Millennials: Biggest asset in battle against cyber crime?
By Nick Hopkinson, Director of Cybersecurity, CSC EMEA
Many cyber attackers thrive on the insatiable appetite of the millennials for new stuff. One of the characteristics of the millennial generation is their enthusiasm for new devices, technology and services, and their desire to exploit them in new and interesting ways as part of their whole lifestyle. They live on the net and use it relentlessly to live their lives - business, social and personal. They are often characterised as not worrying about offering up their information to all who ask for it, not asking themselves any questions about the safety of new devices and software they have downloaded, or engaging freely in discussions with unknown individuals. Their activities terrify many in the security community and much of the thinking is about how we can tame or control their activities when at work so they don't compromise our corporate security.
However, paradoxically, millennials could be our biggest asset in the battle against cyber attackers - we just need to adjust our own thinking and mindset in how we approach them from a security perspective. After all, many of those in the vanguard of cyber attacks are themselves millennials; cyber criminals are exploiting their appetite and enthusiasm for living and working on the net, using their knowledge, skills and expertise, their understanding of how best to get at their targets, using their intimate knowledge of how people use the internet to identify vulnerabilities and new avenues of attack. We ourselves can also engage the same attributes in the fight against cyber attackers.
There are a number of different ways we can leverage the attributes of this generation:
Firstly, we need to engage those who work in our organisation in securing the enterprise. But this needs to be done in a way which appeals to their own approach to life - too often security is seen as a blocker which prevents them using their preferred devices or applications, or makes it too difficult (through complex passwords and access controls) to access their data. The overriding features of the modern environment are choice and immediacy - the millennials want to use their devices, applications and data how they want and when they want. Security needs to enable that, not just for the millennials, but because such an approach can enable an organisation to exploit all that innovation and new technologies can bring in terms of benefits to the business. It requires a different approach to security, a more dynamic approach where we are managing a continually changing and evolving environment, constantly assessing the threat and implementing the appropriate responses in near real time. It involves a different approach to risk management - accepting that in a more dynamic, fluid and connected environment defences will be breached; the key is detecting the breach and responding quickly to minimise or prevent the damage. It is possible to build such a security environment - technologies are now available which can enable this dynamic monitoring and management, and enable more seamless access, provided an intelligent risk management approach is implemented.
If security can be transformed into the great enabler - providing seamless, hassle-free but secure access to the tools and technologies people want to use - then we have a much better prospect of engaging millennials positively in supporting our security goals. We can educate them about the cyber world and its dangers as well as its benefits - that there is a criminal world out there just as in the real world, ever present and ready to exploit and damage us - and enlist them in being vigilant and watchful (as they would in protecting their home and their person) and behaving in sensible and responsible ways in protecting assets and information which are important to them and their company. In any society, if freedom is to work it also brings with it personal responsibility - and that is key when it comes to security. A few organisations have tried this approach and it works successfully where the workforce understands and is engaged in delivering the security mission.
The second way is to encourage more millennials to join the security profession. We can benefit from the same skills, understanding and insights that cyber attackers seek to exploit. In managing security dynamically, following the new model described above, we need skilled analysts who can recognise and dissect sophisticated cyber attacks and work out how to counter these activities and implement effective defensive strategies. They need to be alert and adaptable, have an innate understanding of the latest tools, technologies and social and internet trends which attackers seek to exploit, and ultimately get a buzz out of fighting what is, in reality, the ultimate online game - except of course this is not a game, but a very real day-to-day battle where the stakes can be high.
Some of the most skilled cyber operators, and those who really think outside the box, can become ethical hackers who are used to test the robustness of the security controls and defences of an organisation. This is the most practical and effective way of carrying out security assessments as it simulates real attacks by determined and expert hackers who can utilise all the latest tools, techniques and attack vectors. They can point out specific areas of vulnerability and weakness, which can then be fixed, or identify poor processes or policies which can be changed.
People often ask what is different about cyber security from the old disciplines of information or communications security. I think the real difference is a product of the way the explosion of internet-based services has penetrated every aspect of our lives. It has transformed security, which used to be a fairly static function: we understood our environment, we knew where our data and applications were hosted and managed (usually within our own perimeter), and our employees could access this environment from the workplace using corporate devices which never left the workplace. All these certainties have been eroded by the cyber revolution and we now need to manage security in a way which is closely attuned to the cyber environment - dynamic, adaptable, aware of the latest trends and technologies available to users, quick to acquire and develop new tactics and solutions. Our biggest asset in adjusting to this new world of cybersecurity is the very generation who have grown up in this world and are extremely comfortable and already fully adapted to operating within it.