1(630)802-8605 Ravi.das@bn-inc.net

I have to admit that back in February, I turned the mid-century mark.  Whenever people asked me back then how old I was, I simply told them that I was 50, nothing more, nothing less.  I know I am probably late to the game on these age names, but it isn’t until just recently that I have seen so much use of all of these age-related terms such as Millennials, Gen Z, Gen Y, Baby Boomers, etc.  And, it wasn’t until this morning when I was perusing the Cyber news headlines that I came across it.

This one dealt with Gen Z.  Not knowing what it actually meant, I looked it up, and it merely refers to those people who were born in between the mid 90’s and the mid 2,000’s.  This generation has been labelled as the youngest generation yet to be the most well versed in using wireless devices and social media.

So, you may get an idea where this going . . . at their age (at least on the date of this blog posting), and at this in time in particular, many people at this so-called age bracket are either looking for or have procured internships at companies.  Because they stay is so limited (probably at most 2 months or so), this young generation is now becoming as much of a security threat or more than the regular employees.

It is not that they are going to be Inside Attackers with a predetermined criminal intent; but rather, the fear is now that they are unintentionally revealing secrets about the companies that they are working for on all of the Social Media sites that they have access to. 

This includes the likes of Facebook, Twitter, Instagram, Pinterest, etc.  The biggest concern is that since this age group is so young and for lack of a better term, ignorant, the Cyberattacker will go after them and will be easily able to launch Social Engineering attacks, and even Phishing attacks against them.

This is all in the hopes of getting as much confidential information as possible, and of course, turning that into a money-making opportunity, primarily by selling this stuff on the Dark Web.  In fact, according to IBM’s X-Force Red team, they were even able to manufacture their own fake ID badge and gain access to a company while claiming to be an intern at that company.  Pretty scary, huh?

Apart from this, the X-Force Red team has even conducted their own research project onto some of the actual security threats that have been posed by the Generation Z employees.  This includes them posting stuff on Social Media like details about the office layout where they work at, proprietary company information and data, and even badge information and direct pictures on them. 

Apparently, even video blogging is a big thing with Generation Z.  Apparently, rather than writing about their experiences as a summer intern, they have now turned to the use of the camera on their Smartphone and actually recording a live video as to what they are learning. 

This then gets uploaded to other Social Media sites like You Tube and Snapchat.  Given this, the Cyberattacker does not even need to launch Social Engineering attacks, they can get all of their information that they need right here.

Or, the Cyberattacker can reach out to these individuals in an offline venue (not during official hours) and still ferret information from this young crowd.  According to the IBM team, they were able to successfully garner confidential information and data about these companies 75% of the time within just a three-hour time span. 

Even job boards like Glassdoor and Indeed are also getting the shaft as being security risks as well, because they very often post former employee reviews about the companies that they have worked for, and they also post various salary ranges and even potential interview questions. 

This is of course, can be crafted very easily into a Phishing Email by the Cyberattacker.  Worst yet, they can write the messaging in such a way that it can play on employee’s frustrations at the company they already work for, given the responses that have already been posted.

My thoughts on this?

Back when I was this age, the thoughts of even having a Smartphone, such as the old iPhone that I have now, was just a pipe dream.  I was even lucky to get to drive the family car when I got my driver’s license.  If I had to call my parents, I would have to ask a teacher for permission to use their traditional, landline phone. 

The times have certainly changed since then.  It has come to the point now where parents are even fearful of giving their kids a Smartphone until they hit college age, because they simply don’t want them to become couch potatoes and playing on their mobile devices all day.  This I totally support, even though I have no kids (all I have are three cats, and all they do is just sleep all day).

But back to Cybersecurity . . . the fears of Insider Attacks is something I have written several blog posts about.  I had mentioned that this is probably one of the most difficult forms of Cyberattacks to detect, because it could even be your happiest employee that is planning to launch something against your company.  But all of these blogs were in reference to employees that have already been working in a full-time capacity.

Now, Corporate America is dealing with something else . . . Insider Attacks from summer interns.  Yes, there is talk that you should provide all of your employees with security training and education into your policies as part of their onboarding process when they are first hired.  But you need to hold summer interns at a much higher level.

To be brutally honest, even if you train them, they probably won’t care.  They will still carry about their ways like they always have had.  But as a business owner, it is your responsibility to make sure that you keep a constant watch them.  Yes, this could be a waste of your time personally, but you could always assign your intern to a mentor who can keep tabs them, especially what they post on Social Media sites.

Of course, you need to warn them what the penalties are if they don’t abide by your rules.  But if they are consistently putting up stuff and content that you do not want them to, then simply terminate them, and find another intern.  Yes, this is a rather drastic step, but after all, you have to protect the IT Assets of your company.  And, by taking these kinds of drastic steps, this will also set forth an example for your full-time employees as well.

Really in the end, it’s a Catch-22, especially in the Cybersecurity industry.  Because of the severe workforce shortage, companies are hungry to bring on interns, so that they can train them in the hope of making them full time employees. 

But yet, they can also pose the biggest security threat.  More than likely, their actions are not intentional, but rather innocent in nature, as they want to simply boast about and share their experiences with their peers.  It’s only human nature to do so.

Finally, for the business owner, there are two ways you can protect yourself:

*Provide to your interns company issued equipment that are to be used during work hours – by doing this, you can install software onto them that will keep track as to how they are using them.  Warn them to never use their own devices for work related matters, and to take steps even further, have them store their personal Smartphone in a locker that you provide them with.  They can only get it during the lunch hours or after they leave work.  Sounds sort of drastic, but what other choice do you have in the matter?

*Always keep tabs on the activity of their Social Media sites and see what they are posting.  The minute you find something that is about your company, warn them immediately and ask them to take it down.

*Never, ever give your interns access to company owned Social Media websites (unless, of course, they are marketing interns).