee shops and public squares in business districts, in cities including Chicago, Cleveland, San Francisco and Washington, D.C., from August to October of 2015. The sticks were loaded with text files prompting anyone who plugged them in to email a specific address or click through a trackable link.
A US government study from 2012 showed that some 60% of the people who found USBs picked them up and plugged the devices into office computers.