They like sharing on social media, they won’t put up with a bad user experience, they want a flexible approach to work, and they move on quickly if their expectations are not being met. Much to HR’s chagrin, it is these characteristics that are shaping the culture of the future workplace.
Millennials now dominate workplaces around the world, and they are putting the network security regimes of many organisations to a stern test, adding to the ever-increasing pressure on IT teams to keep an organisation’s network safe.
iTWire asked Graeme Pyper, regional director, Australia and New Zealand at Gemalto, himself not far outside the millennial definition, to list the most important security issues for an increasingly millennial workforce.
- Social media
The question that has played with many organisations over the years – to block or not to block?
If we consider social media from a network security perspective, our favourite social channels can act as a gateway for malware and socially engineered attacks. People often share seemingly innocent links that have the potential to bring users to compromised websites.
To address this, static URL filters in Web filtering software are often used as these can block or monitor specific URLs. The category filtering feature can block entire groups of websites.
But when dealing with the millennial expectation, CIOs should look at different approaches as opposed to blocking social networks at the workplace. Organisations should consider implementing a clear social media policy and training for staff members as a start. For instance, sales staff should be reminded of the security and business risks that might result from checking in their locations at customer sites via social channels like Facebook.
The most important safeguard though is to have a robust, layered security infrastructure. It is a surer bet than having to rely on employees never erring in their clicks, taps, and swipes with their social media accounts.
- Know thy security layers
Layered security consists of different layers of security controls that are combined to protect data, devices, and people. This strategy is widely adopted today by many enterprises as it ensures that when attacks occur at different sources, whether at the network, application, device, or user level, they can be detected and stopped before they spread. It also offers an effective safeguard against different types of threats.
With millennials shaping workplace culture and habits, CIOs need to reassess how they are setting up each layer of protection. Consider, for instance, the growth of BYOD in the workplace. Since many enterprises are allowing employees to use personal devices to connect to corporate networks, employees are now expecting IT departments to support their personal devices with access to corporate applications like email and calendar. BYOD itself poses many new security threats.
To manage the challenges BYOD brings, businesses should look at bolstering security at the device layer. The first step to take is to shore up the devices themselves through mandating some combination of firewalls, anti-malware software, MDM solutions, and regular patching. A BYOD culture also puts organisations at risk from having their employees' devices hacked due to poor passwords, so having policies and education on strong passwords is another crucial element.
Device types can also be identified so that less secure devices, such as mobile phones, can be restricted from some parts of the network. Sessions should also be secured, such as by preventing users from visiting unsafe websites.
Similarly, defences at the user layer should also be shored up to mitigate the rising risks of internal threats. This layer is often the trickiest to manage due to the need to balance security and convenience. You can also use a variety of authentication methods to identify network users and allow varying levels of access. Instilling awareness and educating staff are important steps to take.
- Tackle shadow IT
Shadow IT is used to describe systems, solutions, applications and services built and used inside an organisation without being sanctioned by the organisation. Its uncontrolled nature poses a security threat and governance challenge.
If an employee uses their smartphone to open a file, it is likely the phone will make a copy of the file, which could then be sent to an unapproved online storage destination when the phone performs its routine automatic backup. Your secure corporate data has now been moved to an insecure location. In the same way, the many social collaboration apps used by millennials can shift sensitive company information to insecure locations.
If you’re looking to stop the growth of shadow IT in your organisation, instructing staff to stop using non-sanctioned devices and applications is unlikely to work given the ubiquity of smartphones. A more effective measure would be to instead educate users and implement technology like data encryption, access control, and traffic monitoring to manage the issue.
From a larger perspective, shadow IT happens when your staff is not happy with the solutions provided by the organisation. While CIOs may not be able to prevent staff from seeking out alternative apps for, say, collaboration, they can keep things in check by being attuned to their needs.