Beware the millennials: New year brings need for new security measures

By Rick Kam
12:59 PM

2016 is here: A year in which more and more millennials will be punching the employee time clock. In fact, millennials (ages 18–34) comprise about one-third of the U.S. workforce and have already surpassed Generation X to become the largest generation of American workers.

Millennials bring a lot of positives to the job, but one negative is poor security habits

An alarming survey by TrackIT found that 60 percent of millennials "aren't concerned about corporate security when they use personal apps instead of corporate-approved apps." And yet another study in 2014 by the National Cyber Security Alliance and Raytheon found that 52 percent of the 1,000 people (ages 18­26) surveyed had plugged in a USB device given to them by someone else. 

So what can security professionals do to address this growing concern? We spoke with two noted security experts to develop this list of six steps to help you rein in the millennial security risk.

Step #1: Recognize risk
Just because millennials have been using technology their whole lives does not mean they've been using it safely. Liz Fraumann, the director of Cyber Security Awareness and Education at ESET, a software security provider, notes that schools and parents often provide digital devices to young people without teaching them how or why to protect them.

"We give young people devices, and they explore and play and enjoy the wonderful side of technology," she says. "But that may only encourage them to take risks, if they are not also made aware of the very real security issues."

Step #2: Invest in education and training
David Childers, US/CIPP, a former board member of the Society of Corporate Compliance and Ethics (SCCE), emphasizes the need to educate millennials on the "why" of digital security measures as well as the "what."

In fact, Childers says organizations need to recognize the need for not just isolated educational efforts but a much more profound cultural shift. Millennials, he says, don't understand the need for workplace security measures, don't recognize the risk, and don't believe that they are part of the problem. Education and training must be ongoing and address all those areas to engender the cultural shift he believes is necessary.

Step #3: Meet millennials halfway
There is no shortage of research available on the millennial generation's needs, preferences, and motivations, and some of that information could be helpful as you develop policies and training efforts that target this generation of workers.

"Millennials want the CliffsNotes version. Policies need to be very short, directed, and clear, with details available as needed," says Childers. "They will make pretty good decisions if you give them the information in bite-sized pieces, but if you write a clunky policy with no real-world examples in support, you won't reach them."

Step #4: Test for compliance
Fraumann was recently among over 30 people selected to take part in the FBI Citizen's Academy, which teaches community leaders about the FBI's work. The topics covered included issues related to cybersecurity -- and yet, when the FBI sent a phishing scam to participants' email addresses, every student except two (including Fraumann) fell for the scam.

To keep employees on their toes, many organizations are now testing their employees in much the same way the FBI tested participants in its academy. You can phish your employees through an internal effort or by hiring outside security consultants. Either way, the goal is to find out which employees are following policy and which ones need further training.

Step #5: Hold millennials accountable
For those employees and others who are not following workplace policies, you must hold them accountable. That's important for all employees, but perhaps more so for millennials. "Millennials are known as the 'me' generation," says Fraumann. "They want immediate gratification, and sometimes they don't seem to care about the company or its reputation. When that's the case, organizations are left with no choice but to take corrective actions."

Step #6: Implement an agile incident response process
Humans -- millennials and otherwise -- remain a top security concern, as evidenced in the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, and the best way to mitigate all types of security risks is to be prepared with an agile incident response process, in which people with different areas of expertise--privacy, security, risk, compliance, etc.--work together toward clearly defined goals based on business priorities, giving brief progress reports daily and adjusting priorities based on the developing situation.

Millennials may be tech-savvy, but they're not always security-smart. Understanding the millennial mindset and training them accordingly will increase security awareness, as we head into 2016 and beyond.  

Rick Kam is president and co-founder, ID Experts and Mahmood Sher-Jan is executive vice president and general manager of the RADAR business unit at ID Experts.