Gaining unauthorized Internet access and hiding your tracks have become common skills for a whole generation that feels information and communication should be free, even at work.
Cisco recently released its 2011 Connected World Technology Report, which surveyed the world’s next-generation workforce and included the views of approximately 3,000 college students and young professionals in response to the following two questions:
Is the Internet a fundamental human necessity?
Is a workplace with flexible mobility policies as valuable as salary?
We need to take note because of how these attitudes translate into action in the real world. From a security and risk perspective, the findings on following IT policies should be enough to keep you awake at night:
“Of those who were aware of IT policies, seven of every 10 (70%) employees worldwide admitted to breaking policy with varying regularity. Among many reasons, the most common was the belief that employees were not doing anything wrong (33%). One in five (22%) cited the need to access unauthorised programs and applications to get their job done, while 19% admitted the policies are not enforced. Some (18%) said they do not have time to think about policies when they are working, and others either said adhering to the policies is not convenient (16%), they forget to do so (15%), or their bosses aren’t watching them (14%).”
70% of the surveyed participants admitted to breaching the IT policy. On purpose and knowingly. This of course also applies to the Security Policy, or rather, especially to the Security Policy, and thus to the cornerstone and foundation of your entire Cyberdefense Strategy. Nor is this done out of total ignorance: there is awareness that the policy has been ignored, but following it is “not convenient” or “their bosses aren’t watching them” anyway. It seems that the policies are regarded as mere trivialities, with little to no awareness of why they exist or what purpose they serve.
19% also admitted that the policies are not enforced, whether technically or bureaucratically. I would actually argue that that number is far higher, if we take into consideration that there appears to be little concern for being caught or disciplined. Many breaches would not be possible in the first place if policies were sufficiently monitored and enforced. Why is someone even able to install their own third-party software if it is not permitted? Why are they able to access sites they are not supposed to? The technical solutions and approaches to manage and enforce such policies are not new or novel. This highlights that a policy by itself is about as effective as wishing on the evening star if it is not backed by action.
At first glance, the survey implies that Generation Y is in some way less security savvy, or at least less security responsible, than their older contemporaries. This is of course a huge oversimplification. Similar studies with other age demographics do not really show any noticeable improvement due to age or generational differences. Imparting any real sense of the risks involved appears to be the real challenge, because users still believe that they know better, leaving many security stakeholders with the feeling that their users are like chimpanzees playing with a virtual loaded revolver. Nor are most businesses themselves exempt. Security awareness is a general deficit. You cannot realistically expect your employees to be more security aware than your management, or the company in general.
The real difference is that Gen Y grew up immersed in this technological Wonderland that we call the 21st century. Compared to just a decade ago, basic hacking skills are widespread and now barely seen as such. Gaining unauthorized Internet access and hiding your tracks have become common skills for a whole generation of young people that feels that information and communication should be free, even at work. It is this sense of entitlement that will be hardest to manage. Not only are they willing to break the rules without a second thought and without fully understanding the consequences, they may just have the means at their disposal to do so, potentially making them Generation InsecuritY.
The 2011 Cisco Connected World Technology Report is available here in PDF format.