In 2004, a young Mark Zuckerberg founded Facebook from his Harvard dorm room. Twitter arrived on the scene two years later, and in 2010 Instagram debuted. Indeed, a large portion of today’s workforce has lived most of their lives in the "Facebook Age," when posting daily status updates and selfies is the norm.
Information security professionals should be reeling from the wide-reaching implications of this cohort’s approach to technology use and its potential to permeate the workforce. For example, a recent report highlighted that half of millennials spend an average of three hours per day on their mobile devices -- 70 minutes of that on non-work activities during work hours.
From 2015 to 2016, we saw a 15 percent increase in the number of federal employees under age 25, and, unless we quickly react to these trends, it could spell disaster for federal agencies, particularly in terms of insider threats.
How can we shift our approach to IT security to compensate for the insider threats caused by the rise of the sharing age?
Why insider threats?
You may hear insider threats and think only of ill-intentioned employees leaking agency secrets, such as Chelsea Manning and Edward Snowden. Realistically, however, these kinds of employees account for only a portion of breaches. The most common insider threats actually stem from individuals who are either unaware or negligent.
Hackers target employees they deem particularly vulnerable and use them as a way into an agency’s network, gaining access to valuable and classified data.
In the past, criminals would take a subtle, human approach to this. They would stalk employees at cafes where they would strike up a conversation to coax vital information out of them.
But with social media, employees are already offering up large amounts of information through their personal profiles and posts. This information can be used to hack an employee’s work or personal devices, which may regularly connect to an agency’s network.
This means additional layers of security and awareness are needed to ensure agency workers play an active role in safeguarding data. Agencies must be more vigilant and proactive in addressing human vulnerabilities.
So where to begin? Good internal security begins with hiring. A proactive recruitment process can spot security problems that could cause complications down the line. Recruiters should go beyond thorough background checks and incorporate security into the interview process by asking meaningful, security-minded questions.
Knowing how candidates treat data security on their personal social media can reveal much about their ability to protect agency data. If they’re not aware of the federal Standards of Ethical Conduct that apply to social media use, for example, recruiters should let them know that federal employees are responsible for how they present an agency’s name, seal and uniform online. Infractions can lead to penalties and termination.
Once agencies are in a position to hire only low-risk employees, they can refine their training process to include updated, ongoing training modules that address relevant and contemporary issues such as social media security. Reliance on boilerplate training videos prevents an agency from fortifying itself against insider threats. Focusing on scenario training and working on employee awareness will help agencies beat back threats.
Remember: Constant sharing is now ingrained in our culture. Managers must educate employees about the potential risks. Doing so requires a sincere, consistent and concerted effort.
Humans are hardwired as problem solvers -- particularly today’s tech-savvy millennials. With millennials making up much of today’s workforce, agencies will struggle to maintain secure networks without an effective bring-your-own-device policy.
If an agency bans all personal smartphones or lacks an effective BYOD policy that facilitates work from mobile devices, employees will find workarounds or rely on back channels that IT managers can’t see or control. With a BYOD policy in place, agencies can get ahead of the problem and promote the transparency they need to maintain network safety.
Insider threat protections will only become more diluted as social media gets more ingrained in daily life. We must prepare now by framing IT security as foundational instead of responsive. Of course, we can never fully eliminate human risk, but we can greatly reduce that risk by making data security an integral part of agency culture. By keeping the conversation open, engaging everyone in the process and collaborating with HR to ensure the screening process is done correctly, agencies can catch problems before they have a chance to grow.