BreachExchange mailing list archives

Are younger generations suffering from security fatigue?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 14 Aug 2014 19:07:15 -0600

http://www.information-age.com/technology/security/123458367/are-younger-generations-suffering-security-fatigue

It seems barely a week goes past at the moment without some kind of
security scare. We’ve had major breaches hit the media in recent months
from big businesses like eBay, and US retailer Target.

Each time we are told all the usual, sensible, security advice. Use complex
passwords, change them often, don’t use the same one for multiple services,
don’t share them with anyone else. These are all messages that those who
have grown up in the age of the internet are very used to hearing.

However, it would seem that they are not paying heed. At least while
they’re at work.

IS Decisions’ recent research report ‘From Brutus to Snowden: a study of
insider threat personas’ looks at the views, attitudes and behaviours of
2,000 desk-based workers in the UK and US. It dissects how they differ
across demographics, industries and job roles.

By far the biggest differentiator found was age, with younger generations
time and time again appearing to have worse attitudes and behaviour towards
security than their seniors. The trends show that young people share
passwords much more often, are more likely to have been involved in an
internal security breach and are considerably more likely to access data
from an ex-employer after they’ve left a job.

What could be the reasons?

Now, there could be a number of reasons for these differences. The most
common reason cited for anyone sharing work-related passwords was ‘my boss
asked’. Now naturally, a younger person is more likely to be junior in
their company, and therefore have a boss request their password (very bad
form of the boss, by the way).

Staff turnover tends to be much higher for younger generations, as they
find their career paths and make life choices. And if you’re more likely to
have left a job relatively recently, you are more likely to have had the
opportunity to have accessed a former employer’s data or systems. If you’re
over 55 and have been working for the same company for 30 years, that
opportunity will not have come up.

Personal versus employer data

However, these more straightforward explanations do not cover everything,
and one instance of the age trend gives us an interesting insight.

When asked about the relative importance of work data compared to personal
information, the majority of older people tended to say that the two were
of equal value. The younger the respondent was, however, the more likely
they were to say that their personal data was more important than their
employer’s.

This hints at a fundamental difference in attitudes. The majority of those
aged 16 right up to 34 do not see the importance of work and personal data
on a level footing. Could it be that younger generations just have a more
reckless and blasé attitude to their employers?

Password sharing culture

There is a trend among younger generations for personal password sharing,
of course. On the one hand there are services like Netflix that encourage
account sharing, but aside from this teenagers have been noted to share
passwords as a sign of trust. In this instance, giving your Facebook
password over to a friend or a person you are in a relationship with is a
bit like giving them the key to your house or apartment.

Of course, this often backfires, as relationships sour, leaving the once
trusted person able to post things on the other’s behalf. But as a trend,
could it explain some of the culture of password sharing our research has
found among young professionals? Are they giving their network password to
their favourite colleague as a sign of trust?

Security fatigue

Then there is the issue of simple lack of interest. As we’ve noted, we
constantly see security breaches in the public eye. Younger generations,
who have grown up with the internet, have been told over and over again all
of the best practice about passwords and security.

Is it possible that they’ve just had too many passwords and logins to
manage over the years, and heard about too many security breaches that did
not affect them directly, to really care anymore?

It seems that though there are a number of reasons why younger generations
are just not as security conscious as their elders, there must be an
element of this. And it is worth consideration for your own organisation’s
security policies. Many of your employees may well know all of the rules,
but that doesn’t mean they’ll follow them if you make it easy for them not
to. Put restrictions in place, but make adherence to those restrictions a
simple and easy process to avoid employee apathy becoming your biggest
security risk.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
