Will millennials become a security threat with enterprise rapidly adopting mobile?

With most organizations adopting mobile and implementing BYOD policies, how will the entry of the device- and free-WiFi-loving millennial employee affect the security of critical data?

A generation far more adept with newer technologies, millennials also pose greater cybersecurity risks with their preference of using the same devices for both personal and professional purposes.

According to PwC, millennials will form 50 percent of the workforce by 2020. The cultural shift they bring to the table is also accompanied by an increased affinity towards newer devices that might lack security policies. This abandonment of caution in exchange for digital convenience brings several cybersecurity behavioral risks to the workplace.

Surendra Singh, country director of Forcepoint says, “Millennials prefer to download unsecured third-party apps, use unprotected public Wi-Fi to access work systems and accounts, and are not averse to sharing personal information.”

Darshan Appayanna, chief information and knowledge officer of Happiest Minds Technologies, agrees and says, “They are more prone to being unaware of these risks especially on mobile devices because of their lack of awareness and a general assumption that anything available online is secure.”


However, Venugopal N, head of pre-sales of Check Point Software Technologies, disagrees and believes that it is not just one generation alone that poses a risk to data security. “It is just that technology has evolved to such an extent that it poses a greater risk than what previous generations were using,” he says. “While an explosive proliferation of personal smartphones and tablets in the workplace exposes a company to increased risks, it is important to understand that standard security solutions are not strong enough these devices and apps in the workplace,” adds Venugopal.

This evolution expands the threat landscape and the challenge is to control data as it moves in and out of the organization’s possession while millennials seek to use it on demand. Jayanta Prabhu, group CIO at Essar, agrees with Venugopal and adds, “The key is awareness and training, along with an explanation of why the policies are important.”

According to Fortinet’s latest threat landscape report, 25 percent of mobile devices in Asia contain some kind of malware. If devices are the problem, then are the risk factors of BYOD greater than the benefits of higher productivity?

BYOD: It’s a catch-22 situation

Simply put, “there is no way out,” says Prabhu. “If CIOs do not consider BYOD, then they will be in the same position as CIOs who stood in the way of the movement from the corporate desktop to the PC,” he says. According to Jaspreet Singh, partner – cybersecurity at EY, it is not easy for companies to adopt BYOD or forsake it. While the benefits include decreased IT asset expenditure, a flexible workforce, and higher productivity, the risk of data being accessible to any third party could put a company in jeopardy.

Rajesh Maurya, regional VP, India and SAARC at Fortinet believes that mandating staff to stop using non-sanctioned devices and applications is unlikely to stop their growth in the organization. “With the ubiquity of smartphones, employees are using social networks and their personal cloud apps whether your policies prevent it or not,” he says.

Whether BYOD is a boon or a bane depends on how the organization manages the environment. “It is imperative for security teams to have security systems that can maintain visibility to understand employees’ behavior and intent into use of critical business data across all devices,” says Surendra Singh. Additionally, educating users and deploying effective technologies for data encryption, access control, and traffic monitoring is a far more effective way to manage the risks.

Learn, Segment, Protect

Most companies do not dictate the types of allowed devices, and this poses a challenge because most security solutions lack the integration and visibility to span so many devices. Maurya suggests a three-step process – learn, segment and protect – to combat these threats.

Jaspreet Singh advises two models that can be used to manage mobile devices when bringing in BYOD: a mobile device management tool and a cloud service. “The first helps the organization to fully control the devices generally supported by APIs of smartphones used these days. The second allows a mobile device to access the service through an intermediary or broker controlling the delivery to the end user,” he adds.

Striking the right balance between the flexibility of BYOD and mitigating risks is the key. According to Prabhu, BYOD policies at Essar extend beyond just IT to account for issues associated with HR, legal and security. He adds that Essar controls data access, monitors usage of devices, and has a list of devices supported by the company.

Adhering to this, both Mindtree and Happiest Minds also state that they have policies with respect to the type of devices and access, indicating that companies are growing to understand risks posed by employees who are now armed with no less than five devices.

Are there specific technologies in place?

With a generation far more skilful with mobile devices, millennial user behavior poses greater user-centric risks. Surendra Singh urges organizations to look beyond just IT. With a human-centric approach, the company aims to enable enterprises to better understand human behaviors and the intent that drives them, in order to protect employees as well as critical data.

At Mindtree, the company has implemented a network access control (NAC) solution at LAN, WLAN and Internet layers to allow only pre-approved devices. Ramesh T. Kumar, general manager – corporate information systems of Mindtree says, “Endpoint posture checks are performed before admitting a device to the network and various security agents installed on these endpoints ensuring robust security.”

While Kumar and Appayanna both acknowledge the presence of monitoring solutions providing actionable insights against this particular threat, the latter says that they prove neither cost-effective nor straightforward enough to implement successfully. Instead, Happiest Minds has a comprehensive role-based identity management solution. “We also have taken a conscious call on what data should be allowed to be exposed to a localized group, to the enterprise and beyond the enterprise,” adds Appayanna.

Prabhu, Venugopal and Maurya recommend a multi-layered approach to detection, assessment, and mitigation within the enterprise. “Given that millennials will do more on mobile devices than on standard laptops, it is pertinent to have a mechanism that will secure mobile devices in a corporate environment,” adds Venugopal.

Without new approaches to data security, breaches and security compromises are likely to become more prevalent as more millennials join the workforce. “Understanding millennials’ security practices will help organizations create security protocols and practices to not only detect and stop critical data loss but also take advantage of the skills they bring, revolutionizing the workforce for the better,” says Surendra Singh.

But millennials may be the road to a secure future for enterprise

While millennials might be the ones bringing in the chaos, it is evident that they are the ones the enterprise is looking to fall back upon as well. With a rise in cybercrime, a rise in the demand for a workforce with combat skill sets in the domain is inevitable.

However, the eighth Global Information Security Workforce Study (GISWS) predicts a shortage of 1.8 million among cybersecurity professionals by the year 2022. Having surveyed 19,000 cybersecurity professionals, the study further claims that millennials aren’t interested in this field.

The fact that a large portion of the professionals in this domain will retire in the next decade is frightening. Will a 50 percent millennial workforce be the boon after all?