Securing the Modern Enterprise - Minimizing Cyber Risks Brought on by Hiring Recent Graduates
With graduation season coming to a close, many companies are welcoming the latest class of college graduates or are preparing to do so in the Fall. While these newcomers are a welcomed addition to any organization, many of them will be bringing much more than their skills and experience to the workplace; they will be bringing a low level of cybersecurity awareness.
From reusing passwords across multiple platforms, to accessing public Wi-Fi networks without due care to leaving their work laptop in an Uber or an airport, these new entry-level hires can lead to your company’s information being compromised.
In order for organizations to successfully mitigate the risks inherent to welcoming recent college graduates to the company, it is crucial that HR executives integrate the IT team into the onboarding process. This can take the form of briefings to familiarize new hires with company security policies, and educational sessions designed to empower them to recognize and handle security threats that are common in the workplace. Cybersecurity awareness is not just a 9 to 5 concern for your employees; it’s a 24/7 constant for anyone that uses the Internet; and nowadays, that’s pretty much everyone in the world.
Here are four essential components of any cybersecurity training program:
1. Beware of phishing attacks
One of the major threats facing employees are phishing attacks. Phishing is an attempt to acquire sensitive information such as usernames, passwords, and credit card numbers by masquerading as a trustworthy entity. Phishing is typically carried out via email or instant messaging, and it often directs users to provide sensitive info as a reply to the original request, or by entering details into a fake website.
A form of phishing that is currently very common is whaling, which are phishing attacks that masquerade as legitimate requests sent by high ranking company personnel, typically the CEO. These type of attacks can be very effective against those entering the workforce for the first time that are eager to make a good first impression with the higher ups.
2. Safeguard corporate devices
Safeguarding company laptops, mobile devices, and other company issued hardware is also an important topic to cover. All employees should be trained to keep a careful watch on company devices in airports, rideshares, and coffee shops to prevent theft. Likewise, they should avoid leaving company devices unattended in the office, especially in open workspace environments. It’s not unheard of for clients, suppliers, and visitors to come in and out of the office, so there is a risk that company information could end up in the wrong hands.
For many of these entry-level hires, company issued devices will be an “upgrade” from whatever systems they were using during their college years. It is not uncommon for personnel, whether recent grads or seasoned employees, to use these devices for personal purposes when they are commuting, at home, or on the weekend. Some companies might implement strict policies against this, but even if your company doesn’t, at the very least, you should make sure your employees understand the risks of sharing these devices with other family members. In other words, do not let them do this
3. Be thoughtful about what you share on social media
Actively using social media platforms today is as common as having an email account. You could argue that social media activity trends up the more recent an employee graduated college. It’s important for personnel to understand that they represent your company at all times, and any inappropriate posts can reflect negatively on the company.
Companies are also leveraging the widespread social media use to promote their messaging and improve their recruiting efforts. In addition to increasing the risk of an employee posting something inappropriate, there is also the risk of proprietary or confidential information being leaked on purpose or inadvertently. Bottom line, make sure your new employees understand how social media can impact both them and your company.
4. Keep Shadow IT from Hiding in the Shadows
While coaching employees on how to safeguard company devices, it is equally important for them to understand what software they will be using with said devices. Recent college graduates, arguably more so than other personnel, are accustomed to using their favorite messaging apps, productivity apps, and cloud storage services. If not instructed otherwise, your new team members might start using these out of habit without giving it a second thought. These solutions that are not provided by, or explicitly approved by, an organization’s IT department are referred to as Shadow IT.
It’s critical for entry-level employees to understand basic security risks, and why IT needs to be made aware of any systems being used to store or access company information. While Shadow IT can provide as a source for innovation, employees need to communicate with the company’s IT team before using “unofficial” technology solutions and services.
This is by no means an exhaustive list, but the key takeaway is that early and frequent cybersecurity training can be a game changer that will help you better manage risks brought on by hiring recent college graduates. Your HR team is already rolling out training as part of the onboarding process, so leveraging those efforts to deliver cybersecurity awareness training should not be a herculean effort. By taking a proactive training approach, your company can prevent the loss or exposure of sensitive company information and also empower new college graduates to deal with today’s more demanding cybersecurity landscape; at work, and at home.
About the Author
Alvaro Hoyos is the Chief Information Security Officer at OneLogin, the identity management provider bringing speed and integrity to the modern enterprise. The company’s portfolio of solutions secure connections across all users, devices and applications, helping enterprises drive new levels of business integrity. He has more than 15 years in the IT sector and prior to joining OneLogin, helped startups, SMBs and Fortune 500 companies with their compliance and data privacy objectives.
Edited by Peter Bernstein