Gaining unauthorized Internet access and hiding your tracks have become common skills for a whole generation that feels information and communication should be free, even at work.
Cisco recently released its 2011 Connected World Technology Report, which surveyed the world’s next-generation workforce and included the views of approximately 3,000 college students and young professionals in response to the following two questions:
Is the Internet a fundamental human necessity?
Is a workplace with flexible mobility policies as valuable as salary?
The findings were striking, and give a unique glimpse into the techno-savvy and media-saturated mindset of our younger generation, who have no recollection or collective memory of a world without ubiquitous mobile communications and the Internet, and who see these as a natural human right. The meme of Internet Access as a Human Right has of course held high currency this year, and has taken on a special meaning due to the Arab Spring uprisings and the tactical and strategic role that social and other Internet media played in those tumultuous events. I tend to favour focusing on providing water and other, real necessities (try living without the Internet for a week, and then without water, and see which one is worse) first, before we begin rolling out fibreglass to every village and slum in the world, but we should still take note that a large swathe of our youth feels this way.
We need to take note because of how these attitudes translate into action in the real world. A summary of the pertinent points from a security and risk perspective, and the findings on following IT policies, should be enough to keep you awake at night:
"Of those who were aware of IT policies, seven of every 10 (70%) employees worldwide admitted to breaking policy with varying regularity. Among many reasons, the most common was the belief that employees were not doing anything wrong (33%). One in five (22%) cited the need to access unauthorised programs and applications to get their job done, while 19% admitted the policies are not enforced. Some (18%) said they do not have time to think about policies when they are working, and others either said adhering to the policies is not convenient (16%), they forget to do so (15%), or their bosses aren't watching them (14%)."
70% of the surveyed participants admitted to breaching the IT policy. On purpose and knowingly. This of course also applies to the Security Policy, or rather, especially to the Security Policy, and thus to the cornerstone and foundation of your entire Cyberdefense Strategy. Nor is this done out of total ignorance: there is awareness that the policy has been ignored, but following it is “not convenient”, or “their bosses aren’t watching them” anyway. It seems that the policies are regarded as mere trivialities, with little to no awareness of why they exist or what purpose they serve.
19% also admitted that the policies are not enforced, whether technically or bureaucratically. I would argue that that number is actually far higher, if we take into consideration that there appears to be little concern for being caught or disciplined. Many breaches would not be possible in the first place if policies were sufficiently monitored and enforced. Why is someone even able to install their own third-party software if it is not permitted? Why are they able to access sites they are not supposed to? The technical solutions and approaches to manage and enforce such policies are not new or novel. This highlights that a policy by itself is about as effective as wishing on the evening star if it is not backed by action.
At first glance, the survey implies that Generation Y is in some way less security savvy, or at least less security responsible, than their older contemporaries. This is of course a huge oversimplification. Similar studies with other age demographics do not really show any noticeable improvement due to age or generational differences. Imparting any real sense of the risks involved appears to be the real challenge, because users still believe that they know better, leaving many security stakeholders with the feeling that their users are like chimpanzees playing with a virtual loaded revolver. Nor are most businesses themselves exempt. Security awareness is a general deficit. You cannot realistically expect your employees to be more security aware than your management, or the company in general.
The real difference is that Gen Y grew up immersed in this technological Wonderland that we call the 21st century. Compared to just a decade ago, basic hacking skills are widespread and now barely seen as such. Gaining unauthorized Internet access and hiding your tracks have become common skills for a whole generation of young people that feels that information and communication should be free, even at work. It is this sense of entitlement that will be hardest to manage. Not only are they willing to break the rules with no further afterthought and without fully understanding the consequences, they may just have the means at their disposal to do so, potentially making them Generation InsecuritY.
The 2011 Cisco Connected World Technology Report is available here in PDF format.