
Five Steps to Rein in the Millennial Security Risk

Millennials expose organizations to more security risks than any other generation. Read this post for what security professionals can do to address this growing concern.

In a recent article, we posed a simple question: “Are Millennials Putting Your Company at Risk?” Survey after survey says the answer is yes: Millennials (ages 18–34), who comprise about one-third of the U.S. workforce, expose organizations to more security risks than any other generation.

So what can security professionals do to address this growing concern? We spoke with two noted security experts to develop this list of five steps to help you rein in the millennial security risk.

Webinar: Criminal Access to Healthcare Information: What Can Be Done To Better Protect PHI?

Step #1: Recognize the Risk

Millennials are our first “digital natives.” They grew up with technology always at hand and have developed into the most tech-savvy generation ever to enter the workforce. You might therefore assume that millennials share the same awareness as other generations about the need to follow corporate security policies and take basic digital security measures such as changing passwords.

Don’t make that assumption.

Just because millennials have been using technology their whole lives does not mean they’ve been using it safely. Liz Fraumann, the director of Cyber Security Awareness and Education at ESET, a software security provider, notes that schools and parents often provide digital devices to young people without teaching them how or why to protect them.

“We give young people devices, and they explore and play and enjoy the wonderful side of technology,” says Fraumann. “But that may only encourage them to take risks, if they are not also made aware of the very real security issues.”

The lack of early education on digital security may be one reason, as Fraumann says, “Common sense isn’t common sense anymore.” In other words, organizations can’t assume that young workers will know why workplace controls are necessary and the damage that could be done if they are not followed.

Step #2: Invest in Education and Training

Once you accept that your tech-savvy millennial employees may be decidedly un-savvy about the need for digital security, the obvious next step is to educate them. David Childers, CIPP/US, a former board member of the Society of Corporate Compliance and Ethics (SCCE), emphasizes that you must educate millennials on the “why” of digital security measures as well as the “what.”

“If you aren’t conveying that because your company works with sensitive information it is critical to secure your data, and instead you’re assuming that millennials will have an innate respect for industry and an innate respect for information privacy—let me assure you, you’re making a mistake,” says Childers.

In fact, Childers says organizations need to recognize the need for not just isolated educational efforts but a much more profound cultural shift. Millennials, he says, don’t understand the need for workplace security measures, don’t recognize the risk, and don’t believe that they are part of the problem. Education and training must be ongoing and address all those areas to engender the cultural shift he believes is necessary.

Step #3: Meet Millennials Halfway

There is no shortage of research available on the millennial generation’s needs, preferences, and motivations, and some of that information could be helpful as you develop policies and training efforts that target this generation of workers.

For instance, one survey of millennials found that 61 percent believe operational structures and procedures are one of the biggest barriers to innovation. Little wonder, then, that 56 percent are “very” or “moderately likely” to evade restrictive workplace controls—they likely see security controls as part of a bureaucracy that gets in the way of productivity.

Once you understand the motivations and needs of your millennial employees, you can invest in measures that meet them halfway. For instance, millennials are known for their shorter attention spans and preference for online communications, so you may want to create a YouTube-like channel with short video trainings related to your security policies.

“Millennials want the CliffsNotes version. Policies need to be very short, directed, and clear, with details available as needed,” says Childers. “They will make pretty good decisions if you give them the information in bite-sized pieces, but if you write a clunky policy with no real-world examples in support, you won’t reach them.”

Since millennials are known to subvert IT policies in the name of expediency, also look for ways to streamline communication with IT. When a client sends your employee an application to download, can the employee quickly contact IT and find out whether the app is safe to install? If not, the employee may simply ignore your policy and download it anyway.

Step #4: Test for Compliance

Fraumann was recently among more than 30 people selected to take part in the FBI Citizens Academy, which teaches community leaders about the FBI’s work. The topics covered included cybersecurity, and yet, when the FBI sent a phishing email to the participants’ addresses, all but two of them (Fraumann being one of the two) fell for it.

The lesson is that it’s not just millennials who have to be educated and reminded repeatedly about the security risks related to their online behavior. It is easy for any employee to click on a dubious email, download a file or application without thinking, or connect to an unsecured Wi-Fi network.

To keep employees on their toes, many organizations are now testing their employees in much the same way the FBI tested participants in its academy. You can phish your employees through an internal effort or by hiring outside security consultants. Either way, the goal is to find out which employees are following policy and which ones need further training.
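The measurement side of an internal phishing test is where organizations most often get it wrong, either by putting the employee’s address in the tracking link or by counting every hit as a click. The following is an added example (not code from the original article or from the experts quoted in it) that issues each recipient an opaque HMAC-derived token, parses constructed web-server access-log lines in Combined Log Format, and attributes clicks back to employees. The recipient list, the log lines, the `/t/<token>` path and the secret are all assumptions for the illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample recipient list for the simulated campaign (not real addresses).
EMPLOYEES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def make_token(secret: bytes, email: str) -> str:
    """Per-recipient opaque token: HMAC-SHA256 over the address, truncated to 16 hex chars.
    The address never appears in the URL, so a forwarded link reveals nothing about who got it."""
    return hmac.new(secret, email.encode(), hashlib.sha256).hexdigest()[:16]


def build_campaign(secret: bytes, employees) -> dict:
    """Map each issued token back to the employee it was sent to."""
    return {make_token(secret, e): e for e in employees}


def tracking_url(base: str, token: str) -> str:
    """Link embedded in the simulated phishing mail (assumed /t/<token> layout)."""
    return f"{base}/t/{token}"


# Combined Log Format as written by nginx/Apache (assumed layout for the sample lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TOKEN_PATH = re.compile(r"^/t/([0-9a-f]{16})$")


def parse_clicks(log_lines, campaign: dict) -> dict:
    """Attribute GET hits on /t/<token> to employees.
    HEAD probes (typical of mail-gateway link scanners) and tokens that were never issued
    are ignored, so guessed or mangled URLs do not count as clicks."""
    clicks = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = TOKEN_PATH.match(m.group("path"))
        if not p or m.group("method") != "GET":
            continue
        email = campaign.get(p.group(1))
        if email is not None:
            clicks[email].append((m.group("ts"), m.group("ip"), m.group("ua")))
    return dict(clicks)


def report(campaign: dict, clicks: dict) -> dict:
    """True for employees who clicked at least once, False for those who did not."""
    return {email: email in clicks for email in campaign.values()}


def sample_log(secret: bytes) -> list:
    """Constructed access-log lines: alice clicks once, carol clicks twice, bob never does,
    plus a scanner HEAD probe and a token that was never issued, neither of which may count."""
    a = make_token(secret, "alice@example.com")
    c = make_token(secret, "carol@example.com")
    return [
        f'203.0.113.5 - - [10/Oct/2023:09:14:02 +0000] "GET /t/{a} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        f'198.51.100.7 - - [10/Oct/2023:09:15:40 +0000] "HEAD /t/{c} HTTP/1.1" 302 0 "-" "LinkScanner/1.0"',
        f'198.51.100.7 - - [10/Oct/2023:09:20:11 +0000] "GET /t/{c} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        f'198.51.100.7 - - [10/Oct/2023:09:21:30 +0000] "GET /t/{c} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '192.0.2.9 - - [10/Oct/2023:09:30:00 +0000] "GET /t/0123456789abcdef HTTP/1.1" 404 0 "-" "curl/8.0"',
    ]


def run_campaign(secret: bytes) -> dict:
    """End-to-end: issue tokens, read the log, return who clicked."""
    campaign = build_campaign(secret, EMPLOYEES)
    return report(campaign, parse_clicks(sample_log(secret), campaign))


if __name__ == "__main__":
    for email, clicked in run_campaign(b"constructed-campaign-secret").items():
        print(f"{email}: {'clicked' if clicked else 'no click'}")
```

Two caveats a practitioner should carry into a real campaign: mail security gateways routinely fetch links before the recipient ever sees the message, so a GET arriving seconds after delivery from a non-browser user agent is a scanner, not a click, and should be filtered by the same kind of rule that drops the HEAD probe above; and the per-campaign secret (and thus every token) should be retired once the campaign closes, so old links stop resolving.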

Step #5: Hold Millennials Accountable

Let’s say you recognize the risk posed by millennials’ lax behaviors around digital security. You invest in education and training, and you make sure your security efforts are geared toward the unique motivations and learning processes of millennials. Maybe you test all your employees as well, providing feedback and reminders about desired behaviors.

What else can you do? Childers emphasizes that about 12 percent of employees have always been “bad actors.” He says, “I bet that hasn’t changed in eight generations. A certain percentage of employees will always subvert your policies and procedures.”

For those employees and others who are not following workplace policies, you must hold them accountable. That’s important for all employees, but perhaps more so for millennials. “Millennials are known as the ‘me’ generation,” says Fraumann. “They want immediate gratification, and sometimes they don’t seem to care about the company or its reputation. When that’s the case, organizations are left with no choice but to take corrective actions.”

Those corrective actions may include further education and training or removal of credentials. Ultimately, you may need to dismiss some employees who are unable to follow your corporate security policies—no matter their age.


About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.