We all know the importance of protecting the company perimeter against viruses, trojans and other forms of external attack.
Firewalls, anti-virus software and monitoring solutions now come as standard with laptops, so we tend to understand - at least as consumers - the concept of protection against outsiders.
A threat taken less seriously by companies is that of their own employees. The average worker poses just as great a threat as a virus, if not more so, if he or she has not received proper IT security training.
And yet employers will inherently trust these employees because, well, why not? If the new recruits weren’t trustworthy, they wouldn’t have been employed, right?
Beware of the youngsters
Password sharing is a dangerous tactic. And the worst culprit? That youngster you recently took on, but probably don’t know an awful lot about.
In our Insider Threat Personas Report, we surveyed 1,000 desk-based workers both in the UK and US, and found that as many as 65.5 per cent of people aged between 16–24 have shared their password at least once - compared with just 29.5 per cent of those aged 55+.
Now, sharing passwords on just the one occasion is the tip of the iceberg. The problem gets worse when colleagues have constant access to one another’s login details.
When we asked the same group of people about who may have continual access to their password, 34.5 per cent said “at least one colleague has my login details.” That is an incredibly worrying statistic considering that all Edward Snowdon needed to gain access to sensitive files was his colleagues’ passwords.
Speaking of Snowdon, our Insider Threat Manifesto found that only 12 per cent of IT professionals are more aware of the insider threat thanks to the scandal. How have so many people within the industry missed it?
However, whereas Snowdon acted intentionally, many breaches occur simply through bad practice and ignorance. At least those working in IT security are aware of that - as you can see in our Insider Threat Peer Report, which gives more insight into the opinions of senior IT professionals across industries about their views to internal security.
In the report, we asked what type of employees pose the greatest risk. Hinne Hettema, IT security lead at the University of Auckland, said: “Postgraduate students. They have elevated access to our systems, but at the same time still act as students.”
John Giordiano, IT manager at The Scenic Route, said: “Older people tend to disregard security measures because they don't fully understand them, and younger people tend to disregard them because it slows them down.”
Both respondents hit the nail on the head. Today’s millennials are much more open to sharing information than they used to be, driven in part by the rise in social media. They don’t see password sharing as much of a problem.
Indeed, many US teenagers see password sharing as a sign of affection. To them, sharing a password is a digital entanglement that, because of the risk it involves, signifies trust and can be a milestone in a relationship, like sharing the keys to your house with a partner.
The technology-education harmony
So what can you do to mitigate the threat that young professionals pose? The answer lies between using the right mix of technology and education. Or “tech-ed” to put it nicely.
No single security solution is foolproof, so the more layers of protection you have, the better chance you have of keeping threats out altogether and quickly catching the few that do manage to get through.
But perhaps you should also just go one step further. In our report, we also asked the senior IT professionals to give their advice. The best is from an IT manager called Dylan - “Don’t trust anyone”. Sounds like a good idea to me.
François Amigorena is CEO of IS Decisions.