Not all millennials approach privacy and security with the same attitudes. As Tom Brewster discovers, regardless of age, a one-sized-fits all approach to information security is not the solution
Throughout the history of humankind, certain curmudgeonly types have claimed they are living through the decline and fall of civilization, brought about by a reckless, indulgent youth. Similarly, within business, there is a fear among organization elders – especially those hoping to secure the company from outside threats – that youngsters will bring about their employer’s demise.
It would be easy to disregard the complaining cranks, but there’s much evidence that younger generations are less caring about privacy and do less to protect their data. Many of those now entering the workforce will have grown up with Google as their guide and Facebook as their central social space, where they happily post personal details that would make many older generations blush. At the same time, cybercrime has continued its stratospheric rise, while security skills remain scarce.
Information security chiefs therefore have a right to be grumpy. Not only do they have to ensure the so-called millennials don’t threaten corporate privacy and security with their hyper-open attitudes, they have to ensure they don’t limit the most technologically literate generation in their workforce.
Reckless Youth
The Ponemon Institute has been tracking global attitudes about privacy for the last nine years. It has consistently found younger generations to be more careless with their privacy. Larry Ponemon, founder of the eponymous research organization, tells Infosecurity that millennials – those aged 30 or below – are more likely to fall into the ‘privacy complacent’ and ‘privacy sensitive’ categories. Those who are complacent openly do not care about keeping their data private, whereas those in the sensitive category say they are worried about it but do little to actually protect it.
Ponemon has also found those between 30 and 50 years of age are the most ‘privacy centric’, understanding the issues and taking action to protect their personal information. Those heading towards, or in, retirement tend to be on the sensitive side. “One reason is that younger folks have a general view that their privacy is long gone. They don’t seem to be harmed directly by it”, Ponemon says.
Many of the differences, says Alan Woodward, a professor in the Department of Computing at the University of Surrey, stem from differing levels of suspicion. “The trouble is the millennials don’t realize how open the internet really is”, he says. “Whereas someone like me tends to treat the internet such that they don’t put anything online that they would not wish published in a newspaper, youngsters tend to believe they have a conversation with a few of their ‘friends’ without realizing that it might be visible to all.”
Reactions to the Edward Snowden revelations on mass surveillance, itself a case of a young insider causing a serious security incident, have proven members of every generation are outraged when the government tramples on people’s privacy. But youngsters are clearly happier to be tracked by commercial organizations, Woodward adds. “I tell youngsters that nothing is free and that on the internet, if you are paying you are the customer, but if it’s ‘free’ you are the product...I hope there will be a line that youngsters will not allow online companies to cross.”
Attitudes are not always stable either, Ponemon studies have shown. “If you’re privacy complacent you’re not there for life. Similarly if you’re centric, you could shift to sensitive. People who are shifting from bottom to the middle are doing so because something bad happened to them”, Ponemon adds.
Privacy and Security: Together at Last
These differences in respect for privacy can have serious implications for the security of an organization, according to Ponemon. “One indicator of privacy centric individuals is that they’re willing to do good security. If they have a laptop they have anti-virus that is reliable, they change passwords and use complex ones. They may not be big users of social media, but if they do it, they use the highest privacy settings.”
Security firm ESET found the youth of today aren’t particularly interested in security anyway. Almost a third of Gen-Y professionals, those aged 18 to 30 years old, either don’t know or don’t believe their company has an IT security policy, while 52% are unaware that stolen data could be used against their employer. Half of the 1000 Gen-Y respondents said they believed it was almost always the responsibility of the business to guarantee the safety of data. This combination of irresponsibility and ignorance can present serious problems for security chiefs.
"Younger folks have a general view that their privacy is long gone" |
Larry Ponemon, Ponemon Institute |
Older generations, meanwhile, are far from flawless. For all their caution with privacy, they tend to be more trusting of people, even those trying to trick them. “They are just as vulnerable, if not more so, as they tend to trust people online when they say something: they take people at face value”, says Woodward. When it comes to threats like spear phishing, this is a major concern.
Access Denied
Other significant differences between older and younger generations lay in their usage of IT and adherence to policies. Shadow IT, the use of applications without the permission of IT departments, has been a growing problem. Huddle, a British content sharing platform provider, has seen many such cases where employees have adopted its technology without getting clearance. Often, it’s the younger workers circumventing IT.
“When it comes to using technology in the workplace, younger generations aren’t used to constraints and being restricted by an IT department. They don’t want to be pigeonholed by the expected way of communicating and, having grown up with technology at their fingertips, they won’t put up with poor legacy enterprise technology”, says Huddle CEO Alastair Mitchell.“Not having 24-hour access to corporate data will be a foreign concept to millennials and, if they’re not satisfied with the enterprise technology offered to them, they’ll find something else to use and bypass IT all together.”
A Huddle study discovered the 18–24 and 25–31 age groups were the worst offenders for stashing corporate documents in personal cloud services. While 16% of office workers used Dropbox to store work documents, that rose to 31% of 18–24 year olds and 24% of 25–31 year olds. As any CISO knows, Dropbox is not the most secure of file-sharing platforms.
Office workers aged 18–24 years old were also deemed the worst culprits for taking business data away with them on personal devices. Almost half said they kept work documents on personal laptops, with 23% storing work files on their personal smartphones.
“Clearly, companies are facing a huge security issue”, Mitchell adds. “People – particularly the younger generations – are storing enterprise-related information all over the place. Companies now have no idea where their content is kept or who has access to it and risk having their intellectual property walk out of the door with people.”
Education, Education, Education... and Technology
A blunt instrument, or a one-size-fits-all approach, will not help security professionals cope with the varying demands and risks concomitant with different generations. “Each scenario presents different challenges in regards to methods of deployment and existing security knowledge amongst staff”, says Mark James, technical team leader at ESET UK.
“All staff in any workplace, regardless of their demographic, need to be educated in security. However, younger staff, with their entire careers laid out ahead of them, will need to be paid particular attention.”
All age groups need to understand that data held in an ostensibly private secure online environment is not always private or secure, James adds. Training on spear phishing, recognizing an email-based threat, or any other kind of danger, will be a great boon to any organization too.
Outside of better education, there are technologies that can better accommodate youngsters and keep others happy. Full social collaboration platforms, with Facebook-like features such as groups and news feeds, can provide an enjoyable and secure place to share company data. More innovative approaches to identity management, letting workers access their applications via single sign-on from any device, will make corporate applications far easier to use.
Yet that kind of access management is often expensive, says Andrew Kellett, principle analyst for security at Ovum. “Identity management systems have been complicated, difficult to administer and employ”, he admits. “That type of technology... doesn’t get done because it is too costly.”
For those who can’t afford it, doing proper risk assessments, and determining where access threats are significant with quality intelligence, can help decide where to apply stronger authentication, Kellett says. He recommends attempting to do this on an as-a-service basis, thereby further reducing overheads. “Make it so it’s as seamless as possible. Then you may overcome the need for people to bypass IT.”
The easy approach to dealing with the new technologies and open attitudes youngsters bring with them into the workplace is to limit them as much as possible. But in adapting to their needs, security chiefs can welcome potentially efficiency-boosting technology into the business, while improving privacy for all.