Whenever I have a question about my smartphone, I ask my 13-year-old son for help. For me, a smartphone is simply a tool. For him and his generation, it is a prime focal point of life. A teenager’s reputation and social status can, to some degree, depend on their use of social networks, gaming sites, apps, and the brand of smartphone they use. It is a tech-savvy generation. That said, I could hack my son’s phone in minutes. Why? Because I’ve noticed that this tech-savvy generation hasn’t got a clue about cybersecurity. When I explained to my son how I could hack his phone, turn on his camera, and record his calls and conversations, he thought I was making it up. Although he and his friends know something about hackers, and actually look up to them as some sort of heroes, he doesn’t see them as personally endangering his life. For example, he and his friends believe that the hacking group, Anonymous, is cool, but they don’t really know what they do. After some questioning, it appears they mainly like the Guy Fawkes mask these hackers use to hide their identities.
The current cyber generation seems to be following in the path of its millennial predecessors when it comes to an ignorance of cybersecurity. In a survey of 4,000 18- to 26-year-olds from around the globe commissioned by Raytheon Corporation last year, 65% of respondents believed they could stay safe online. That is to say, security was not a major concern. This was despite the fact that 58% claimed they had never been given any instruction on how to stay safe online and 67% hadn’t heard of any major cyber attacks in the previous year (even though many had made news headlines).
This finding seems to be at variance with a similar study done in 2014 which found that 75% of adults were worried about cyber attacks compromising their country’s economy and infrastructure. However, 60% of those surveyed believed their governments would be able to counter any serious attacks. This in itself may lead to the false sense of security found among millennials and pre-millennials. It may be that they feel that someone else will protect them – the government, the company, the school, or even parents. Perhaps this can be rebranded the “someone will take care of me” generation. That may be all well and good until these individuals enter the workplace with this mindset. It could help explain the somewhat alarming finding by PwC that 75% of all major corporation breaches were staff related. And the real bad news? Most of these staff members had received some sort of cybersecurity awareness training.
So what’s going on here? It could be that a one-time-cybersecurity-awareness session may not have prepared the staff for newer attack methods. This would indicate that routine, and somewhat frequent, training would be needed. It could also be that the instruction was, for one reason or another, not taken seriously. On the other hand, it could be that employees are aware that they are taking risks but feel that this is not really their problem. Since they will not personally be paying the price for irresponsible behavior, there is no real need for concern. If this is the case, then we are not talking so much of cybersecurity awareness as we are of behavior modification.
Take a look at the following triangle.
It demonstrates the three factors that must be weighed in order to build any corporate network. For example, a company could make a network easy to use, but it would compromise security. If the company over-emphasizes security, it could create problems for users. Together, these two points will affect how the network functions as a whole. The network itself will influence user behavior.
Let us assume that irresponsible employee behavior is the main source of security problems, as the aforementioned study suggests. If, after appropriate instruction, an employee engages in such irresponsible behavior, what can the company do? Initially, it might seem that the employee should be penalized or punished in some way, but this might produce just the opposite of the intended effect. If the employee makes a mistake and clicks the link in a well-designed phishing email, the employee may be so worried about the penalty they will receive that they will try to hide the fact that their actions may have compromised corporate security… which, in fact, compromises corporate security even further. But remember, even if the irresponsible employee clicked on a bad link or downloaded a malware-infected attachment, the employee could always counter with the argument that the security team wasn’t doing their job. Otherwise, why would a phishing email get into their inbox?
Although security teams may want, or even demand, proper security behavior from their employees, they are often fighting against basic human nature. As one study pointed out, “People can sometimes get tired of security procedures and processes, especially if they perceive security as an obstacle, preventing them from their primary task (e.g., being blocked from visiting a music download website because the browser has stated that the site might have malware). It can also be stressful to remain at a high level of vigilance and security awareness. These feelings describe the so called ‘security fatigue’, and they can be hazardous to the overall health of an organization or society”.
If cybersecurity teams try to impose behaviors on employees who are used to being free to do what they want online, they are almost sure to meet with resistance. Some will attempt to bypass restrictions while others may simply ignore them. In short, a battle arises between security teams and employees. Instead of having a unified team fighting to keep the company secure from breaches, the security team will have its hands full keeping its own employees in line. Beyond that, millennials may simply believe it’s not their responsibility to worry about security. That’s the security team’s job. And with the pre-millennials someday entering the workplace with even fewer concerns about security, the situation does not seem likely to change in the future.
The attempt to change user behavior is a fruitless one. What is needed is a security architecture that does not rely on employee behavior to stay safe. Such an architecture would allow employees to be as irresponsible as they want while keeping important data on the corporate network safe. Such an architecture would make the security triangle shown above obsolete and significantly reduce the pressure currently placed on the IT staff.
As a disclaimer, this blog is associated with a company that has such an architecture. If you are interested, take a look at it and see for yourself.