Jim Routh and Gary McGraw examine why twenty-somethings skateboard right past security controls, and what it means for employers (i.e. you!)
By Jim Routh and Gary McGraw
November 02, 2009 — CSO —
The insider threat, the bane of computer security and a topic of worried conversation among CSOs, is undergoing significant change. Over the years, the majority of insider threats have carried out attacks in order to line their pockets, punish their colleagues, spy for the enemy or wreak havoc from within. Today's insider threats may have something much less insidious in mind—multitasking and social networking to get their jobs done.
There's a growing risk within most organizations today that is clearly an insider threat but is also clearly not caused by a disgruntled or disillusioned employee. In fact, the new insider threat is more likely to manifest itself as a gung-ho new employee or contractor. And more often than not, the new insider threat is a recently hired twenty-something. We've coined the term "lifestyle hacker" to refer to this new cadre of insider threats. The lifestyle hacker does not have malicious intent. Nevertheless, the lifestyle hacker is highly successful at skirting various corporate controls put in place to protect security-related websites and critical endpoints. The most interesting and ironic aspect of the lifestyle hacker is that he is motivated by the pursuit of productivity, often the very same motivation driving the implementation of various corporate controls (including but not limited to Web proxies, DLP solutions, firewalls, etc.).
Tightly managed organizations (especially huge financial corporations) often block access to Web 2.0 capabilities in order to "promote productivity of staff." However, this very same staff often desires to utilize Web 2.0 capabilities (including social networking, external IM, Skype, Twitter, etc.) in the name of enhancing personal productivity. And never the twain shall meet!
This conundrum exists as the inherent conflict between those who make the rules and those who break the rules, both of whom are driven by the exact same motivation—being more productive in the work environment. There are two fascinating and problematic aspects of this situation worth mentioning:
1. The population of lifestyle hackers is growing in size and diversity as demographics of new hires shift toward those people who grew up on the Internet.
2. Neither the corporate decision makers who make the rules nor the lifestyle hackers understand the security ramifications of emerging and evolving Web 2.0 capabilities (see McGraw's article "Twitter Security" at www.informit.com/articles/article.aspx?p=1350268).
To get a handle on the growth of the lifestyle hacking problem, consider this: One Wall Street firm we're both very familiar with estimated that 45 percent of all security incidents in the past two years were lifestyle hacks. A quick look at demographics reveals what's going on. The root of the problem is that newly minted staff members being hired today were generally born in the late '80s; their managers and rule-imposers are of the Baby Boom generation (born between 1947 and 1961). Baby Boomers were brought up with television as the dominant household technology, while the Net Generation (as Don Tapscott calls them in Growing Up Digital: The Rise of the Net Generation) was exposed to the Internet as early as they can remember (and some even earlier than that). Television is a mostly passive broadcast medium. By contrast, the Internet promotes widespread collaboration. This difference engenders significant divergence in behavior for the two generations. Baby Boomers focus on a single task when under pressure, while the Net Generation prefers multitasking.