Tech-savvy doesn’t always mean security savvy.
There has been much recent coverage of the impact of Generation Y, or Millennials, on information security.
The lack of security awareness of younger workers (typically aged 18 to 30) is widely seen as a growing cause for concern – and it should be. By 2020 Generation Y will account for 50% of the working age population.
The topic was also covered at Infosecurity Europe 2014 in April, which Ascentor attended. An entire session was held to explore ways to engage Generation Y with information security, suggesting that Generation Y worries less about information and IT security than the generations before them.
So, what’s the problem with Generation Y?
A very tech-savvy “Google and Facebook” generation – Generation Y professionals are mixing their personal and work information on social media sites, bringing their own devices to the office and downloading content at work. Indeed many now consider it perfectly normal to use the same apps and downloads they might use at home to create “workaround” solutions in the office. Inevitably, this only increases the risk of workplace information security breaches.
What’s more, research by security firm ESET found that almost a third of Generation Y professionals either didn’t know or believe that their employer has an IT security policy – while 52% were unaware that stolen data could be used against their employer – and half of the respondents thought it was the responsibility of the business to guarantee the safety of data.
All of this suggests we have reached a state where Generation Y is so used to sharing information and bringing their own devices into work that there appears to be a real naivety towards security. Tech savvy doesn’t always mean security savvy.
The BYOD and mobile threat
Cisco commented in its 2014 Annual Security Report that cyber criminals and their targets share a common challenge – both are trying to understand how to use the growth in bring-your-own-device (BYOD) and mobility to their advantage.
The report highlighted two main security issues that apply to the mobile habits of Generation Y:
- It’s getting easier to design malware for personal smartphones, tablets and other mobile devices – which are used more and more inside and outside of the workplace. The report had particularly bad news for Android users (and potentially their employers too). 99% of all mobile malware in 2013 targeted Android devices.
- The growing usage of mobile apps at work without any thought of security.
Even when policies are in place to manage personal devices, there are always those who feel the policies don’t apply to them. Research by Fortinet in 2012 found that a third of Generation Y would ignore a policy banning their personal devices from the workplace.
Certainly, Generation Y presents the biggest BYOD challenge but the problem goes even further. After all, anyone can leave their mobile device or work laptop in a taxi – or the pub.
Let’s just bypass IT altogether
To make matters worse, there are growing instances of app-aware Generation Y workers creating their own cloud-based solutions to solve perceived IT constraints. Their view that employer-provided IT solutions are outdated, and that the IT department consists of dinosaurs, leads them to bypass the “system” altogether, including the information security.
Research by content-sharing platform Huddle cited use of cloud services such as Dropbox as a typical occurrence – with the 18-24 and 25-31 age groups being the worst offenders. As any IT department will know, such services aren’t always the most secure of file-sharing platforms.
Accordingly, this all creates another potentially damaging security issue. Organisations may no longer know where their data is stored as their own employees, particularly the younger ones, are deciding what to put where. Sensitive information could literally be stored all over the place.
What can be done?
Ascentor’s view is that Generation Y and its apparent lack of security mindfulness does present a problem – but it’s yet another example that people (of all ages) are an organisation’s “weakest link” and pose the biggest risk to information security.
Employers have a big challenge with Generation Y: they need to attract the best new talent to bring IT expertise and technical capability to their organisations, and at the same time rein in the relaxed attitudes towards IT policies and security that may come with it.
Here are a few suggestions that will help reduce the security risk posed by Generation Y – while also being common sense approaches for all employees.
Educate and communicate: Younger workers will need educating on the importance of security within the workplace – addressing how they use their own devices and social media inside and outside of the workplace.
For many, it will be the first time they’ve ever been aware of the threats posed to organisations, so cyber-crime awareness and what they can do to prevent it must be properly explained and communicated – but in a way they can relate to.
It’s best to be brief – provide small chunks of information on an ongoing basis and be personal in your style of communication. Make sure they know it applies to them but in an accessible and engaging way. Stress why it’s important instead of being heavy on authority. No one likes to be read a rule book.
BYOD: Change has happened, people are used to BYOD and won’t want to stop. Any lock-down approach will anger and frustrate and is likely to be ignored.
Your BYOD policy must support the business and must make sense. It should define your processes and procedures to protect intellectual property and sensitive information.
Everyone should know what will happen if a device is lost or stolen. The backup actions and responsibilities must be clear.
Remember – a cyber criminal’s dream doesn’t have to be your worst nightmare
Ascentor has many years’ experience of helping clients identify and mitigate their security risks. The issues are constantly changing and are as much about people as they are IT – as this article demonstrates.
If you know the risks to be aware of, and how to respond, your organisation can focus its efforts on achieving its objectives rather than trying to put right costly mistakes when it’s too late. That’s where we can help.