Jon Fielding, Managing Director, EMEA, Apricorn, looks into the new risks in the next-gen workplace.
With the oldest members of Generation Z, born in the 1990s, turning 21 and entering the workplace for the first time, most organisations could soon have four generations working alongside each other who have grown up in vastly different technological eras. As a result, many employees will have different day-to-day expectations, priorities and preferred working practices.
How best can enterprises protect their data and information from breaches and losses against this backdrop? It will mean, first of all, gaining a thorough understanding of this multi-generational workforce.
Myriad reports and books are available today that contrast one generation or another with previous cohorts. It's typical to hear that Gen Z in particular will expect to work collaboratively yet independently, using many of the sophisticated tech tools and platforms they already trust. Many, naturally enough, may also expect to receive regular feedback via those tools in near-real-time.
Some younger people may have had data safety lessons in the classroom and be more cautious than, say, Gen Y as a result. Others may simply use the latest tools automatically, without thinking much about it, because they've grown up with them. Flowing from their experience of being 'always on' or connected via digital technology, some may take its use or even existence for granted, as this article illustrates.
The younger cohort may struggle to understand workplace policies that restrict their use of these technological tools – introducing new risks for the prudent CISO to consider. In addition, their behaviours and expectations may conflict with those of older generations in the same workplace, causing unnecessary friction.
So, concomitant with this newly diverse workforce, we can expect to see new and enhanced cyber security risks – with the pressure ramped up by broader trends such as working from home or remotely, or simply as a consequence of the existence of varying technology skill sets across the business.
Data must be kept safe wherever it goes
In a 2019 survey by Apricorn, almost half of organisations admitted their mobile workers had knowingly put data at risk, while nearly a quarter said they couldn’t be certain their data was secure when used in a remote working environment.
At the same time, the UK Information Commissioner’s Office (ICO) has begun to flex the new powers it has under GDPR, hitting British Airways and the Marriott hotel chain with massive fines of £183.4m and £99.2m respectively. It has become imperative for all organisations, of whatever size, to follow the latest rules on data protection and handling of personal data.
Specific and comprehensive policies that cover mobile working are needed in this environment, and should be put in place as soon as feasible. These will keep data safe on the move while enabling the entire workforce to work productively, efficiently and flexibly – especially important when younger employees may assume they are able to do this anyway.
The good news is that the approach does not need to be overly complex, or centred on costly and sophisticated solutions: the best way to safeguard data is still to get the basics right.
To a large degree, some elements of 'human risk' can be eliminated by developing policy and practice that mandate the use of corporate-approved removable storage devices.
We're talking, of course, about encrypted USB drives or secure external hard drives that come with PIN or biometric authentication such as fingerprint access. Some may argue that it's easier to simply store everything in the cloud. The trouble with that idea is that it's also very easy for leaks to occur via cloud storage.
Others recommend simply storing everything securely on endpoint hardware, such as business-owned and managed smartphones, laptops or tablets. But hardware is typically only as smart as the software that runs on it – and sometimes people prefer to use their own hardware as well, whether permitted by their employer or not.
It's good practice to encrypt and secure all your smartphones, laptops and tablets. Emails too should be encrypted, whether they're coming in or going out. In addition, the enterprise should layer up: mandating the use of encrypted USB drives or secure external hard drives with appropriate authentication tools.
Training for all staff should ensure the use of such tools becomes the default behaviour at all levels whenever data or information might be moved around, either within the business or externally. This should be the case whether employees are working on projects at home or in another office location beyond the VPN or corporate firewall.
It's crucial to design the right security strategies, cultures and policies to address the whole range of potential risks and behaviours within the multi-generational workplace. We've found that there is low take-up of the appropriate USB technologies – so there's plenty of room for improvement in many companies.
Talking and teamwork
Educating all employees at all levels, and from all generations, about good security practices is essential. This means developing and enacting a strategy that ensures everyone understands the importance of data protection and is regularly updated with the right skills to keep information safe.
Timely, clear communication at all levels, beyond simply setting correct behaviours and explaining why they're necessary, is also vital. Everyone, across the whole organisation, should be encouraged to talk about security. This means not only sharing ideas and feedback to help cyber security teams, but asking questions and applying the answers.
All resources should ultimately work together to help cyber security teams understand and drive overall business goals.
This can be taken further. Building a diverse security team with a full range of skill sets and perspectives is a highly effective strand of overall strategy when defending an organisation against cyber-threats. It should go without saying that to consider all possible vectors in a multi-generational workplace, IT leaders should also consider recruiting talent – capable of bringing diverse perspectives – from other departments and even industries.