Millennials, also known as Generation Y (after Gen X) and Generation C (for Connected), should perhaps be called Generation Leaky, at least according to some experts.
Various surveys have found that workers born between the early 1980s and early 2000s are much more concerned with productivity and convenience than security, to the point where they will ignore IT directives or work around what Adweek blogger Kimberlee Morrison called called, “clunky security mandates.”
That is also the view of security executive Chris Rouland, who declared in a recent Dark Reading post that Milliennials, “have no interest in protecting their data.
“They will pay double for organic bread,” he wrote, “… but they place seemingly no value on the integrity and security of their personal identifiable information, let alone the consequences a hack could have on their friends, families, colleagues and employers.”
He noted that the recent breaches of Yik Yak and Snapchat didn’t reduce the use of those apps. “Leaked personal photos and private information seem to not just be tolerable in this demographic, but almost expected,” he wrote.
Indeed, CSO recently reported that studies have found that some workers put more importance on sharing information about themselves than in making more money.
The security implications of such attitudes could be large. Ages 22-24 are the top three in population in the U.S. And with Boomers and Gen Xers moving toward retirement, Millennials are about to become the largest generation in the workforce.
If they really don’t care about security, it would seem they will be creating an expanded threat landscape that will be a hacker’s dream and an organization’s nightmare.
And some experts argue that it is indeed that bad, for a number of reasons:
Need for speed
Andrew Avanessian, executive vice president of consultancy and technology solutions at Avecto notes that, “Millennials are the most connected generation in history, and with that comes this new mentality where everything should be instant – information and communication at the click of a button.”
If security protocols interfere with that, they’ll go with speed and convenience. “The likely result is that they’ll bypass those settings completely, or turn to another, unsecure, platform that doesn’t have those perceived barriers,” he said.
The personal/professional merge
“Millennials link everything from financial accounts to very personal information from social media apps everywhere, on every device,” said Tom Bain, vice president of Security Strategy at CounterTack. “Sixty percent of all mobile attacks are capable of stealing money from Millennials,” he said, noting that mobile attacks globally are growing by a factor of 10 every quarter.
“So the more data that is available, mostly on mobile apps and devices, the better the opportunity for hackers to hack individuals and ride those coattails into corporate networks freely.”
Avanessian added that today’s digital workers like applications that are, “sleek, intuitive, and have the same look and feel as products they're already familiar with. This is why we see many employees using platforms such as Dropbox or Skype for business purposes. But these kinds of applications were largely designed with the consumer in mind – not for the business professional who might be handling sensitive content.”
That extends to devices, according to Raj Dodhiawala, senior vice president and general manager at Mantech Cyber Solutions International. “I know Millennials who want to use their personal devices at work because they are more powerful and capable than standard issue desktops,” he said.
Ignorance isn’t bliss
Dominique Singer, principal of Security Solutions Architecture at Hexis Cyber Solutions, contends that Millennials are poor at security not because they don’t care, but because they don’t know enough to care.
“They have grown up in a world of ‘data everywhere’ and ‘information everywhere,’” he said, “and have been conditioned to expect easy access to any kind of data, especially social media. They haven’t been conditioned, or even slightly educated, on the importance of protecting their data.”
Dodhiawala added that while Millennials do care about protecting their data, “they just don’t have a good sense for what constitutes private, personal or sensitive data.
“Putting their date of birth on Facebook is considered routine, for example,” he said. “Intuitively, they share first, and protect minimally.”
A matter of trust
Millennials tend to trust technology more than they should, according to Bain. “They just have implicit trust in apps, carriers and the devices they use, that anything they do or say is protected. They are 99% blind to the growing threatscape,” he said.
Pushing for privileges
Along with the expectation of instant communication comes the expectation of easy access. Avanessian said Millennials have grown up in an online world where access was always easy and immediate, and bring those expectations to the workplace, in the form of demands for elevated privileges.
“We conducted a survey a couple years ago that found that male employees between the ages of 25 to 35 years old were most likely to demand elevated rights,” he said.
And while that may improve productivity, “the problem is that it gives users the ability to make system tweaks or unauthorized application downloads. This significantly increases the potential for malware to invade the system and open the entire corporate network up to vulnerability,” he said.
While there is little disagreement that Millennials exhibit those vulnerabilities, other experts say they are not alone – that older workers can be just as bad.
Armond Caglar, senior threat specialist at TSC Advantage, agrees that the majority of social media users, who willingly surrender their personally identifiable information (PII), are Millennials. But, he noted, millions in other age groups do so as well.
He said LinkedIn, the career networking site, tends to be used by older workers and is arguably more dangerous than Facebook or Snapchat since, “the biographic, educational and personal data that is volunteered here is way more valuable to a potential adversary than an Instagram shot of a Millennial’s brunch on a Sunday morning.”
Caglar is also among numerous experts who have pointed out that many corporate executives, “ignore the perils associated with using free Wi-Fi or willfully abandon certain security best practices when traveling internationally.”
Andrew Deacon, channel sales engineer EMEA at Hexis Cyber Solutions, also said he thinks the issue is larger than a single demographic group. “It is how technology and social media has changed the rules of society,” he said, arguing that online and face-to-face interactions are, “totally different.”
Most people would never give a stranger on the street their banking information, even if he promised to put money in their account. But online, “a lot of people would send their bank details.”
That, he said, is because, “online, we lack non-verbal communication cues that subconsciously give away a person’s true intentions. We have also been told from an early age to be wary of strangers offering you candy.”
Online, “most people share all sorts of data and nothing bad happens right? So they think it must be safe.”
And Perry Dickau, director of product management at DataGravity, said it is human nature to ignore risks that haven’t caused any damage yet.
“Many organizations still choose to be reactive to situations rather than to proactively try to prevent them, and why should they? From their perspective it’s a tedious, costly proposition with questionable yield,” he said.
Dickau and others say that blaming Millennials is not going to fix the problem – it will take an organization-wide effort.
“For data security solutions to actually work, it’s extremely important that they don’t disrupt user productivity – in fact they should promote their freedom. There are technologies out there that can achieve this,” Avanessian said.
Dickau said it will take a combination of technology and awareness training. “Fundamentally, data is exposed and vulnerable at the moment it is created, by default creating a requirement to protect and secure it whenever it is stored,” he said, adding that while training is also crucial, “it is just another piece in the overall security puzzle.
“Technology will only supplement the human element in any security, privacy, and compliance equation,” he said. “The two elements need each other to work successfully – one cannot replace the other.”
Bain does not see that happening on a broad scale anytime soon, however. “It will get worse before it gets better because organizations can’t change behavior with security policy enforcement,” he said. “Saying ‘don’t’ will just make them want to do it more, and productivity will decrease if employees aren’t able to use their social media accounts at work, or talent will go where the environment is more open.”