As millennials enter the workforce in large numbers, it is important for all security programs to realize the unique challenges that they pose. While it is not fair, proper or effective to say all millennials are alike, or that older generations don't share some of these traits, it is reasonable to acknowledge some distinct trends.
Millennials are the first generation for whom computer devices are ubiquitous in their daily activities. Consider that laptops have become the computer of choice and can be taken anywhere. Cellphones are more powerful and functional than computers were a decade ago — and millennials have had these devices in their pockets for as long as most of them can remember.
But use of a technology does not mean that it is safely used and millennials' comfort with technology does not mean that they are more security aware. The tendency is to use technology in a way that is most convenient, not most secure. And while there has been some effort to protect their privacy — primarily from their parents and others — this does not mean that they are aware of all the things there are to protect and how to protect them. The fact is, the more information that is available, the more vulnerable it is made.
With this in mind, we reviewed the research into millennials to see how it could be used to improve security awareness programs. While some of this may seem obvious, we have yet to see most organizations make special efforts to address the awareness challenge posed by millennials.
1. Millennials have a heightened trust in technology
For this reason, awareness programs should stress the need for caution when storing data online, downloading apps, and other activities. While you don’t want to scare people, you at least need to point out that there is risk inherent in any data storage or new technology in which you place trust.
2. They prefer to use their own devices
Many organizations have already adopted a bring your own device (BYOD) policy, and while this can save companies money as well as delight users, security teams have raised the alert that the practice creates a loss of control of data. It adds to the concern that users are storing organizational data on their personal devices with varying levels of security. And using these devices to access organizational networks and other assets creates backdoors into otherwise secure resources. (Of course, even if you provide devices, users will likely attempt to use their own.)
While many organizations prefer to focus their awareness programs on specifically work-related topics, this concern implies that awareness programs can't distinguish between work and home computer usage. Awareness programs need to especially focus on how to protect personal devices, and how to treat personal information securely.
3. They are heavy users of social media
Social media use allows them to stay connected, but it also creates an increased attack surface. Sensitive information could be accidentally disclosed, and heavy social media usage also creates more opportunities to encounter malware.
Social media usage can be both a blessing and a curse. To account for the curse, you need to ensure that you provide proper awareness on social media vulnerabilities. This would include both highlighting information protection policies, as well as safe social media usage habits.
The blessing is that if you spend time and effort to create a social media presence for your awareness program, millennials are much more likely to engage with it. Some companies have created Twitter accounts for their security programs. Others create social media-like efforts on internal resources.
4. They have shorter attention spans
Research shows that people now exhibit shorter attention spans. There are many reasons driving this, such as being inundated with information via feeds like Twitter and Snapchat. Your awareness efforts should be tailored accordingly.
Shorter awareness materials will be more effective. Trainings and videos should be brief and to the point, but passive and concise media can also be effective. For example, companies that have monitors that display organizational news can also use them for awareness purposes. Screensavers can have an effective place in your program, as can coffee cup sleeves, posters and tweets.
5. They have more intellectual curiosity
The upside of shorter attention spans is that millennials are more likely to seek out information when their curiosity is piqued. They like to explore topics that come up in passing conversations, and they are used to readily finding information that satisfies their curiosity.
To take advantage of this, awareness materials should be made easily available. Corporate knowledge bases of security information can be posted online. Videos should always be posted, so people can view them at will. Let people have the ability to learn on their own, as they are more likely to do it when they do it on their own terms.
6. They grew up with video games
Software-based training that provides challenges can be an effective way to engage millennials. Older generations tend to frown on games in the workplace, but millennials look at it as a natural way to learn skills and other information. While there are no commercial solutions we would recommend, it is something to consider incorporating into awareness programs as resources allow.
7. They are more socially conscious
There is little downside to this generalization. Millennials, by and large, want to leave the world a better place than they found it. They want to create a positive impact. For this reason, awareness programs can and should promote the value of good security behaviors, not just for the individual's wellbeing, but for the wellbeing of other employees, customers and society as a whole. Stating and demonstrating how good security habits can protect all concerned, as well as improve society, can increase the willingness of millennials to adhere to security policies and guidance.
8. They prefer speed and convenience
The speed and convenience afforded by technology has ingrained the drive for efficiency into millennials more than previous generations. Awareness practitioners need to incorporate the purpose of security rules into their programs to create better adherence. While it is not typically the responsibility of the awareness staff, they should work with operational personnel to embed security practices into the workflow, so there is less opportunity for people to bypass security procedures.
Security awareness should not be a monolith, where everyone is expected to equally learn from the same materials. The reality is that some awareness materials and efforts will impact some people more than others. To account for this, awareness programs need to incorporate as many modes of communications as possible. Given that millennials are becoming prominent in organizations, and will be predominant in the future, it is to every awareness professional’s benefit to learn how to target some of your efforts to them.
Ira Winkler, CISSP is president of Secure Mentem and assists companies in optimizing their awareness programs. He can be contacted through http://www.securementem.com. Danielle Kingsbury is a trained clinical psychologist, who is now focusing her efforts on the human aspects of security with special emphasis on millennials in the workplace and attracting women to the cybersecurity profession. She can be reached through her website at http://www.cybersecpsych.com.