
IT Security's Next Big Threat: Young People

Generation Y user behavior could endanger security of enterprise systems, studies say

First, it was viruses. Then it was financially motivated hackers, followed by insider threats. And the next big danger? People who can't remember the Bee Gees.

During the past two weeks, IT security managers have been getting a new warning that turns the old '60s hippie slogan -- "Never trust anyone over 30" -- upside down. The new message: Twenty-somethings are putting the corporate network at risk.

Since Nov. 5, three separate studies -- from Accenture, Intel, and ISACA, a major IT users group -- have indicted the youngest generation of employees as one of the enterprise's newest and most serious security risks. People under the age of 28 -- sometimes called Generation Y and sometimes called Millennials, depending on how you define the category -- are engaging in online behavior that could expose their organizations to data leakage and information theft, the studies say.

The Accenture study, published two weeks ago, queried more than 400 students and employees ranging from age 14 to age 27. It found that more than half (60 percent) of young people "are either unaware of their companies' IT policies or are not inclined to follow them."

"When asked which technologies they currently use or access for work-related activities that are not supported by their employers, mid-Millennials [respondents aged 18 to 22] cited mobile phones (39 percent), open source technology (19 percent), instant messaging (27 percent), online applications (12 percent), and social networking sites (28 percent)," Accenture says. "Similarly, they regularly download non-standard technology from free public Web sites such as open source communities, 'mashup' and 'widget' providers."

"The message from Millennials is clear: To lure them into the workplace, prospective employers must provide state-of-the-art technologies," says Gary Curtis, managing director of Accenture Technology Consulting. "And if their employers don't support their preferred technologies, Millennials will acquire and use them anyway. In order to acquire and retain the best talent, organizations must understand the technologies that the new workforce expects -- and then find a way to support their employees without compromising enterprise security."

In a study published Nov. 13, Intel and the research firm of Penn Schoen & Berland Associates offered similar conclusions. The survey of IT professionals indicates that while younger employees are having a positive impact on the enterprise and its use of cutting-edge technology, they also create a new security risk. About half of the respondents regard Generation Y as a serious security concern, according to the study.

Younger employees' propensity to download non-sanctioned applications and social media tools was one of the chief reasons cited for IT professionals' concern. Risks posed by social networking sites such as Facebook and MySpace were the most frequently mentioned, according to the study.

Interestingly, the Intel study suggests that many IT organizations are changing their behavior to accommodate the younger employees, rather than the other way around. Nearly 30 percent of the IT pros surveyed said they have changed their IT policies to meet the demands of Gen Y, allowing employees to access their work e-mail from noncompany smartphones or other devices and, in some cases, relaxing their rules surrounding the use of social networking sites.

Some respondents to the Intel survey said they believe that tools for controlling or blocking access to certain applications or sites might be effective in controlling the Gen Y problem. Others said they will look toward tools that monitor employees' online activity and flag risky behavior.

In a study published last week, IT professional association ISACA focused its attention on online shopping at work, which is a common IT concern as enterprises approach the holidays. The study, which surveyed 973 consumers and more than 3,100 IT professionals, indicates that 63 percent of employees plan to shop online from their workplace computers. Like the other researchers, ISACA found that the greatest danger from online shopping behavior comes from Millennials -- those in the 18 to 24 age bracket. Forty percent of Millennials in the survey said they will spend up to five hours doing online shopping from their desks this holiday season. Ironically, this group is the least concerned about the security of their work PCs; almost half said they pay more attention to the security of their home machine than to the security of their office machine.

"This survey clearly shows that younger employees are more likely to engage in online activities at work that put a business' IT infrastructure at risk," said Kent Anderson, a member of ISACA's Security Management Committee. "The fact that [they] are planning to spend the equivalent of more than half a work day doing holiday shopping from their work computer, combined with their lack of concern for how secure their computer is, points to an urgent need for employee education."

When end users give their workplace e-mail address to an online retailer, they can leave the enterprise network open to a variety of threats, ISACA observed. "Yet more than two in 10 (22 percent) respondents have clicked on an e-mail link to go to a retailer's Web site from their workplace computer, and used their company e-mail address as the contact for a purchase," the study says. "In addition, one in four (26 percent) respondents either does not check -- or is unsure how to check -- the security of a site before making a purchase."

In a parallel survey of IT professionals, ISACA found that nearly half (46 percent) believe that their companies will lose an average of $3,000 or more in productivity per employee from online holiday shopping at work. More than half (55 percent) also reported that their company permits workers to shop online, but has no strategy for educating them about the risks.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
