Don’t laugh. Almost one in five (17%) of the 200 people who recently came across one at random—in an airport, coffee shop, or public square in Chicago, Cleveland, or Washington, D.C.—plugged it in, then proceeded to open a text file and click a link or email an address in it.

If this weren’t part of a harmless “social experiment” conducted by a team of researchers from trade association CompTIA, the results could have been disastrous, inviting trouble like viruses, malware, and security leaks not only into people’s own devices, but their employers’ networks too.

The really discouraging part, notes CompTIA’s new study on cybersecurity, is that even techies who surely knew better let their curiosity get the best of them.

At the airport in San Francisco, for example, a number of IT industry workers found and plugged in the sticks. “In fact,” the report says, “a security office located within a multinational corporation’s office building also found a stick and emailed the alias address.” In their emails, a handful of respondents even asked if the USB had a virus on it, which is a bit like asking the guy stealing your wallet whether his gun is loaded. At this point, are you sure you want to know?

Evidently, companies bent on protecting their data, and that of their customers, need to do more training. CompTIA’s poll of some 1,200 U.S. employees found that almost half (45%) get no cybersecurity training at all. “Even when companies do ‘train’ people, it’s usually cursory,” says Todd Thibodeaux, CompTIA’s chief executive. “New hires get a brief lecture about social media sites and personal email, with no discussion of more complex issues like the hazards of unlocked mobile devices, public wifi, and using the same password for 10 different sites.”

About 70% of those surveyed use public wifi for work, while only 34% report having a unique password for each site they regularly visit. Millennials are the most careless about security, the report says, and are more likely than any other generation to use their work devices at home (74%), on the go (73.5%), and for personal activities (79%). It’s no coincidence, the study points out, that almost half of American adults say their computers were hacked last year.

But even if employers did a far better job of explaining that, to use Thibodeaux’s words, “it’s everybody’s job to protect their company’s network, not just the IT department’s,” knowledge alone isn’t enough. If it were, techies wouldn’t be plugging in strange USB sticks they found lying around in airports.

“Behavior changes really only happen through repetition, follow-up, and emphasis,” says Thibodeaux. “It takes a long time to instill new habits.”

The employees in the survey apparently agree. Almost all (97%) said that cybersecurity should be part of the basic curriculum in grade school. Between the ages of 11 and 13 would be a good time to start, according to 42%. About one-third (30%) believe that “between the ages of 5 and 10” would not be too soon, giving kids a decade or so to practice caution in cyberspace before they join the workforce.