Picture the kind of person you'd consider a security problem, and what leaps to mind? Chances are it's the image of a young male who thinks he's pretty darn smart—the Kevin Mitnick type. But it's time for CIOs to focus their security efforts on young men and women who aren't thinking smart. Will your security staff get through to them before they inadvertently let a real hacker get at your company data?
Now, it would be unfair and inaccurate to say that Generations X and Y have a monopoly on IT carelessness. A study on social networking released in October by CA Inc. and the National Cyber Security Alliance found that workers over 35 are more likely than younger people to—d'oh!—post their phone numbers and addresses on social networking sites or respond to unsolicited e-mail. (Apparently people do respond to Viagra spam.) But there's enough evidence—besides the pictures of young people behaving badly splashed all over these sites—that young adults are less discreet than older workers.
Of the 2,163 adults surveyed by CA and the NCSA, 51 percent of the under-35 crowd use these sites at work—that's 9 percent more than 35- to 54-year-old workers and 28 percent more than workers 55 or older—and they tend to engage in riskier behavior. Sixty-six percent download files from others' profiles "all the time" or "sometimes," setting themselves up to download Trojans, worms and other headaches. They are also less likely to close their profiles to anyone but friends—just 69 percent do that—leaving them open to more social engineering scams, and leaving their work-related postings accessible for anyone to see. So when 83 percent of the respondents to CIO Insight's May Security Survey say social networks, blogs and wikis will increase their security risks, they know whereof they speak.
Another sign younger people aren't as careful as they should be: They are more likely to have their identities stolen. Not to blame the victims—save that for the scuzzy perpetrators of these crimes—but it stands to reason that people who take more precautions are less likely to be victimized and vice versa. A 2007 study of 5,000 adults by Javelin Strategy and Research found people 18 to 24 are at higher risk of ID fraud. "Victims in this age group are less likely to use basic precautions, such as shredding documents, switching paper bills and financial statements to electronic versions or using antivirus, anti-spyware software or firewalls," Javelin's report summary states.
"Members of this age group were the most likely to fall victim to fraud in the past 12 months, with an incident rate of 5.3 percent." And that's understandable: To younger workers, computers, digital cameras and the Web have been toys and companions. But security experts know they are double-edged swords that can deliver nasty, self-administered wounds. Other more experienced IT people know it, too. If CIOs are to minimize careless online behavior—their No. 1 concern, according to this year's CIO Insight Security Survey—it's time they target younger workers and find a way to get their security message across loud and clear.