Newly hired college grads are a particular security risk to your organization, and special measures need to be taken to manage this "graduate risk."
That's the view of Jonathan Levine, CTO of Intermedia, a Calif.-based cloud services provider whose customers employ many recent graduates.
"The problem is that new graduates are often very computer savvy, but unfortunately they are not enterprise savvy," he says. That's different to what was the case in the past certainly when many current CIOs took their first jobs where most graduates knew nothing about computers or the security requirements of the organizations they were joining.
He points out that from middle school or even earlier students use apps to do their school work, and use various services to share documents. But they are rarely educated about corporate requirements like information security and confidentiality.
"Coupling a technical literacy in tools like Dropbox and Snapchat with a naiveté about the way that enterprises need to operate is a dangerous combination," Levine warns.
That means it's your IT department's or security team's responsibility to provide security education to graduates. This should warn them of the dangers of using consumer services, such as cloud storage or webmail, that generally offer inadequate auditing, management capabilities and security for use in an enterprise environment.
"Data loss is a big risk that graduates can introduce when they come from an academic environment," Levine says. "They come from an environment where information wants to be free and open source programming is common, to the corporate world where we want some sorts of information to be free and some definitely not to be free.
"We may want information to be shared, but we need to be able to know who is accessing it," he adds.
Graduates also introduce a disproportionate risk that information useful to hackers may be shared on social media services such as Facebook or Twitter. That's simply because they're accustomed to using these services without thinking about the security implications of what they're making public.
While educating graduates is key, making sure that they put what they learn into practice is also important. Here are six ways you can help ensure that this happens:
1. Judge graduates on the security they practice. Newly hired graduates usually undergo some sort of appraisal or performance review process on a regular basis. This provides the opportunity to make security and adherence to security practices a goal that new hires can be evaluated on.
2. Gamify security. Despite the name, this does not involve turning security into a game. Rather, it involves running incentivized security awareness programs.
This approach encourages graduates to attend security courses or gain security qualifications which may just be internal courses or qualifications run or awarded by the IT department.
Sign up for MIS Asia eNewsletters.