Businesses around the world find their workforces increasingly divided along generational lines.
As baby boomers near retirement, they find themselves in leadership positions managing workforces composed of millennials who approach the workplace with attitudes completely different from their own. In the realm of cybersecurity, several recent studies suggest that this tech-savvy generation is surprisingly naïve when it comes to protecting personal and corporate information.
In a mobile device security survey conducted by Absolute Software, 25 percent of millennials who responded say that they believe their digital behavior compromises the security of their organization. That’s a shocking figure on its own, but it becomes more surprising when compared to the 5 percent of boomers who reported similar behavior. That generational divide means that IT professionals must design security programs to compensate for these differences. Let’s look at five ways for organizations to tailor security controls to bridge the generational cybersecurity divide.
Lack of awareness surfaces as one of the common themes in studies about the security habits of millennials.
In addition to believing they engage in behavior that compromises the security of the business, members of this generation also feel that security is someone else’s responsibility. The 2016 Norton Cybersecurity Insights Report found that, on the topic of personal habits, nearly half of all millennials rely upon banks and credit card companies to protect them after a security incident. That same behavior carries over into the workplace, where the Absolute study found that 50 percent of respondents agreed with the statement, “Security is not my responsibility.”
Organizations seeking to change these attitudes should design security awareness efforts with the millennial generation in mind. Classroom training programs are not likely to get the message across effectively.
Consider using shorter snippets of information that tell clear stories about the effect of poor security practices on the organization.
For example, a series of short videos explaining the risks of downloading unapproved software would likely better convey the message to this group than a lengthy email.
Big Brother is watching. Almost every employee of a modern company knows that organizations have the right to monitor the devices and networks they own for illicit activity.
Despite that, more than a quarter of millennials surveyed by Absolute admitted to using work devices for activities deemed “not safe for work.” Such activities range from more innocuous distractions like social media to dangerous ones such as sexting, accessing adult content and downloading pirated materials.
In addition to strong awareness efforts, organizations should protect themselves from the security and legal risks inherent in that behavior by performing content filtering on their networks. Organizations may tailor the specifics of their content filtering to match their corporate culture but should, at the very least, block access to sites known to host dangerous malware.
More than a third of millennials modify the default settings on their company-issued devices, according to Absolute. That’s more than four times the rate of older employees, with only 8 percent of baby boomers modifying their system settings.
Those modifications may be harmless if users only tinker with desktop backgrounds, screen saver content and other innocuous settings, but clicking the wrong box in a configuration window can expose the organization to extreme risk by undermining desktop firewalls, full disk encryption and other security controls. Configuration management tools can address those risks by restricting the settings available for user modification and requiring administrator intervention to adjust parameters.
Millennials increasingly see their work-issued devices as multipurpose tools that allow them access to cloud-based services.
In the Absolute study, 64 percent of millennials admitted that they use their work devices for personal activities.
If those activities include file sharing or playing games that open firewall ports, corporate secrets stored on the device may be at risk. Administrators should encourage users to separate business and personal use on devices. While some personal web surfing is inevitable, users should leave software installation and other riskier activities for their personal computers.
The study by Norton found that millennials are most likely to engage in risky password sharing, with 31 percent admitting to having given someone else access to their passwords. That statistic lends credence to a rising belief in the security community that passwords simply aren’t sufficient for high-security applications.
Organizations should consider deploying two-factor authentication controls that require users to demonstrate that they have physical possession of a smartphone or security token before they’re allowed access. Two-factor authentication solutions have risen in popularity recently while falling in cost.
The generational gap between millennials and baby boomers is visible in a variety of ways. It’s clear from multiple studies that millennials approach cybersecurity issues with a much more laissez-faire attitude than older employees. Design information security controls with that in mind.