A generation of employees has grown up with digital technology. Does this mean that their online behaviour is more or less secure?
Millennials. They grew up with digital technology so they must understand how to use it. Of course they know how to keep cyber safe.
Millennials. They are at the start of their careers and most of them still behave like kids, happy to take risks with little thought for the future. Of course they behave insecurely.
Which of these views is the more realistic? According to new research from Centrify, if you listen to decision makers, you will hear that younger employees are responsible for most breaches and that they are often too relaxed about security.
That might be true. After all, there is lots of evidence that older people are more risk averse.
Millennial cyber naivety?
But is it true for cyber security risks? It depends who you talk to. There is some argument that younger people are more naïve about cyber risk and that is why they cause problems.
At a meeting in London last week, hosted by Centrify, we were introduced to Woody and Kleiny, two young (a lot younger than me at any rate) online media stars with several million social media followers.
Talking about a time when their Instagram account was hacked, Woody (or was it Kleiny?) said, “We didn’t know what to do, so we contacted Instagram. They were amazing and luckily they could get all our content back for us.”
Yes, they were lucky. You have to wonder whether Instagram would have been so obliging over my Instagram account (followers: 0).
But how did the hack happen? That wasn’t made clear, but if I took a guess I’d say they were relying too much on Instagram’s security and not enough on their own office security. For instance, they emphasised that they would never share passwords via a social media app (you’d hope they wouldn’t share them at all!). Instead there was talk about passwords written down on paper.
So perhaps the research is right. Younger workers are a risk to organisations. This was borne out by the fact that only 18% of younger employees felt that social media posts could compromise security. And yet social media is a very real threat, as the US military acknowledge.
Manager cyber ignorance?
And yet. The research isn’t conclusive. Some 15% of millennials admitted to sharing passwords with colleagues. For managers, the figure was very similar: 16%. And only 7% of millennials admitted to visiting dodgy websites, compared with twice as many managers who did.
In addition, 15% of managers admitted to removing corporate information from the company, compared with half the number of millennials. And one in eight managers use work devices to visit gambling sites (sources of much malware) compared to one in twenty millennials. Clearly managers are not leading by example.
Protection with policies
Whoever is to blame, it is clear that organisations need to protect themselves from their employees at all levels.
The first thing they should do is to create readable policies that explain what counts as acceptable, safe behaviour, and what doesn’t.
Unfortunately, while most companies have security policies, a substantial minority of younger workers (one in four) don’t follow those guidelines strictly. Frankly I am surprised that it is as few as one in four! Education about policies is weak in many organisations and rarely supplemented by effective awareness programmes and change-management programmes designed to change behaviour for the better.
And those policies often don’t go far enough. Only 40% of young employees said that their employer had clear social media guidelines. A lack of interest from managers will easily deliver a careless attitude among workers.
Unsafe cyber security behaviour by employees is rife across organisations. It involves the young and the old. And unless senior management take it seriously by putting in place clear policies backed up with education, awareness campaigns and the right motivations, that behaviour won’t change.
Image under licence from iStockPhoto.co.uk, copyright DisobeyArt