New research commissioned by Centrify has revealed that more than a third of senior executives perceive that younger employees are the “main culprits” for data security breaches in the workplace.
More worryingly, the study also reveals that, despite these concerns, the C-suite have taken little action to prevent their perceived ‘culprits’ from accessing critical data.
The study reported that over a third of 18-24-year-olds were able to access any files on their company network and only one in five had to request permission to access specific files. Fewer than half (43%) were found to have access only to the files that are relevant to their work.
The study, conducted by Censuswide, sought the views of 1,000 next generation workers (18-24-year-olds) and 500 decision makers in UK organisations to discover how security, privacy and online behaviour at work impact the lives of younger employees and the companies that they work for.
Password sharing tops the list of what keeps decision makers awake at night, at 56 per cent, yet 29 per cent of younger workers reveal that they are in the driving seat when it comes to password changes, with their employers leaving it to them to decide when a change is needed. Furthermore, 15 per cent of them admit to freely sharing passwords with colleagues.
Attitudes to social media and online behaviour
Asked how younger employees could negatively impact the workplace, 47 per cent of decision makers admitted they worry about them sharing social media posts and the impact these could have on brand and reputation.
One in five employee respondents admitted they were not bothered about how their social media activity might affect their employers, and 18 per cent freely admit that their posts could compromise employers’ security and privacy policies. Fewer than half say their company has social media guidelines in place, highlighting the need for strong social media access controls that follow the principles of a ‘Zero Trust’ approach to security, which assumes that users inside a network are no more trustworthy than those outside the network.
When it comes to this generation of workers, 40 per cent of decision makers are concerned about their misuse of devices, while 35 per cent say they are too trusting of technology and 30 per cent worry they share company data too easily.
Young workers ‘too relaxed’, say senior executives
While 79 per cent of decision makers report having a strong security policy in place and 74 per cent of them think that their employees abide by it, over a third (37 per cent) feel that young workers are too relaxed about security policies.
Decision makers also say the next generation of workers have a good awareness of the Dark Web (87 per cent), underground hacking (79 per cent) and crimeware (81 per cent). Although around half (48 per cent) say they have strict guidelines in place for employees accessing these new ‘dark arts’, 39 per cent feel they could be better.
“Some may think of younger workers as always online, always ready to share information and perhaps not being as concerned about privacy or security as older workers, but we must remember they are the business leaders of tomorrow and we must help not hinder them,” comments Barry Scott, CTO EMEA, Centrify.
“While it’s clear that employers are concerned about this new generation entering the workforce – and see them as a potential risk to both the business and brand – these same companies are perhaps guilty of not putting in place the right security processes, policies and technologies. If you give employees access to any information at any time from any place, or fail to enforce strict password and security policies, they are likely to take full advantage, putting both their own jobs at risk as well as the company itself.”
Millennials don’t pose any special risks – but untrained staff do, say security experts
Wayne Harris, cybersecurity expert for leading IT services provider ITCS, said that his actual experience does not bear out the perception that millennials pose any more risk than other employees. He said:
“The results of this study are concerning. It shows that our senior executives still don’t have a clue about cybersecurity and are making fear-led decisions based on preconceptions and judgements rather than actual risk assessments.
“All employees lead busy lives and are under occupational stresses that can lead to them making poor security decisions. While millennials may freely share passwords, older staff may leave them on a sticky note attached to their screen, ignore a virus warning or walk away from their desk without logging out, because they don’t appreciate the risks these practices pose. Every staff member should be viewed as insecure unless they have received security awareness training.
“Well trained staff add a layer of security protection, whereas untrained staff add additional risk – and no employee, including executives themselves, should have free access to more information than they need to do their job. If senior executives want peace of mind in a high-risk business climate, they should start by implementing robust security practices and investing in staff training for ALL age groups – urgently.”
Barry Scott, CTO EMEA, Centrify, agrees:
“Traditional network perimeters are dissolving and security professionals must adopt a Zero Trust approach that assumes bad actors are already on the network. With Zero Trust Security we verify every user, validate their device and limit their access to only the resources they need, and use machine learning to ensure the resulting improved security has no impact on efficiency. Let’s be clear that Zero Trust Security is not saying we’ve lost trust in our employees, but rather it enables them to work exactly the same way wherever they are, and provides the company with a stronger security posture.”