How security smart is Generation Y?

Some experts call Millennials, or Generation Y, the 'new threat vector.' But others say the weakest link in the enterprise is people of any age group.

The generation gap has existed for — well — generations. But the current divide between twentysomethings and their elders in the IT workforce, at least according to some experts, goes beyond the older cohort simply shaking their heads and muttering, "Kids these days." There is, they say, a security divide.

Andrew Avanessian, vice president of Global Professional Services at Avecto, writing for USA Today's CyberTruth, called Millennials, also labeled Generation Y, "a new attack vector that is emanating from the inside."

Avanessian cited Cisco's 2013 Annual Security Report, which said that while Gen Y workers bring enormous IT expertise and technical understanding to their jobs, they also tend to ignore IT policies, demand freedom of access, shrug off a lack of privacy and are used to mixing their personal and professional lives, all of which can lead to cyber intrusions.

As Cisco put it, "Security risks rise in businesses because many employees adopt 'my way' work lifestyles in which their devices, work and online behavior mix with their personal lives virtually anywhere — in the office, at home and everywhere in between."

Christopher Ellingwood, writing at Berry Dunn, cited a survey by RSA, Inc. that found that more than 70 percent of Generation Y workers "admitted to conducting 'risky' behavior over the Internet such as posting too much personal and company information on social media sites."

"This generation, also known as the 'click-through' generation, expects information to be readily available and will download content, visit websites, and offer personal information in order to obtain information they seek. Many sites that are visited and files that are downloaded require an acceptance of the terms and conditions which the Generation Y user is highly likely to accept without reading," Ellingwood wrote.

It is not, for the most part, because workers are visiting shady sites. Cisco found that, "the highest concentration of online security threats do not target pornography, pharmaceutical or gambling sites as much as they do legitimate destinations visited by mass audiences, such as major search engines, retail sites and social media outlets."

Regarding privacy, Cisco found that, "most Generation Y employees believe the age of privacy is over (91 percent) & (and) are willing to sacrifice personal information for socialization online."

"In fact, more Generation Y workers globally said they feel more comfortable sharing personal information with retail sites than with their own employers' IT departments — departments that are paid to protect employee identities and devices."

Avanessian said in many cases those workers need added privileges to do their jobs.

"Restrictive policies that only allow them to do A, B and C actually hinder their workflow, slowing them down and potentially costing the organization in terms of efficiency and resources," he wrote, but added that the "inherent danger" is that even application controls don't stop those workers from opening up the system.

"When you couple administrative rights with the skills and expertise of today's savvy employees, antivirus and application controls can be disabled in seconds," he wrote.

Bogdan Botezatu, senior e-threat analyst at Bitdefender, said direct observation shows that, "Millennials are more likely to open the door to security threats in corporate environments. Since they are basically more interconnected than other demographic categories, they tend to expose more information about themselves."

Not everybody agrees. Guy Helmer, assistant vice president of data loss prevention at Absolute Software, said he doesn't think any specific generation is a new attack vector.

"As technology is embraced by all generations, it is natural for tech-savvy employees to want to have the same network and app access at work as at home," he said. "Gen Y employees are continuing the democratization of the data that started 30 years ago in the days of the personal computer."

Kevin Bocek, vice president of product marketing at Venafi, agrees that "Gen Y trusts technology to an extent that other generations have not — their rush to use social media and anything mobile are just some examples of trusting and embracing technology."

But, he says, they are simply the newest part of the most common attack vector.

"People have been known by cybercriminals to be the weakest link, and spawned the use of phishing, spear phishing, water hole attacks and more for years."

Mike Tierney, vice president of operations at SpectorSoft, agreed.

"Access and availability have always been at odds with security and privacy," he said.

Still, even some in the Gen Y age range acknowledge that the problem is at a new level with their age group. Reem Ateyeh, an account executive at HORN, is one.

Ateyeh said the "new attack vector" label is, "absolutely fair. Many Gen Y employees are tech-savvy, but not as security savvy as they ought to be. Often times, we do not realize the risk that our online activities can pose for our employers," she said, adding that even though she has become very security conscious through her work with IT professionals, "it is difficult to be cautious simply due to the vast number of tools available to share data and information."

But she adds that older generations may become more of a risk factor as they also become more socially connected.

"Whether or not Gen Xers are more security-savvy is an unknown, but they are by no means in the clear when it comes to enterprise security," she said.

What should enterprises do about it? While education about security is important for employees of every age, most experts say this is not something that companies can "train" their way out of. It is also not something the Gen Y cohort will outgrow.

"This is not a phase that a generation will grow out of," said Kevin Bocek. "This is an evolution in the way business is architected and run. Gartner refers to this change brought on in part by Gen Y and by social, mobile, and cloud as 'The Nexus of Forces.' These are unstoppable forces that are changing IT forever."

Guy Helmer's advice is to work with it, rather than try to stop it.

"In many instances, security incidents have occurred because tech-savvy employees find a work-around that will enable them to do their work," he said. "A good example is an employee using a cloud-based service like DropBox to share large files that are difficult to email or access on the network remotely. IT needs to approach the situation as an enabler, not an enforcer."

SpectorSoft's Mike Tierney said companies need to, "establish what is, and isn't, acceptable when it comes to data security," and communicate that clearly to their employees.

"There's an adage I read a few weeks back that puts it in context: 'What you allow, will continue,'" he said.

That, he said, leads to two options: "One is to lock it down — companies will have to choose security over productivity and keep employees' actions within the confines of security policy. The other is to allow a more open environment, but only on devices where the company can monitor usage and be notified when someone goes outside the boundaries of what's acceptable," he said.

"In either case, the onus is on the company to do all the work," he added.

Kyrk Storer, an account supervisor at HORN and also part of Gen Y, said clarity from employers would help. Since technology is an everyday thing and security risks "rarely cross our mind," it would help to have a "clear explanation on the part of the employer when we start our careers" about security policy.

Mike Denning, senior vice president and general manager of the Security business at CA Technologies, says being tech-savvy can be a security asset.

"From growing up in a world full of cyber-security risks, they often have a better intuitive sense of which actions are risky and which are not. For them, it has become second nature to not open email attachments from untrusted sources or to download risky applications."

But, he adds, "BYOD — the blending of work and personal on the same device, and being active on social networks — is a way of life. You don't grow out of it, nor should you, but you do need to protect and manage and operate smartly."

Copyright © 2013 IDG Communications, Inc.