Presentation summarising research findings from RSA, The Security Division of EMC, on Generation Y's attitudes and behaviours with regard to information security. The presentation also offers some guidance as to how security strategy must evolve to remain effective in the future.
5. Our Generation Y Research
n=1,000, ages 18-24
• employed full-time 25%
• employed part-time 37%
• unemployed 37%
Job search status (chart):
• Currently looking for a job: 38%
• Not currently looking for a job, but I expect to begin looking within the next year: 39%
• Not currently looking for a job, nor do I plan to look for a job within the next year: 24%
6. Security aware, but easily led and socially “promiscuous”
76% say most of their contemporaries willingly take chances with security in return for lower prices.
91% of young adults who use social networks list friends they don't know well.
• 88% are “friends” with an acquaintance
• 44% with someone they’ve met online but not in person
• 33% with someone they’ve never met online or in person
37% of social networkers admit that their social network profile info is viewable by people outside their friends’ list
34% of social networkers admit that their photos, videos, and blogs are viewable by people outside their friends’ list
Source: Generation Y Online Security Survey: TRU Research; sponsored by RSA
7. Insecure online banking practices…
81% say they bank online
66% feel very safe sharing financial information online
However…
• 42% conduct online banking transactions from a public computer
• 53% use public Wi-Fi spots
• 55% never check their credit reports
• 76% select PIN numbers that will be easy to remember
• 32% never change their passwords
Source: Generation Y Online Security Survey: TRU Research; sponsored by RSA
8. Convenience trumps safety…
76% agree it’s very important to change your online passwords/PIN numbers regularly.
55% are concerned that someone will figure out their passwords on password-protected sites.
• Yet, 32% never change their passwords on email, social network sites, or banking sites.
87% say it’s very important to use different or complex passwords for online accounts.
• Yet, 52% usually use the same password for all accounts, and 44% usually use the same PIN.
26% store their passwords on their computer/PDA so they won’t forget them.
Source: Generation Y Online Security Survey: TRU Research; sponsored by RSA
9. Reputational Risk for Employers?
77% are currently searching for a job or are about to begin job hunting
However… of the 96% that visit social networking sites:
• 56% used curse words in online posts
• 37% posted photos, videos, or comments online that include cigarettes, alcohol, or drugs
• 26% posted online comments that are sexual in nature
• 25% posted embarrassing or compromising photos, videos, or comments online that they would not want viewed by a parent or employer
• 20% found photos online that were posted without their knowledge
• 18% were a victim of someone hacking into their email or social networking account
11. With devices affordable and pervasive, “digital natives” are creating personal infrastructures that extend into the workplace
Chart: During an average workday, how many hours would you estimate that you spend using …? (hours per day; Baby boomer / Gen X / Gen Y; base = 700 white collar professionals)
• Personal computer: 7.0 / 7.8 / 8.5
• PDA, BlackBerry or smart phone: 1.1 / 1.7 / 4.0
• Mobile phone: 1.6 / 2.5 / 4.9
• All devices in survey: 10.5 / 14.0 / 23.2
Gen Y spends significantly more time using mobile devices at work.
That the sum of hours spent using devices at work totals almost a full calendar day implies significant multi-tasking and the interchangeability of the devices.
Source: LexisNexis / WorldOne Research
12. Media accessed via these devices are nearly at full penetration among Gen-Y-ers, and enterprises are adopting them too
Chart: Gen-Y: Are you a member of an online social network? (Facebook, Bebo, MySpace, etc.) Selected countries:
• Hong Kong 97%
• Netherlands 95%
• France 93%
• USA 92%
• Turkey 90%
• Chile 88%
• Brazil 75%
• Russia 73%
• South Africa 61%
• Argentina 58%
Source: PricewaterhouseCoopers, Deloitte
Chart: Penetration of Corporate Social Networking
• We post corporate videos on YouTube 13%
• Our CEO has a Twitter profile 14%
• We use social networking for recruiting purposes 23%
• We utilize social networking as a tool to manage and build our brand 29%
• Social networking is part of our business and operations strategy 30%
• Our CEO is on Facebook 31%
13. Consumerisation of IT will shift power from the company to the individual – security strategy must evolve accordingly
Employees bring personal technology to the workplace
Employees manage reputation, personal brand, job searches etc. online – often via virtual identities
Businesses increasingly leverage consumer technologies for corporate purposes
– Companies are forced to embrace consumer technology, and find scalable ways to manage the multiplicity of devices (BYOC, desktop virtualization, etc.)
– Companies are forced to develop policies and approaches for managing online risk pertaining to confidential information, brand, etc.
– Business takes ownership of online processes, end user devices and associated risk, with IT providing guidance and tools
• IT / CISO are no longer all-knowing authorities
• Some security vulnerabilities move from “forbidden” to “manageable”
• Business takes responsibility for actions of employees
15. Managing Risk and Threats
• No clear visibility to threats and exposures
• Inability to adequately address exposures
• Slow to respond
16. The CSO’s Challenge: Can they answer?
Am I secure?
Am I compliant?
Where do I have gaps?
How do I prioritize?
17. Managing Security with Accelerating Threats, Evolving Technologies, New Business Models … is not easy
• Information growth
• Mobility, virtualization & cloud
• Evolving threat landscape
• Collaboration / Exchange
Diagram: healthcare enterprise data flow, layered as Endpoint / Network / FS/CMS / Storage / Apps/DB
• Actors: agency staff, privileged users, physicians, clinical users, patients, remote employees, partners and customers (via channels, VPN and partner entry points)
• Assets: business analytics, electronic health records, replica, backup disk, backup tape, SharePoint room, file server, disk arrays, production database
• Threats: endpoint theft/loss; network leak (email, IM, HTTP, FTP, etc.); privileged user breach; inappropriate access; tapes lost or stolen; data leak; public infrastructure access hack; unintentional distribution; (semi-)trusted user misuse; discarded disk exploited
19. Security Trends – The World Has Changed
History (Outside–In) → Today / Future (Outside–In + Inside-Out):
• Perimeter → Transactional
• Static → Dynamic
• Point Products → Ecosystem Solutions
• Bolt On → Embedded
• Intrusion Detection → Content Oriented
• Visible → Seamless / Transparent
20. Summary
As Generation Y joins the workforce, the means by which we secure not only them but our enterprises must adapt accordingly
Static, perimeter-centric controls will be insufficient in a socially connected, consumer-driven, virtualised, cloud-based environment
Security must evolve to be:
• Risk based
• Information centric
• Adaptive
• Intelligent
In this siloed environment, can you answer these four questions?
Am I secure?
Am I compliant?
Where do I have gaps?
How do I prioritize?
… [from III slides] Risks that are changing, growing and getting exploited with increasing efficiency by threats originating both inside and outside the organization.
From lost or stolen laptops
To fraud and customer entry points
To privileged user breaches
To lost or stolen backup tapes
Believe it Or Not
· Hackers are increasingly targeting healthcare and medical facilities. According to the San Diego-based nonprofit organization Identity Theft Resource Center (ITRC), healthcare was responsible for 20.5% of exposed records in 2008. This totals more than 7 million records — and is the second highest percentage, behind only the government/military sector. It is partly because this sector is an easy target with lax security controls and partly because the rewards of breaking into healthcare systems are increasing as healthcare providers keep a number of records in electronic form.
July 24, 2009, Forrester, Healthcare Security: Ready Or Not, Here It Comes by Khalid Kark