There is a broad recognition that increasing levels of vulnerability begin with the user. This is fueling the development of corporate awareness programmes on information security. To get the most out of their investment and strategically inform security management, organisations should be working with current knowledge of how behaviour is changing in the workplace. Today this is highly influenced by the proliferation of new, open mobile and social networking technologies, and the experts in this area are still in school – but not for long, writes Tim Wilson, lead volunteer, (ISC)2 Safe and Secure Online programme, and assistant director ICT, NHS East London and City.
A review of developing behaviour among the young can offer some revealing insight into the characteristics of the workforce of the not-too-distant future, as there is a strong possibility that the online behaviour of kids today will impact how they will behave when they become part of the workforce. This is because the internet plays a significant role in their lives. In a survey of over 1,500 London area students that I have presented to about internet safety, 65% of them said they use the internet every day, with 50% of children using social networking sites every day. 50% of kids are also online after 10pm on school nights.
It is critical for information security managers to develop an understanding of developing attitudes along with measures to correct them where necessary. For instance, youngsters today are uninhibited in giving out personal information – a sign that children treat online security differently to physical security. Also, they have no qualms about circumventing parent and school authorisations to access social networking sites. In light of this, there is a high likelihood that kids will take this mindset to the work environment as well. Similar to flouting parental control, ignoring company policy on acceptable use of social networking in the workplace may not be considered a serious offence by them.
As a lead volunteer with the (ISC)2 Safe and Secure Online programme, an internet security awareness programme aimed at 10-14 year olds, I have been tracking these behavioural instincts of students for three years. My findings – which have been confirmed by the UK Department for Education and Skills to be in line with similar research published in September 2011 by the London School of Economics for the UK Government and European Union – indicate that, for example, there is a strong possibility youngsters will habitually have difficulty separating the use of social networking for work from private use. This could result in a workforce prone to data leaks. Further, children who easily make callous, ill-judged personal comments about their school mates today online may demonstrate similar poor judgement about the comments they make about their employers. It all portrays an evolving risk landscape that information security managers could be doing more to prepare for today.
One way is to communicate about what kids are doing today within the workplace, adding a personal touch to information security awareness training. After all, many employees are parents and family members too. Ensuring their awareness of the perils of a careless attitude to online security amongst youngsters will make them think about their own behaviour in the workplace, encourage a more conscientious attitude towards their own accountabilities, and prompt them to monitor more of what is going on at home.
Such a cognitive approach to learning can be more effective in getting people to listen when they may otherwise flout alternative approaches to awareness training. Companies that have adopted this approach to awareness training are beginning to conclude that it brings the overarching issues and their potential impact closer to home and is more likely to motivate behavioural change than the more generic messages focussed on why security is important. These programmes equip them to teach children how to stay in control of their image, respect other people’s privacy, report bullying and unhesitatingly block contacts who appear dubious. The behaviour asked of the employees is the same.
Further, they complement the enforcement of the existing industry standards in the workplace to ensure appropriate behaviour by staff, such as ISO 27001:2005 – A.8.1.2 pertaining to employment and recruitment; ISO 27001:2005 – A.7.1 & A.10.8 for data protection; and ISO 27001:2005 – A.5.1.1 for information security. These standards are important tools to help the security manager address the blurring boundaries between the personal and work environments. More effort is required to ensure they are understood and actively managed by those tasked with enforcing them.
Overall, young people treat their online safety far differently to their real world safety and there is no reason not to believe that this behaviour will filter through to the workplace. Organisations will require approved and robust HR and information security policies and processes in place to mitigate these vulnerabilities, while there is also a real opportunity to motivate change in the workplace by helping employees today spearhead change at home.
This was first published in February 2012