6 ways to reduce the security risk of graduate hires

Newly hired graduates are often technology savvy, but not very enterprise security savvy. That can be a dangerous combination.

Newly hired college grads are a particular security risk to your organization, and special measures need to be taken to manage this "graduate risk."

That's the view of Jonathan Levine, CTO of Intermedia, a Calif.-based cloud services provider whose customers employ many recent graduates.

"The problem is that new graduates are often very computer savvy, but unfortunately they are not enterprise savvy," he says. That differs from the past, certainly from when many current CIOs took their first jobs, when most graduates knew nothing about computers or about the security requirements of the organizations they were joining.

He points out that from middle school or even earlier students use apps to do their school work, and use various services to share documents. But they are rarely educated about corporate requirements like information security and confidentiality.

"Coupling a technical literacy in tools like Dropbox and Snapchat with a naiveté about the way that enterprises need to operate is a dangerous combination," Levine warns.

That means it's your IT department's or security team's responsibility to provide security education to graduates. This should warn them of the dangers of using consumer services, such as cloud storage or webmail, that generally offer inadequate auditing, management capabilities and security for use in an enterprise environment.

"Data loss is a big risk that graduates can introduce when they come from an academic environment," Levine says. "They come from an environment where information wants to be free and open source programming is common, to the corporate world where we want some sorts of information to be free and some definitely not to be free.

"We may want information to be shared, but we need to be able to know who is accessing it," he adds.

Graduates also introduce a disproportionate risk that information useful to hackers may be shared on social media services such as Facebook or Twitter. That's simply because they're accustomed to using these services without thinking about the security implications of what they're making public.

While educating graduates is key, making sure that they put what they learn into practice is also important. Here are six ways you can help ensure that this happens:

1. Judge graduates on the security they practice. Newly hired graduates usually undergo some sort of appraisal or performance review process on a regular basis. This provides the opportunity to make security and adherence to security practices a goal that new hires can be evaluated on.

2. Gamify security. Despite the name, this does not involve turning security into a game. Rather, it involves running incentivized security awareness programs.

This approach encourages graduates to attend security courses or gain security qualifications, which may simply be internal courses or qualifications run or awarded by the IT department.

As graduates progress they can be awarded points that earn rewards appropriate to the organization, such as certificates, prizes, corporate perks or monetary bonuses.

3. Monitor graduate behavior. This follows the old adage of "trust but verify." The idea is that the IT department should monitor certain aspects of graduates' IT usage so that their managers can better understand how well they are adhering to security best practices and intervene when necessary.

4. Make security easy. One way to reduce graduates' temptation to use consumer services is to ensure that there are enterprise-grade alternatives that are attractive and easy to use.

So while it may be hard to get a graduate who has grown up with Gmail to start using an email client like Outlook that they may see as ugly and unwieldy, it may be easier to wean graduates off Gmail by providing alternatives. This could be something as simple as Outlook Web Access, or a more sophisticated alternative like offering access to Exchange data on a mobile device such as an iPhone or Android tablet using ActiveSync.

5. Run a security event. As an example, Levine says Intermedia runs a "Hacktober" event every fall. During the event the security team does everything that it has warned graduates against, such as leaving USB keys around (containing harmless malware) and sending out phishing emails (which also do no real harm).

The team can then contact any graduates who pick up and use these USB sticks or who respond to the phishing emails, and graduates can gain kudos by reporting that they have spotted the planted USB devices or phishing emails.

6. Quick win. If there's one single thing you can do to make a big difference, Levine believes it is to drum into new graduates that they need to use a separate password for each corporate system or application they log in to.

It's important to make sure that these are different from any passwords they use for consumer services. Consumer services are tempting targets for hackers because they often have poor security, and if a hacker can obtain a password from a consumer service that is also used in a corporate environment, that presents a significant security risk.

Stories by Paul Rubens