Newly hired college grads are a particular security risk to your organization, and special measures need to be taken to manage this "graduate risk."
That's the view of Jonathan Levine, CTO of Intermedia, a Calif.-based cloud services provider whose customers employ many recent graduates.
"The problem is that new graduates are often very computer savvy, but unfortunately they are not enterprise savvy," he says. That's different to what was the case in the past – certainly when many current CIOs took their first jobs – where most graduates knew nothing about computers or the security requirements of the organizations they were joining.
He points out that from middle school or even earlier students use apps to do their school work, and use various services to share documents. But they are rarely educated about corporate requirements like information security and confidentiality.
"Coupling a technical literacy in tools like Dropbox and Snapchat with a naiveté about the way that enterprises need to operate is a dangerous combination," Levine warns.
That means it's your IT department's or security team's responsibility to provide security education to graduates. This should warn them of the dangers of using consumer services, such as cloud storage or webmail, that generally offer inadequate auditing, management capabilities and security for use in an enterprise environment.
"Data loss is a big risk that graduates can introduce when they come from an academic environment," Levine says. "They come from an environment where information wants to be free and open source programming is common, to the corporate world where we want some sorts of information to be free – and some definitely not to be free.
"We may want information to be shared, but we need to be able to know who is accessing it," he adds.
Graduates also introduce a disproportionate risk that information useful to hackers may be shared on social media services such as Facebook or Twitter. That's simply because they're accustomed to using these services without thinking about the security implications of what they're making public.
While educating graduates is key, making sure that they put what they learn into practice is also important. Here are six ways you can help ensure that this happens:
1. Judge graduates on the security they practice. Newly hired graduates usually undergo some sort of appraisal or performance review process on a regular basis. This provides the opportunity to make security – and adherence to security practices – a goal that new hires can be evaluated on.
2. Gamify security. Despite the name, this does not involve turning security into a game. Rather, it involves running incentivized security awareness programs.
This approach encourages graduates to attend security courses or gain security qualifications – which may just be internal courses or qualifications run or awarded by the IT department.
As graduates progress they can be awarded points that earn rewards appropriate to the organization, such as certificates, prizes, corporate perks or monetary bonuses.
3. Monitor graduate behavior. This adheres to the old adage of "trust but verify." The idea is that the IT department should monitor certain aspects of graduate's IT usage so that their managers can better understand how well they are adhering to security best practices – and intervene when necessary.
4. Make security easy. One way to reduce graduates' temptation to use consumer services is to ensure that there are enterprise-grade alternatives that are attractive and easy to use.
So while it may be hard to get a graduate who has grown up with Gmail to start using an email client like Outlook that they may see as ugly and unwieldy, it may be easier to wean graduates off Gmail by providing alternatives. This could be something as simple as Outlook Web Access, or a more sophisticated alternative like offering access to Exchange data on a mobile device such as an iPhone or Android tablet using ActiveSync.
5. Run a security event. As an example, Levine says Intermedia runs a "Hacktober" event every fall. During the event the security team does everything that it has warned graduates against, such as leaving USB keys around (that contain harmless malware) and sending out phishing emails (which also do no real harm.)
The team can then contact any graduates who pick up and use these USB sticks or who respond to the phishing emails – and graduates can gain kudos but reporting that they have spotted these planted USB devices or phishing emails.
6. Quick win. If there's one single thing you can do to make a big difference, Levine believes it is to drum it in to new graduates that they need to use separate passwords for each corporate system or application that they log in to.
It's important to make sure that these are different to any passwords they use to provide access to consumer services. That's because consumer services are tempting targets for hackers because they often have poor security, and if a hacker can get a password from a consumer service that's also used in a corporate environment then that presents a significant security risk.