Are Millennials Putting Your Company at Risk?

Here are a few things we think we know about the millennial generation:

• They are young: 18–34 years old in 2015.
• They are outnumbered by baby boomers.
• They are highly tech-savvy, which makes them less of a security threat to businesses.

The problem is that only the first of those three common assumptions is true. This year, millennials will pass baby boomers to become the single largest generation in the workforce. That’s why it is so vital to understand their security habits—and lack thereof.

Consider these findings from a 2015 online survey by Software Advice of 529 business employees:

• Millennials re-use passwords more than other demographics—85 percent admit to re-using credentials across sites and services.
• Sixteen percent of millennials accept social media invites from strangers “most of the time.”
• Forty percent of millennials use personal devices to access work files.
• Fifty-six percent of millennials admit that they are “very” or “moderately likely” to evade restrictive workplace controls.

Another frightening survey by TrackIT found that 60 percent of millennials “aren’t concerned about corporate security when they use personal apps instead of corporate-approved apps.”

And yet another study last year by the National Cyber Security Alliance and Raytheon found that 52 percent of the 1,000 people (ages 18­–26) surveyed had plugged in a USB device given to them by someone else. And that is despite the fact that 60 percent reported having suffered an online violation such as identity theft within the prior 12 months.

Why Aren’t Millennials Being More Careful?

It is true that millennials as a whole are more tech-savvy than older generations. So why don’t they know better than to put themselves and their companies at risk?

The problem does not seem to be a lack of awareness of the need for digital security. Kelly Merrick, a 29-year-old communications manager in Portland, Ore., says she reads the headlines about major data breaches and worries about the issue—it just hasn’t changed her personal habits. “I’m aware and concerned about data breaches,” she says, “but I know I’m not nearly as diligent as I should be.”

David Childers, a former board member of the Society of Corporate Compliance and Ethics (SCCE) and Certified Information Privacy Professional (CIPP), thinks the problem likely stems from the comfort level millennials have with technology. “Millennials have grown up in the Facebook era. They are very accustomed to sharing information, and unfortunately, they don’t always see an unguarded Internet as a problem.”

Another millennial, 26-year-old mechanical engineer Katie MacKenzie, says she is fully aware of the risks and potential harm of data breaches. The problem, she says, is that the pace of business today doesn’t allow for strict adherence to workplace controls.

MacKenzie’s clients sometimes use browsers, apps, and email systems that her IT department disapproves of. That puts employees like her in a difficult position. “Our clients have their own means and methods of communicating, and they expect us to jump over to whatever they’re using. It may not be the best practice from IT’s perspective, but we can’t afford to slow down.”

When she has to download software onto her work device, MacKenzie says, “Ideally I would spend time looking at third-party or peer reviews, but in reality sometimes there isn’t enough time to do that. If the software is from a vendor we work with, I assume we can probably trust them.”

Of course, that’s not what IT wants to hear—a fact MacKenzie understands. “IT ends up cleaning up our mess, which I know they hate, but that’s how fast-paced jobs are,” she says. “I’m not saying that’s a good thing. I know that they have a challenging job, and I know I’m one of the people who makes it more challenging.”

What can businesses do?

Whatever the sources of the problem, it’s clear that to stay secure, businesses must find a way to connect with millennials and create security policies they can and will follow.

Continuing to educate millennials about security risks and workplace policies remains a good idea, especially if the education addresses the practical issues millennials face in their day-to-day work.

Childers notes that training efforts should be tailored to millennials’ preferences and habits. “They would rather pull their eyes out of their heads than watch an hour-long training, so companies need to get smart and create shorter vignettes that are available online and on-demand,” he says.

Some companies are also investing in the types of collaboration and productivity apps millennials want to use, so they will reduce their reliance on personal and third-party apps.

In sum, the best solutions will likely involve finding ways to work with millennials instead of against them—after all, they are now in the majority.