teissTalk: Developing an intergenerational security awareness programme

teissTalk host Thom was joined by Karandeep Bansal, Head of Information Security, Travelopia; Leanne Walker, Senior Information Security Specialist, Awareness & Engagement; and Karl Knowles, Head of Cyber and Service Delivery, HFW.

 

Views on news

 

Millennial and Gen Z employees are more relaxed when it comes to cybersecurity on their work devices than their personal ones, according to a new survey from Ernst & Young Consulting.

 

Experts call for the restructuring of corporate security strategies with human behaviour at the core and maintain that human risk must be at the top of the security agenda, with a focus on understanding employee behaviours and then building proactive cybersecurity systems and a culture that educates, engages and rewards everyone in the enterprise.

 

As always, context is crucial to understand why young generations have these attitudes – do they think it’s someone else’s job or don’t they understand the consequences?

 

Are they too overworked and underpaid to bother? There also seems to be a fatigue element, which security professionals can manage by making cyber hygiene important for everyone.

 

It’s also key to consider whether it’s a work-only device we’re talking about or one that the user can download their personal apps to. It may be a good idea to give employees a smartphone or laptop that they find more attractive, so they take better care of it

 

What benefits can an intergenerational security programme bring?

 

You need to embed security into the business culture for it to become everyone’s concern. Ease of use, which we are so focussed on, is one of the greatest behavioural risks for security. If using the same password around the place looks easier, we won’t bother to deal with a password manager.

 

Young generations’ irresistible urge to share information seems to outweigh the risks of sharing. Training and raising awareness are key, but so is culture, which will ensure that your employees are doing the right thing even when you’re not around.

 

Don’t put too much pressure on your employees by saying that they are the last line of defence or human firewalls. Explain to them that you have robust technology in place, but sometimes malicious phone calls or emails can slip through the security system and that’s why and when they must be on the lookout.

 

To motivate your people, you can give them cash rewards or recognise them at townhall meetings or make newsletter interviews with those who have reported threats. Intergenerational programmes are something of a taboo. Bringing in third parties to run security programmes can also guarantee better outcomes than in-house ones, especially in terms of gamification. 

 

For personalised, human risk-based training, however, it may be more worthwhile to develop programmes internally. While older generations are more exposed to smishing, where their mobiles are targeted, the highest risk for young people is social media.

 

 

The panel’s advice

 

If security isn’t sexy, you do it wrong.

 

Convenience will always trump security.

 

Your security campaigns are only as strong as your individuals are rewarded for pointing out things that don’t look right.

 

Employees will pick up bad habits that come from the top.

 

Make sure your people understand some of the intricacies of security and what you’re trying to protect.

 

Educate your employees the way you would talk to your family about cyber security. E-learning by itself won’t do the trick. ” Reach them before you can teach them.“