Data security breaches: are the young the main culprits?

News by Anna Hibberd

Several high-profile brands have been hit by breaches during the past 12 months but could it be younger workers that pose the biggest risk to organisations and their brands?

Centrify surveyed 1000 UK office workers aged 18 to 24 and 500 UK senior decision makers to measure what the decision makers think of the next generation workforce’s approach to security and compare it to real-world attitudes. Is there a significant gap between perception and reality in decision makers’ view of younger workers?

Centrify's CTO Barry Scott explained that the organisation were keen to carry out the research to find out more about the next generation of workers and how their behaviour could impact security in the workplace.

Centrify's CTO Barry Scott explains the vulnerabilities that some younger workers introduce into companies, primarily due to attitudes to social media and privacy.

"We wanted to find out the attitude of the 18-24 demographic and compare it with the attitude of the senior decision makers," said Scott "A third of decision makers thought this age group were the main culprits for data breaches, with 56 percent worried about password sharing. This really must stop because compromised credentials are the main cause of breaches in the workplace."

When it comes to social media, both Scott and SC editor-in-chief, Tony Morbin, believed that the main problem among the 18-24 age group was a lack of understanding about the potential dangers. The results showed that 21 percent of younger workers do not worry about how their social media activity might affect their employers, and 18 percent freely admitted that their posts could compromise security.

"It’s a shared responsibility," argued Scott. "Companies need to have a policy in place to say what is acceptable and what isn’t. And the company needs to protect people from themselves, by not allowing them access to potentially sensitive information."

This lack of awareness was a continuing theme, with the majority of the younger generation having an "it won’t happen to me" attitude, said Morbin.

"It’s actually incredibly likely to happen – and it’s a risk to our businesses. In fact, one of the statistics from another report suggested that small and medium enterprises are more at risk of going out of business within six months of being breached. So it’s really serious and it’s happening everywhere," said Scott.

What can be done to mitigate these risks?

"Companies need to have a reasonable plan in place for training so people respond to it, not just go through the motions. It’s good to remind people of the ‘real’ dangers and not to just look at it as a process of ‘ticking a box’," said Scott.

Scott also offered some useful tips and guidance on keeping your data safe. "Ultimately, it comes down to making sure your identities are secure. Using systems such as single sign-on, multi-factor identification and only allowing people access to the information that they need.

"We’re championing a framework called "Zero Trust Security’ at Centrify. The security industry used to have a castle and moat type approach to security – whereby everybody in the office was trusted and everyone on the outside wasn’t – but very few people are in the office nowadays. Zero Trust Security puts various processes in place. One is to verify the user, the second piece is to validate the device, and the third is to limit access, only allowing access to do the things that you need to do at that time," said Scott.

He also insisted on the importance of changing the perception that security procedures get in the way of people doing their work. Results showed that 22 percent of decision makers were most worried that next generation workers expected immediate access, implying that security procedures would inhibit productivity.

As a result, Scott explained the fourth piece of Zero Trust Security: a combination of analytics, machine learning, user profiles and policy enforcement. Here, access decisions are made in real time to streamline low-risk access, but if unusual behaviour is detected that hints at the possibility of a data breach, authentication requirements are stepped up to keep data secure.

The need for greater training was the overall conclusion that could be drawn from the survey.

Managers’ assumptions that next-generation workers are the root of cybersecurity problems in the workplace may be overstated, but there are some areas, such as social media use and password management, where younger workers do need extra mentoring. Decision makers can do more to address this problem by putting technical controls in place, refining security policies and communicating them effectively to employees. Equally important is leadership and the need for decision makers to set a good example.
