Millennials, also known as Generation Y (after Gen X) and Generation
C (for Connected), should perhaps be called Generation Leaky, at least
according to some experts.
Various surveys have found that workers
born between the early 1980s and early 2000s are much more concerned
with productivity and convenience than security, to the point where they
will ignore IT directives or work around what Adweek blogger Kimberlee
Morrison called, “clunky security mandates.”
That is also the view of security executive Chris Rouland, who declared in a recent Dark Reading post that Millennials, “have no interest in protecting their data.
“They
will pay double for organic bread,” he wrote, “… but they place
seemingly no value on the integrity and security of their personal
identifiable information, let alone the consequences a hack could have
on their friends, families, colleagues and employers.”
He noted that the recent breaches of Yik Yak and Snapchat
didn’t reduce the use of those apps. “Leaked personal photos and
private information seem to not just be tolerable in this demographic,
but almost expected,” he wrote.
Indeed, CSO recently reported that
studies have found that some workers put more importance on sharing
information about themselves than in making more money.
The
security implications of such attitudes could be large. Ages 22-24 are
the top three in population in the U.S. And with Boomers and Gen Xers
moving toward retirement, Millennials are about to become the largest
generation in the workforce.
If they really don’t care about
security, it would seem they will be creating an expanded threat
landscape that will be a hacker’s dream and an organization’s nightmare.
And some experts argue that it is indeed that bad, for a number of reasons:

Need for speed
Andrew
Avanessian, executive vice president of consultancy and technology
solutions at Avecto, notes that, “Millennials are the most connected
generation in history, and with that comes this new mentality where
everything should be instant – information and communication at the
click of a button.” If security protocols interfere with that,
they’ll go with speed and convenience. “The likely result is that
they’ll bypass those settings completely, or turn to another, unsecure,
platform that doesn’t have those perceived barriers,” he said.

The personal/professional merge
“Millennials
link everything from financial accounts to very personal information
from social media apps everywhere, on every device,” said Tom Bain, vice
president of Security Strategy at CounterTack. “Sixty percent of all
mobile attacks are capable of stealing money from Millennials,” he said,
noting that mobile attacks globally are growing by a factor of 10 every
quarter.
“So the more data that is available, mostly on mobile
apps and devices, the better the opportunity for hackers to hack
individuals and ride those coattails into corporate networks freely.”
Avanessian
added that today’s digital workers like applications that are, “sleek,
intuitive, and have the same look and feel as products they're already
familiar with. This is why we see many employees using platforms such as
Dropbox or Skype for business purposes. But these kinds of applications
were largely designed with the consumer in mind – not for the business
professional who might be handling sensitive content.”
That
extends to devices, according to Raj Dodhiawala, senior vice president
and general manager at Mantech Cyber Solutions International. “I know
Millennials who want to use their personal devices at work because they
are more powerful and capable than standard issue desktops,” he said.

Ignorance isn’t bliss
Dominique
Singer, principal of Security Solutions Architecture at Hexis Cyber
Solutions, contends that Millennials are poor at security not because
they don’t care, but because they don’t know enough to care.
“They
have grown up in a world of ‘data everywhere’ and ‘information
everywhere,’” he said, “and have been conditioned to expect easy access
to any kind of data, especially social media. They haven’t been
conditioned, or even slightly educated, on the importance of protecting
their data.”
Dodhiawala
added that while Millennials do care about protecting their data, “they
just don’t have a good sense for what constitutes private, personal or
sensitive data.
“Putting their date of birth on Facebook is
considered routine, for example,” he said. “Intuitively, they share
first, and protect minimally.”

A matter of trust
Millennials
tend to trust technology more than they should, according to Bain.
“They just have implicit trust in apps, carriers and the devices they
use, that anything they do or say is protected. They are 99% blind to
the growing threatscape,” he said.

Pushing for privileges
Along
with the expectation of instant communication comes the expectation of
easy access. Avanessian said Millennials have grown up in an online
world where access was always easy and immediate, and bring those
expectations to the workplace, in the form of demands for elevated
privileges.
“We conducted a survey a couple years ago that
found that male employees between the ages of 25 to 35 years old were
most likely to demand elevated rights,” he said.
And while that
may improve productivity, “the problem is that it gives users the
ability to make system tweaks or unauthorized application downloads.
This significantly increases the potential for malware to invade the
system and open the entire corporate network up to vulnerability,” he
said.
***
While there is little disagreement that
Millennials exhibit those vulnerabilities, other experts say they are
not alone – that older workers can be just as bad.
Armond Caglar,
senior threat specialist at TSC Advantage, agrees that the majority of
social media users, who willingly surrender their personally
identifiable information (PII), are Millennials. But, he noted, millions
in other age groups do so as well.
He said LinkedIn, the career
networking site, tends to be used by older workers and is arguably more
dangerous than Facebook or Snapchat since, “the biographic, educational
and personal data that is volunteered here is way more valuable to a
potential adversary than an Instagram shot of a Millennial’s brunch on a
Sunday morning.”
Caglar is also among numerous experts who have
pointed out that many corporate executives, “ignore the perils
associated with using free Wi-Fi or willfully abandon certain security
best practices when traveling internationally.”
Andrew Deacon,
channel sales engineer EMEA at Hexis Cyber Solutions, also said he
thinks the issue is larger than a single demographic group. “It is how
technology and social media has changed the rules of society,” he said,
arguing that online and face-to-face interactions are, “totally
different.”
Most people would never give a stranger on the street
their banking information, even if he promised to put money in their
account. But online, “a lot of people would send their bank details.”
That,
he said, is because, “online, we lack non-verbal communication cues
that subconsciously give away a person’s true intentions. We have also
been told from an early age to be wary of strangers offering you candy.”
Online, “most people share all sorts of data and nothing bad happens, right? So they think it must be safe.”
And
Perry Dickau, director of product management at DataGravity, said it is
human nature to ignore risks that haven’t caused any damage yet.
“Many
organizations still choose to be reactive to situations rather than to
proactively try to prevent them, and why should they? From their
perspective it’s a tedious, costly proposition with questionable yield,”
he said.
Dickau and others say that blaming Millennials is not going to fix the problem – it will take an organization-wide effort.
“For
data security solutions to actually work, it’s extremely important that
they don’t disrupt user productivity – in fact they should promote
their freedom. There are technologies out there that can achieve this,”
Avanessian said.
Dickau said it will take a combination of
technology and awareness training. “Fundamentally, data is exposed and
vulnerable at the moment it is created, by default creating a
requirement to protect and secure it whenever it is stored,” he said,
adding that while training is also crucial, “it is just another piece in
the overall security puzzle.
“Technology will only supplement the
human element in any security, privacy, and compliance equation,” he
said. “The two elements need each other to work successfully – one
cannot replace the other.”
Bain does not see that happening on a
broad scale anytime soon, however. “It will get worse before it gets
better because organizations can’t change behavior with security policy
enforcement,” he said. “Saying ‘don’t’ will just make them want to do it
more, and productivity will decrease if employees aren’t able to use
their social media accounts at work, or talent will go where the
environment is more open.”