September 2023

Mitigating the insider threat from digital natives

It’s often said that employees can be the weakest link in the corporate cybersecurity chain. What’s less frequently discussed is whether specific employee types represent a bigger insider threat than others. This could have a major impact on the bottom line. Insider threats cost global organizations an average of over $15 million to remediate last year, according to one estimate.

According to a new EY study, it is the younger generation of workers that takes cybersecurity less seriously. Finding a way to change behavior and encourage a more informed, responsible approach among digital natives will be tough for IT leaders. But it can be done.


What EY found

The study is based on a survey of 1,000 U.S. employees about their security awareness and practices. Those described as “Gen Z” or “millennials” (Gen Y) do not come across in a good light. Specifically, it reveals that:

  • Around half of Gen Z (48%) respondents and two-fifths (39%) of millennials admit to taking personal device security more seriously than protecting their work devices
  • Gen Z (58%) and Gen Y (42%) are more likely to disregard mandatory IT updates for as long as possible than Gen X (31%) and baby boomers (15%)
  • Gen Z (30%) and Gen Y (31%) are more likely to use the same password for a professional and a personal account than Gen X (22%) and baby boomers (15%)

At first glance, the findings would appear to be counterintuitive. After all, if digital natives are more tech-savvy, surely they better understand cyber risk and are motivated to follow security best practices? The study does not attempt to answer why this is not the case. It does reveal that the vast majority (83%) of surveyed employees understand their employer's cybersecurity protocols. So it appears that younger workers are deliberately choosing not to follow them.

A new era of hybrid working risk

This will be an increasing challenge for IT and security leaders as more Gen Z-ers make their way into the workforce. They’re predicted to account for over a quarter (27%) of workers by 2025. Could it be that, as the first generation to grow up with no knowledge of a world without the internet, they’re more nonchalant about the potential impact of risky behavior?

This increasingly matters in a hybrid working environment, where:

  • There is more freedom to take risks. One 2021 study found large numbers of home workers use corporate laptops for personal use, such as playing games, online shopping, and internet downloads
  • Remote employees may be more distracted and therefore error prone, which could lead to accidental clicks on phishing emails
  • Personal devices and home networks may not be as well protected as corporate equivalents

Start with training

In this context, corporate cybersecurity must be designed around people. That means controls that protect critical data and systems even when users make mistakes — such as encryption, multifactor authentication, and data loss prevention. It also means more assertively enforced policies around patching and remote device management, to reduce the attack surface across what is now a far more distributed IT environment. And it means revisiting and updating user awareness training programs.

Consider the following when evaluating this crucial part of any corporate cybersecurity strategy:

  • Find the right tools: Training solutions should offer highly customizable real-life simulations that can be tweaked as phishing tactics evolve. And they should deliver detailed metrics on user behavior, which can be used to feed back to employees and adapt the training approach.
  • Keep lessons short and sweet: Better to run regular impactful sessions of 10-15 minutes than bore users with infrequent, overly long lessons.
  • Leave nobody out: Everyone is a potential threat vector, from the boardroom down to part-timers and contractors. All should be included in training and awareness programs.
  • Focus on culture: Improving awareness of threats is one thing, changing behavior to encourage reporting of incidents is another. EY found that 16% of respondents would rather try to handle a possible security breach on their own than report it. Staff need to feel that they won’t be judged for “over-reporting.”
  • Consider expanding programs: With the lines between working and personal life increasingly blurred today, there’s a growing need to adapt training and awareness to cover both. Consider each employee’s home as a micro-satellite office.
  • No two workers are the same: It may be worth considering working with HR to profile users into distinct groups based on behavior and roles. Then training programs can be made more personal and relevant.

Despite the eye-catching headlines, user security awareness is not just a challenge for Gen Z/Y-ers. Across the board, EY found half or fewer respondents are “very confident” about using strong passwords, keeping work devices up to date, identifying phishing attempts, and other best practices. Only by focusing on people, process and technology can IT and security leaders better manage insider risk.


By Phil Muncaster

This article originally appeared on Journey Notes, the Barracuda blog.
