It’s Time for Managers to Lead Security by Example, Not Blame Younger Workers

July 2, 2018

The age gap is something that all organisations over the years have had to deal with in one way or another. But the flood of consumer-grade technologies into the workplace in recent years has arguably widened that gap even further.

To learn more, Centrify recently polled not only 1,000 UK office workers aged 18-24 but also 500 senior decision makers. We found that the next-generation workforce is unfairly blamed for a range of perceived security issues, when in fact managers are the worst offenders.

To enable newer, more flexible and agile ways of working demanded by younger employees, organisations must work much harder to close the generation gap, and look to Zero Trust Security as a key component.

Insider risk

We should all know by now the dangers posed by careless insiders. According to Verizon, 28% of breaches it analysed last year were caused by employees, with user error a factor in 17%. Phishing in particular was present in 93% of breaches. What’s more, four out of the top five incident types reported to UK privacy watchdog the ICO in the last quarter stemmed from human error.

Security risks linked to employees can lead to serious breaches, potentially resulting in regulatory fines, remediation and clean-up costs, large legal bills and reputational damage — which can in turn cause a dive in share price and customer attrition. Managers must better understand the risks if they are to mitigate them effectively.

The security blame game

Unfortunately, there’s a serious perception problem when it comes to decision makers’ understanding of the security risk posed by next-gen workers. They believe younger employees are too relaxed about security, share data too easily (including passwords), trust technology too much, and represent a risk to the corporate brand via their activity on social media. Over one-third of decision makers (35%) believe that younger employees are mostly to blame for workplace data breaches, and 44% think they misuse technology.

The Centrify survey found that the truth is far different. Managers are often as likely, if not more so, to engage in risky practices. While 15% of next-gen workers admitted sharing passwords with colleagues, 16% of managers said that they do the same.

In addition, around twice as many managers as younger employees have:

  • clicked on a suspicious link
  • removed information from the company
  • logged onto a risky website

Policy and control fail

The bottom line is that decision makers are failing to lead by example on security. What’s more, they’re also failing to put effective policies and controls in place to manage security risk.

A fifth of those we spoke to fail to provide clear guidelines to staff. Of those that do, enforcement is failing: a quarter of younger workers are not following guidelines strictly enough, leaving their organisation vulnerable. Many policies have also failed to keep up to date with newer aspects of the threat landscape such as the dark web, social media and hacking forums.

Ultimately policies are only worth the paper they’re written on if backed up with effective controls. Yet a third of younger employees can access any files on the corporate network, and only two-fifths (43%) are restricted to accessing only data relevant to their roles.

What happens next?

So what do we need to see happen to close this generational gap and improve corporate security? There needs to be more of an effort on both sides to understand the concerns highlighted in this report, but ultimately the example-setting must come from those in decision-making roles. Only 12% of those we spoke to even regard senior managers as the main cause of security issues.

Next-generation workers are not blameless: they can fail to take responsibility for their roles in the bigger picture of corporate security and data protection. That makes effective user education programmes a must. Major corporate breach incidents — such as the recent incident at Dixons Carphone — can provide an excellent and timely starting point for any exercise, helping to remind users of the real-world consequences of their actions.

But perhaps most importantly, managers should look to adopt Zero Trust Security. Despite the name, this doesn’t mean distrusting those younger employees even more. Instead, it’s an enabler for the modern, flexible ways of working that the next generation are demanding. It means verifying the user each time, validating their device, limiting access and privilege and then using machine learning to adapt over time and keep log-ins as friction-free as possible.

Zero Trust Security is the way forward for the modern, digital-first organisation — an organisation that in just a few years will be run by the current “next generation” of employees.

To read the complete report, download “Security, Privacy and the Next-Generation Workforce”.
