The Millennial Security Risk
Millennials more likely than their baby boomer counterparts to engage in risky security behavior, report finds.
Millennials (ages 22 to 31) are now the single largest generation in the U.S. workforce, according to the U.S. Bureau of Labor Statistics. While hiring managers might be happy about the infusion of new energy and ideas, security staffs may not feel the same way.
Millennial employees are more likely than their older colleagues to behave in ways that put corporate data at risk, according to a new report by Absolute Software.
Sixty-four percent of millennials use employer-owned devices for personal use, for example, as opposed to 37 percent of baby boomers. In addition, 35 percent of millennials modify their default settings, compared to just 8 percent of baby boomers.
Respondents seemed to recognize such activities create risk, the survey found. When asked, 27 percent of millennials admitted accessing "not safe for work" content such as public WiFi, personal email and social media sites on devices used for work, versus only 5 percent of baby boomers. And 25 percent of millennials said they believe they compromise IT security, compared with 5 percent of their boomer counterparts.
Other surveys have yielded similar results. For example, a study by Aruba Networks found that six in 10 millennial workers regularly share their work and personal devices with others, and 22 percent said they have no security measures in place for their devices so they can share them more easily.
Millennial attitudes toward workplace security differ from those of their older colleagues because millennials are digital natives who practically grew up online, said Stephen Midgley, Absolute Software's VP of Marketing.
Security Policies Need Teeth
The big takeaway for IT security teams is the need for more flexible security policies, Midgley added.
"Because millennials grew up in a connected world, their expectations are different than those of previous generations. As millennials move into the workforce and up the corporate ladder, organizations need to be more adaptive with security policies," he said. "Gone are the days of having one generic policy for all employees. More progressive organizations are looking at having policies that allow certain flexibility in how employees use technology but also provide guidelines around clear ramifications."
Ramifications are important, Midgley said, given two other statistics from the report: Half of respondents said security was not their responsibility, and 30 percent said there should be no penalty for losing company data.
"If I was the head of IT, those data points would scare the heck out of me," he said. "IT is often accountable for data security yet not directly responsible for devices that contain company data."
Ramifications for risky security behavior are usually based on an industry's regulatory environment and an individual company's culture, Midgley said, adding that some of Absolute Software's customers charge the cost of stolen or lost devices back to department heads or even individual employees.
"That's a quick way to send a message to your staff," he said.
Absolute Software suggests a three-pronged approach to mitigating workplace security risks, including creating and implementing policies designed to address different types of employee behavior, providing employee education on security best practices, and using technology that offers a layered approach to data security with elements such as encryption, anti-malware and remote endpoint security capabilities.
Not surprisingly given the nature of Absolute Software's product lineup, Midgley said the most important feature for endpoint security technology is the ability for IT to maintain control over devices.
"With mobile workforces that are telecommuting and sometimes traveling around the world, IT needs solutions that ensure constant connection to that device and the data on it," he said. "Though every device should have encryption, there is no way of verifying it is properly installed and properly activated. IT needs a digital tether that allows it to take action if it believes a device poses a risk to the organization's security."
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.