Why Security Does Not Concern Generation Y

Security Not A Concern for Most Gen Y'ers Generation Y users don't think much of their IT departments' policies. Here's why.

Cisco's third and final installment of its 2011 Connected World Technology Report features a survey of 1,400 18-to-24 year olds with results that are challenging, if not frightening, for the IT department.

Of those surveyed, four in five think their company's policy on social media and device usage is outdated, seven in 10 admitted to knowingly breaking IT policies on a regular basis, and three in five believe they are not responsible for protecting corporate information and devices.

We know from previous Cisco surveys that the generation entering the workforce has a heightened level of expectations for Internet access and social media. These young workers want to use their own devices and often are willing to take positions that might pay less if they are allowed to bring their own gadgets to work.

The latest survey reveals that this same group--the so-called Generation Y or Millennials who have grown up with the Internet--is more likely to share personal information online, is far less security conscious than is required for the enterprise, and has an "Internet at any price" mentality.

According to Cisco, "such behavior includes secretly using neighbors' wireless connections, sitting in front of businesses to access free Wi-Fi networks, and borrowing other people's devices without supervision." That's good news for snoopers who set up Wi-Fi Honeypots to capture unwitting users' data.

What's most disturbing, and maybe it's because I work in IT, is how 36 percent responded negatively when asked if they respect their IT department.

The study didn't address why users disregard security best practices but with this Internet-at-any-cost attitude, the risks of being a target are outweighed by their need to connect. They assume it's an acceptable risk and because data theft doesn't advertise itself, they feel no sense of danger.

Some data theft does advertise itself. For example, we've all experienced at some point the fake antivirus software that pops up telling us we have 30 Trojans and if we buy their software for $39, they'll remediate it. Of course they'll max out our credit card as well. Fake AV software accounts for approximately 20 percent of malware infecting PCs. But the other 80 percent is hidden as keyloggers, or bots stealing far more than just one credit card.

Keylogging is not exclusive to PCs, either. Carrier IQ software is installed on more than 141 million mobile phones; it tracks GPS location, websites visited, search queries, and all keys pressed. On a smaller scale, a user can install a keylogger on another user's phone.

How awkward would it be to tell a colleague whose phone battery died that you won't loan him your phone for a few minutes? But in those few minutes an off-the-shelf keylogger just like the one IQ uses could be quickly installed. Designed for parents and cheating spouses, it works just as well for industrial espionage.

So there's a coming clash of cultures between these new workers and IT. There is a fear--real or imagined--among hiring managers that if they can't provide young recruits with the tools they want the way they want, the best and brightest will go elsewhere. At the same time, the IT department is under internal and external pressures to secure ever-growing amounts of increasingly fluid data.

It's no wonder why new users disrespect IT. It's the IT department who is breaking the promises of the hiring managers. IT is the chaperone at the party. Yet the consequences of data loss still fall to IT. While we are still in the transition phase of self-provisioned devices and services, we are not yet transitioning the responsibility to the user. Right now if data is lost, it's often assumed that IT didn't adequately protect it.

So what to do? Part of IT's responsibility to steward consumerization of IT is to educate the user and HR on the greater risks that come with consumerization. If IT departments are just now coming to grips with consumerization trends, then HR departments are completely in the dark about it. (Think of your own HR department.)

HR must be involved in crafting the IT security policy. While IT struggles with the ever-changing methods to secure and protect data, it leaves HR to manage the human side of it, including punitive actions. It also better prepares HR during the hiring process so they and IT are working in concert.

Embracing the consumerization of IT (CoIT) is trendy, but embracing is easier said than done. Things get sticky in day-to-day operations and enforcement, and one needs to take into account a workforce that won't respect basic security practices and doesn't respect the IT department.