Centrify report identifies younger employees as main culprits for security breaches in workplaces

More than a third of senior executives believe that younger employees are the “main culprits” for data security breaches in the workplace. That’s according to the results of a new independent study into attitudes of the next generation workforce in relation to cyber security commissioned by Centrify.

More worrying, the study also reveals that these same decision-makers are doing very little to allay their own fears: over a third of 18- to 24-year-olds can access any files on their company network, and only one in five have to request permission to access specific files. Fewer than half (43%) have access only to the files that are relevant to their work.

The study, conducted by Censuswide, sought the views of 1,000 next generation workers (18- to 24-year-olds) and 500 decision-makers in UK organisations to discover how security, privacy and online behaviour at work impact the lives of younger employees and the companies for whom they work.

While password sharing tops the list of what keeps decision-makers awake at night, at 56%, 29% of younger workers reveal that their employers leave it to them to decide when to change their passwords. Furthermore, 15% of them admit to freely sharing passwords with colleagues.

Attitudes to social media and online behaviour

Asked how younger employees could negatively impact the workplace, 47% of decision-makers worry about them sharing social media posts and the impact these could have on brand and reputation.

Conversely, one-in-five workers are not bothered about how their social media activity might affect their employers, while 18% freely admit that their posts could compromise employers’ security and privacy policies.

Less than half say their company has social media guidelines in place, highlighting the need for strong social media access controls that follow the principles of a ‘Zero Trust’ approach towards security (which assumes that users inside a network are no more trustworthy than those outside the network).

The next generation of workers’ ‘always on’ approach to technology – with no experience of an off-line world – further reinforces the need for robust security policies. When it comes to this generation of workers, 40% of decision-makers are concerned about their misuse of devices, while 35% say they are too trusting of technology and 30% worry that they share company data too easily.

While 79% of decision-makers report having a strong security policy in place and 74% of them think that their employees abide by it, over a third (37%) feel that young workers are too relaxed about security policies.

Decision-makers also say the next generation of workers has a good awareness of The Dark Web (87%), underground hacking (79%) and crimeware (81%). Although around half (48%) say they have strict guidelines in place for employees accessing these new ‘dark arts’, 39% feel they could be better.

Business leaders of tomorrow

“Some may think of younger workers as always online, always ready to share information and perhaps not being as concerned about privacy or security as older workers, but we must remember they are the business leaders of tomorrow and we must help, not hinder them,” commented Barry Scott, CTO for the EMEA region at Centrify.

“While it’s clear that employers are concerned about this new generation entering the workforce – and see them as a potential risk to both the business and brand – these same companies are perhaps guilty of not putting in place the right security processes, policies and technologies. If you give employees access to any information at any time from any place, or fail to enforce strict password and security policies, they are likely to take full advantage, putting both their own jobs at risk as well as the company itself.”

Scott continued: “Our study shows it’s time to discard the old castle-and-moat model of ‘trust but verify’ as it simply doesn’t work in today’s mobile-first, cloud-enabled world where employees can be anywhere and work on multiple devices. Traditional network perimeters are dissolving and security professionals must adopt a Zero Trust approach that assumes bad actors are already on the network.”

‘Zero Trust Security’ verifies every user, validates their device and limits their access to only the resources they need. Machine learning is employed to ensure the resulting improved security has no impact on efficiency.

“Let’s be clear that ‘Zero Trust Security’ is not saying we’ve lost trust in our employees, but rather it enables them to work exactly the same way wherever they are, and provides the company with a stronger security posture.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
