Young Employees and IT Security

iStock_bus people w cell-000016828639SmallHiring young employees can bring fresh talent and innovation, giving your company an edge over your competitors. But that edge can quickly be erased, as young workers also bring additional technology risks. According to the 2011 Cisco Connected World Technology Report, a study involving almost 3,000 college students and young professionals under age 30, 70 per cent of young employees frequently ignore their company’s information technology (IT) policies.

Millennials have grown accustomed to sharing everything about their personal lives on Internet sites such as Facebook® and YouTube®. This poses a dilemma for an employer: If young employees don’t safeguard their own personal information, how can you entrust them with your company’s sensitive data? Companies with the need to be Internet-savvy must hire young talent, but are these employees worth the risk?

Eye-opening Statistics

The Cisco report says that 80 per cent of young employees either don’t know about their companies’ IT policies or they think they are outdated. Additionally, 25 per cent of those in the study had been a victim of identity theft before age 30.

Why are young employees negligent about IT security? The study found that some young employees’ attitudes and beliefs towards IT policies include the following:

  • They forget about the policies.
  • They think their bosses aren’t watching.
  • They believe the policies are inconvenient.
  • They think they don’t have time to remember the policies while they’re working.
  • They feel the need to access unauthorized programs to get their job done.
  • They believe security is the IT department’s responsibility, not their own.

Additional Risks to Consider

Young employees can compromise IT security by leaving their computers or other personal devices unattended, increasing the risk that that both the equipment and company data could be lost, stolen or misused. Sending work-related emails to personal email accounts and using computers and social networking sites for both work and personal reasons can also compromise IT security. Millennials are more apt to blur the line between using IT for both personal and work-related purposes, which can increase the risk of negligence.

Consider that not only young employees, but all employees can compromise IT security in the following ways:

  • USB flash drives. While these are convenient portable devices for storing information, they make it too easy to take sensitive information out of the office and can be misplaced easily because they are so small.
  • Wi-Fi networks. Whether it’s an employee’s personal Wi-Fi network at home or free Wi-Fi at the local coffee shop, it is important that employees use virtual private network (VPN) and take other security measures when they log in on networks outside of your company.
  • Laptop computers. Lightweight and handy for working remotely, laptops are also susceptible to viruses from improperly-secured Wi-Fi networks.
  • Smartphones. They provide information at your fingertips, but are also another portable way to take sensitive data out of the office.
  • Collaboration websites. Websites, such as a wiki or SharePoint® site, are great tools for employees working together on projects, but it’s critical that only authorized employees are logging in and accessing your company’s projects on these sites.
  • Social media tools. Sites such as Facebook and Twitter™ can benefit your business; however, negligent use, including sharing critical company information, can be a risk.
  • Other communication applications, such as peer-to-peer (P2P), Skype and instant messaging tools. These applications can be vectors for malware and a threat to information security.

Employers shouldn’t necessarily prohibit employees from using technology, as this list includes many tools they need to get the jobs done. It’s important to know the risks and educate young employees to use the technology properly.

Mitigating the Risks

Employers must find the balance between allowing young employees to use social networking websites and portable devices to do their jobs, while at the same time protecting company information. Employers should examine their exposures and consider what level of risk they are willing to accept. Other special considerations for managing young employees and mitigating the risk include:

  • Review your company’s IT policy. If it needs to be updated, ask recent graduates for advice on updating the policy to reflect current changes and trends in IT.
  • Make sure young employees (and all employees) are aware of your company’s IT policy and the consequences if the policy is not followed.
  • Create strong, trusting relationships between young employees and your IT department.
  • Create IT awareness materials so young employees are continually reminded of IT security risks and what they can to do prevent them.
  • Train new young employees on data protection and IT security risks, and provide refresher training for seasoned employees to ensure everyone is aware of the risks and the importance of safeguarding company information.

 

© Zywave, Inc. All rights reserved.

Cyber Security Budgeting for Small Businesses

Security ConceptA study conducted by Cisco, a multinational technology firm, found that small businesses were particularly vulnerable to cyber attacks—with 60 per cent of the surveyed Canadian companies stating that they did not have cyber security strategies in place. This fact becomes increasingly alarming when you consider that, according to some experts, cyber criminals actively target small- to medium-sized businesses.

With this in mind, it’s particularly important for small businesses to plan their cyber security budgets accordingly if they want to mitigate their risk. As a good rule of thumb, approximately 15 per cent of IT budgets should go towards cyber security.

Budgets should be made following an in-depth risk assessment and typically include the following considerations:

Preparation: When planning a cyber-security budget, consider including items for training, technology upgrades and vulnerability assessments. Having policies and procedures in place related to cyber attacks could also help you respond quickly in the event that a hacker accesses any sensitive information. In addition, implementing a security-awareness program is a good option for most employers, and consulting firms can provide assistance for those having difficulty setting up preventative measures.

Detection: Having the proper detection tools in place could make all the difference, should a cyber attack occur. In your budget, ensure that funds have been allocated for penetration testing, which will verify that any protective software you have in place is effective.

Response: Following a cyber attack, there are a number of response items to consider. In response to a cyber attack, businesses will often need to cover the cost of public relations assistance, attorney fees and forensic specialist services. When properly implemented and planned for, these items can help businesses salvage their reputations and prepare for future attacks.

In addition to budget planning, there are a number of other steps businesses can take to limit the impact of cyber attacks. For example, identifying any trends in terms of what other companies are spending on cyber security will at least provide you with a good budget standard that you can compare your own pricing to. In many cases, cyber liability insurance can protect businesses from some of the above costs, in addition to any losses sustained as a result of a cyber attack. The amount of coverage you need is usually dependent on your overall risk.

 

© Zywave, Inc. All rights reserved.