by Dan Cook
If the IT department suspects the rest of the company harbors rogue app downloaders, it should look for the perps among staff millennials first.
That’s what a survey of 1,500 North American workers by IT solutions provider Softchoice might suggest. The survey queried workers on cloud security-related issues and found that millennials are far more likely than their elders on the job to go behind IT’s back to download apps—often unauthorized ones.
Online security is a red-hot topic these days as more services move to the cloud. The cloud’s many advantages—unlimited storage, easy access from anywhere, seamless and non-disruptive upgrades—have made its evolution rapid and its dominance inevitable.
But security experts, including Bhushan Gupta, an invited speaker at PNSQC 2016, warn that the mass movement to the cloud has placed many companies’ data at risk. And bad behavior by employees, whether intentional or not, is responsible for a high percentage of security breaches.
The survey’s title may not say it all, but it says a lot: (Still) Careless Users in the Cloud. Despite the volumes that have been written, blogged, YouTubed and publicly spoken about the perils of cloud security, many workers simply believe “It won’t happen to me.”
For instance, when asked if they’ve ever downloaded an app at work without letting IT know, 31 percent of millennials boldly revealed that they had. That’s compared to 22 percent of baby boomers. When asked if they’d intentionally downloaded an unauthorized app despite the existence of an IT-approved one, 23 percent of millennials said they had, compared to 13 percent of boomers.
Despite the cybersecurity risks involved, 1 in 5 employees said they have:
- Kept their passwords in plain sight,
- Accessed work files from a non-password-protected device,
- Lost devices that weren’t password-protected.
It isn’t out of disrespect for IT, the survey also found, since 71 percent said IT works proactively to understand employees’ needs at work. Asked if they get the support they truly need from IT, two-thirds agreed they did.
What’s the answer? A combination of scolding, education, and vigilance, Softchoice advised.
“Employees display a wide range of bad habits, from lax password security to rogue IT behavior. If something doesn’t change, organizations will be placed in an extremely vulnerable position,” David MacDonald, Softchoice President and CEO, said. “Risky behavior and data vulnerabilities are almost guaranteed to persist if organizations don’t provide training and direction on cybersecurity best practices for the apps, platforms and IT tools employees use on a daily basis.”
Circling back to our invited speaker, Gupta, he says data thieves are well aware that it’s often easier to hack a person than a computer.
“Social engineering (an act of exploiting people instead of computers) is one of the most dangerous tools in the hacker’s toolkit to breach internet security,” he says in his description of his upcoming presentation, Social Engineering – How to Avoid Being a Victim. “The Ubiquiti Networks fell victim to a $39.1 million fraud as one of its staff members was hit by a fraudulent ‘Business Email Compromise’ attack. Thousands of grandmas and grandpas are victims of phishing emails and are forced to pay ransom to have their data released.”
Have you experienced a data breach caused by a lapse in knowledge or judgment by an employee? Share your experiences with us in October at PNSQC 2016—or right here, in the comments section of this blog.
My first thought is that these aren’t random samplings, it makes me wonder if this could be a youth vs. experience issue rather than a millennial vs. boomer issue. When you ask if they’ve (ever?) downloaded an app, you are comparing maybe 5-10 years of time for a millennial against 30-50 years of time for the boomers. Further complicated by the confusion over what might constitute an app in the 80s or 90s.
The second thing I wonder about is what kind of apps are they? I’ve been places where we had to hide downloads from IT just to get tools needed to do our jobs. Are we talking about work tools or about games?
From a security point of view, the answers to some of these questions may not matter. But it might suggest different solutions. Do we need to focus more on working with people to be careful and work closer with IT or do we need to find easier ways to check software and allow people to download tools? In an engineering environment, we sometimes want people to explore technologies, which usually means downloading something IT isn’t aware of. So maybe we just need to find a way to allow access to tools and still ensure it is as safe as possible.