One of the toughest gigs in IT is the job of keeping an organization’s network safe. It is also one that is getting tougher with the rise of the millennial generation.
Millennials - those in their 20s to mid-30s - are starting to dominate workplaces around the world. More than one in three workers in the US are millennials, a 2015 study by Pew Research Center found. And this demographic group will account for half of the global workforce by 2020, according to PwC.
The term “millennial” has many connotations. Among them: They like sharing on social media. They won’t put up with bad user experiences. They want a flexible approach to work. They move on quickly if their expectations are not being met. These characteristics will define the culture of the future workplace. They will also put the current network security regimes of many organizations to a stern test.
Here are three considerations.
To block or not to block? Many organizations have probably considered this question when it comes to their employees’ use of social media in the workplace.
A study by HR software provider CareerBuilder, which polled employers from North America, found that 37% of employers see social media as one of the major productivity killers at the workplace, behind mobile phones and texting (55%), using the Internet (41%), and gossiping (39%). Three in four employers say two or more hours of productivity are lost a day because employees are distracted.
From a network security perspective, social media is a vector for malware and socially engineered attacks. How many links that are shared innocently enough end up bringing users to compromised websites? And even if employees use social channels in a professional way, their friends and contacts are under no such obligation.
It is easy to ban or restrict social media sites at the network level. Static URL filters in Web filtering software can block or monitor specific URLs. The category-filtering feature can block entire groups of websites.
But that doesn’t mean CIOs should start blocking social networks at the workplace.
A better approach is to re-examine, holistically, how network security is being enforced. Having a clear social media policy and training for staff is a good start. For instance, sales staff should be reminded of the security and business risks that might result from checking in their locations at customer sites via social channels like Facebook.
The most important safeguard, though, is to have a robust, layered security infrastructure. It is a surer bet than having to rely on employees never erring in their clicks, taps, and swipes with their social media accounts.
Layered security, whereby different layers of security controls combine to protect data, devices, and people, is widely adopted today. It ensures that attacks, whether they arise at the network, application, device, or user level, can be detected and stopped before they spread. It also offers an effective safeguard against different types of threats.
With the changing workplace habits brought on by millennial workers, CIOs should re-examine how they are setting up each layer of protection.
Consider, for instance, the use of personal devices in the workplace. According to a McKinsey & Company study, around 80% of enterprises now allow employees to use personal devices to connect to corporate networks. And increasingly, employees expect their IT departments to support their personal devices with access to corporate applications like email and calendar. This trend, termed BYOD (Bring Your Own Device), poses a number of new security threats.
In particular, CIOs should look at bolstering security at the device layer. The first step is to shore up the devices themselves by mandating some combination of firewalls, anti-malware software, MDM (mobile device management) solutions, and regular patching. A BYOD culture also puts organizations at risk from having their employees' smart devices hacked because of poor passwords. Policies and education on strong passwords are musts.
Device types can also be identified so that less secure devices, such as mobile phones, can be restricted from some parts of the network. Sessions should also be secured, such as by preventing users from visiting unsafe websites.
Similarly, defenses at the user layer should be shored up to mitigate the rising risk of internal threats. This layer is often the trickiest to manage because of the need to balance security and convenience. A variety of authentication methods can be used to identify network users and allow varying levels of access. Instilling awareness and educating staff are also important steps to take.
Shadow IT is a term used to describe the use of applications and services, often cloud based, not sanctioned by the organization. Its uncontrolled nature poses a security threat and governance challenge.
Consider the scenario of an employee using a smartphone to open a file. It is likely the phone will make a copy of the file, which could then be sent to an unapproved online storage destination when the phone performs its routine automatic backup. Just like that, your secure corporate data has been moved to an insecure location.
In the same way, the many social collaboration apps favoured by millennials can shift sensitive company information to insecure locations.
Mandating that staff stop using non-sanctioned devices and applications is unlikely to stop their growth in the organization. Frankly, with the ubiquity of smartphones, employees are using social networks and their personal cloud apps whether your policies permit it or not.
What could be more effective is to educate users, as well as implement technology - such as data encryption, access control, and traffic monitoring - to manage the issue.
From a larger perspective, shadow IT happens when your staff is not happy with the solutions provided by the organization. While CIOs may not be able to prevent staff from seeking out alternative apps for, say, collaboration, they can keep things in check by being attuned to their needs.