Cybersecurity, Risk and Generation Z

Nimbus Ninety members gathered on 19 November to discuss cybersecurity at The Cavalry and Guards Club in Mayfair.

The youth of today

It’s a truth universally acknowledged that a middle-aged mother typing with one finger must be in want of her teenager’s help. Whether it is knowing how to set up a Dropbox account or how to browse online without leaving a trace, digital has become a natural world for younger people to interact and engage with.

Perhaps this can be attributed to the shift that happens when a child goes to secondary school at the age of 11. Their mobile phone becomes the central device; consumption of YouTube and time spent on social media skyrockets. These platforms naturally become the worlds that augment their reality. Platforms like Snapchat and Instagram provide the metrics for bonding social capital: Snapchat’s 'streak' function keeps count of the number of days you and your friend have snapped each other, effectively measuring the digital loyalty of one user to another.

This has also led to a less rigid approach to cybersecurity: in a teenage relationship, sharing your Netflix password is a sign of trust and fidelity. Secrecy is understood by Gen Z to be interpersonal; security is thus understood in the same way.

In a TF-IDF test, people aged 11 to 89 were asked to describe what cybersecurity is to someone who doesn’t understand it. Children were inclined to use words like “bullying”, “social media” and “safety” in their explanations, while adults talked about “passwords,” “hacking” and “banking”.

With this generation of digital natives entering the workforce, security culture will be changed. While we think about how we can teach them about cyber safety, perhaps the real question we should be asking is how can they teach us?

Humans are messy

Security is crucial to working in any company that has any sort of data – but firewalls and security updates are all too notorious for ending an afternoon of what-could-have-been productive work. Where, thirty years ago, employees used to be in the office, using company computers with the same security software, dangers nowadays lie in the disperse nature of work: people can work from home, on the train, or in a coffeeshop. Each of these has its own risks in terms of security.

Historically, security policies have been somewhat of a blocker to innovation. They operate on a one-size-fits-all system, with few number of policies being applied to as many users as possible. While this may seem efficient, it doesn’t do the job.

Risk-adaptive protection is the new innovation in cybersecurity. The idea is that by analysing the particular risk for each individual working with each data set, you end up with a personalised, and far more effective, security policy. And if we can adapt the policy in real time as the risk evolves? We’re onto a winner.

But really, the core of cybersecurity is about empowering the users. Rather than letting security hinder productivity and innovation, the key is for security to become an enabler for its users. The problem here, sadly, lies in human nature itself.

Humans are unpredictable. They’re selfish and dishonest. They’re prone to making mistakes and mess-ups. Contrary to popular belief, only 23% of cybersecurity threats are posed by malicious hackers.

13% is the compromised user, while a staggering 64% is the accidental insider – people who have inadvertently leaked data or are attempting to work within a broken business structure.

Understanding users and their behaviours is the first step in creating an effective cybersecurity policy. After that, we need to start adapting our security to each particular mess, for it to effectively clean it up and prevent further spillages.

Defining a culture

Once we have analysed the behaviours and created an evolving and tailored security solution, there’s still the challenge of evolving security culture within the workplace. This is perhaps the hardest part of all: adaptive security policies are challenging to create and implement, but changing the cultural mindset is an even greater obstacle.

The movement from promoting awareness to embedding behaviours is tricky; but organisations can only be secure if they can turn humans into their strongest defence, and build human firewall.

Blaming people for security breaches is one of the most prolific, and most unhelpful, mindsets to overcome; positive communication from leadership is key to changing this. Instead of focusing on when employees do something wrong, we need to start recognising them when they do something right. It’s a mindset issue.

And it’s not just in the workplace; the need for a mindset shift permeates our entire culture. Free WiFi is a huge culprit for perpetuating overly relaxed attitudes to cybersecurity. It is, of course, free to use in monetary terms, but that doesn’t mean it comes without cost. Putting your email in gives away data, and allows the provider to build up a picture of your digital identity. Not to mention the open nature of public WiFi which is a breeding ground for hackers.

Culture and mindset must shift towards understanding that data is an asset – and we need to protect it.

The Humans are Coming... took place on 19 November at The Cavalry and Guards Club. It was held in partnership with Forcepoint, with the aim of exploring the threats posed by internal actors.

Forcepoint offers security software which takes a new approach. With a focus on intelligence and human behaviour, Forcepoint provides a new perspective on security with the intention to make an impactful difference in the cyber security space, to safeguard users, data and networks from internal and external threats.