Those fresh-faced new hires and interns who have invaded the office this summer bring with them eager minds and new perspectives, but they also carry a higher data security risk.
A study on U.S. mobile security by Absolute Software shows that Millennials -- many of whom are now joining the workforce -- hold the greatest risk to data security over other age groups. Shorter-tenure and younger respondents tend to have lower expectations of their own responsibility for corporate security, according to the study of 762 U.S. workers who use employer-issued mobile devices, including laptops, smartphones and tablets.
Even more shocking, half of all respondents to the study say that data security is not their responsibility, and 30 percent believe there should be no individual penalty at all for data lost from a mobile device.
“Millennials have a different perspective of how technology is being used,” says Stephen Midgley, vice president of global marketing at Absolute. “Part of it is a cultural divide in organizations between the older employee base, which we call digital immigrants, and new workers, the digital natives, who grew up with social media in an app-driven society and who have different expectations of how they should be used and consumed.”
This has many ramifications for companies, since nearly half of the workforce will be made up of Millennials by 2020 and will shape mobile use and data security policy going forward, according to a University of North Carolina study.
More than one in three American workers today are Millennials, defined as adults ages 18 to 34 in 2015. This year they surpassed Generation X, the workers before them ages 35 to 50, to become the largest share of the American workforce, according to Pew Research Center. Meanwhile, Baby Boomers, ages 51 to 65, are beginning to retire from the workforce but still maintain a strong foothold in leadership positions.
Midgley contends that organizations need to change and adapt their security policies to accommodate Millennials’ mobile practices. “Policies that may have worked five to 10 years ago may not be working today with this new crop of employees and contract workers,” he says.
Here’s a look at some of the ways Millennials put data at risk and what companies can do about it.
1. More Millennials use employer-issued mobile devices for personal use.
Almost two-thirds of younger employees (64 percent) check their social media or do online banking with their work devices, according to the study. While 37 percent of Baby Boomers are guilty of this, too, the difference is the level of risk that they’re exposing the company to, Midgley says. “Maybe the Boomer is sending emails to his or her spouse, or checking sports scores. Millennials tend to use more social media apps” without considering security configurations. “How many people don’t set privacy settings on Instagram and Facebook? The more often the device is used for personal use, the greater the exposure to the organization.”
2. Millennials modify their default settings.
More than a third of Millennials (35 percent) have worked around settings on their employer-issued device, compared to 22 percent of Gen Xers and 8 percent of Baby Boomers, according to the report. This could be as savvy as jail-breaking a device or as simple as downloading an unapproved app or adding their own VPN to access blocked sites. “IT usually sets standards for how apps should be used. Often they will be bypassing set security parameters defined by the organization” and putting the company at risk, Midgley says.
At German medical device manufacturer Karl Storz Endoskope in El Segundo, Calif., David O’Brien sees these types of infractions all the time.
“We’ve noticed that Millennials blur the lines between work and home” when it comes to mobile devices, says O’Brien, director of enterprise technology. “They install things on their laptops, mobile devices and [tablets].” The company manages about 2,200 employer-issued mobile devices, and “a good portion of them” are used by Millennials, he says.
O’Brien tries to combat the abuse through policies – “not just ‘this is what thou shall and shall not do’ – but they want to know why we’re doing it,” he explains. “We’ve found that if we’re very forthcoming with them, they get it. They still want to do it, of course. They still take their Surface tablet home and research the car they want to buy – but at least they understand what we’re doing.”
3. Millennials access more ‘Not Safe For Work’ content.
When it comes to social media sites where malware and phishing scams lurk, gaming sites, online shopping or video streaming, more than a quarter of Millennials access this not-safe-for-work content on company devices, compared with 15 percent of Gen Xers and 5 percent of Boomers, according to the survey.
A study by IBM, however, points to Gen X workers as the biggest NSFW offenders over all other groups. IBM found that Gen Xers are more likely to use their personal social media accounts regularly but for professional reasons -- to communicate, access information and market or sell their organization’s offerings, according to the study.
4. A quarter of Millennials believe they compromise IT security – but do little about it.
Younger respondents more often admit to compromising company security while using their devices than other age groups. “They assume IT is taking care of [data security] so they don’t have to worry about it,” Midgley says. “They believe they have no responsibility when they take devices that contain or have access to the corporate data outside” of the office walls – a tough position for IT managers, he adds. “The onus has to be on the employee to take the right security measures.”
5. Half of all workers believe that data security is not their responsibility.
The lack of ownership and lack of concern about security will probably get worse as Millennials move up into leadership roles and become a larger part of the workforce, Midgley says. “Companies need to get their act together and adopt new policies around this changing demographic,” he adds.
Reigning in mobile devices
Security leaders agree that employees must be trained regularly on data and mobile security practices. Employees also need to know what to do if a device gets lost or stolen.
O’Brien suggests building policies that address different types of employee behavior, but choosing your battles.
“I find that if I just give people a little bit [leeway], then generally I get more acceptance of our larger policies,” O’Brien says.“We have relaxed some of our controls a little bit. We’re not going to crack down on simple things like if they want to map their own drives or have wallpaper or screensavers.”
Software goes hand-in-hand with policies, Midgley says. IT departments need constant visibility over all devices on or off the network. They should also apply a layered approach to data security with encryption, remote endpoint security capabilities and anti-malware. O’Brien says mobile device management software is the cornerstone of his company’s mobile security strategy.
Going forward, “It will be interesting to see in next five to 10 years how [Millennials] shape up,” O’Brien says. “As they mature in their roles, maybe they will see things differently, they’ll learn through experiences and understand why” these mobile data security measures are necessary.
This story, "5 reasons why newer hires are the company’s biggest data security risk" was originally published by CSO.