Millennials a threat to federal IT security — report

Millennials are engaging in risky digital behaviors that could significantly jeopardize federal IT systems’ security as more of them enter the government workforce, a new Forcepoint survey concludes.

Nearly a quarter of the 702 employed millennials polled downloaded company files and third-party apps to personal devices without notifying IT. And while the majority of millennials said they understand and use strong passwords, 42 percent said they used the same password for multiple systems and apps, according to the report.

Moreover, Forcepoint’s survey showed only 33 percent of those polled use secure passwords for all of their accounts. Other research has shown that ratio for baby boomers is a little more than half.

“The research shows quick action is needed to prevent a generational shift from upending federal agencies’ current cybersecurity postures, as hundreds of thousands of baby boomers reach retirement eligibility in the next year,” the news release reads.


But what to do about it? The report notes that it’s already hard enough to recruit millennials, and on top of that, their “potentially risky behavior is also what makes them successful and efficient at multitasking and raising their job performance.”

“On average, millennials are able to maneuver 27 times per hour among tools such as their phones, tablets, computer and television, demonstrating a comfort level with technology that boomers never had,” the report says.

Forcepoint’s report recommends developing policy that conveys a “fresh sense of relevancy and currency to today’s workforce,” noting that “old style government directives with ‘thou shalt not …’ wording won’t resonate.”

“Millennials will ignore them,” the report adds. “Instead, when they understand and respect the rules, you can be ‘noisy’ about your security policies as you enforce them.”

Forcepoint, a cybersecurity firm, defined millennials for the sake of the survey as those born between 1977 and 1994.


It should be noted that only some of the millennials surveyed work in government, and it is unclear what the numbers would show for those specific federal employees. A breakout of behaviors specific to government-employed millennials surveyed was not available.

“The goal was to examine a wide pool of commingled government and non-gov millennials to gauge behaviors, and forecast the attitudes/preferences that are going to be more prevalent in government agencies, as government millennial populations expand,” a Forcepoint spokesperson said in an email.

Indeed, Forcepoint notes millennials are a quarter of the government workforce now, but that is expected to rise to nearly 75 percent of the workforce by 2025.

Other stats in the report were striking, such as the finding that a little less than half of the millennials surveyed said they did not have any security training. Likewise, 16 percent said it is exclusively the IT department’s job to protect them from security threats.

A small number of government chief information security officers who were also interviewed for the report said that “from a basic security protocol and control perspective, nothing new is being done to specifically address incoming millennials’ elevated risk profiles. Rather, policy changes are more related to flexible scheduling and the accessing of corporate information on mobile devices.”


Nearly two-thirds of people polled “use their personal devices for both their personal lives and work,” according to the report.

It also notes that while CISOs said their millennial employees are “hesitant to use corporate devices,” many agencies still do not allow employees to use personal devices.

“Security protocols that work with millennials’ behavioral patterns will be more effective than those that they would consider too onerous to follow,” the report notes, adding that “A clear and reasonable [Bring Your Own Device] policy, for instance, along with tools that provide greater visibility through behavioral monitoring, remain essential for any successful insider threat program.”

Written by Samantha Ehlinger

Samantha Ehlinger is a technology reporter for FedScoop. Her work has appeared in the Houston Chronicle, Fort Worth Star-Telegram, and several McClatchy papers, including Miami Herald and The State. She was a part of a McClatchy investigative team for the “Irradiated” project on nuclear worker conditions, which won a McClatchy President’s Award. She is a graduate of Texas Christian University. Follow her on Twitter at @samehlinger.