During the past two weeks, IT security managers have been getting a new warning that turns the old '60s hippie slogan -- "Never trust anyone over 30" -- upside down. The new message: Twenty-somethings are putting the corporate network at risk.
Since Nov. 5, three separate studies -- from Accenture, Intel, and ISACA, a major IT users group -- have indicted the youngest generation of employees as one of the enterprise's newest and most serious security risks. People under the age of 28 -- sometimes called Generation Y and sometimes called Millennials, depending on how you define the category -- are engaging in online behavior that could expose their organizations to data leakage and information theft, the studies say.
The Accenture study, published two weeks ago, queried more than 400 students and employees ranging from age 14 to age 27. It found that more than half (60 percent) of young people "are either unaware of their companies' IT policies or are not inclined to follow them."
"When asked which technologies they currently use or access for work-related activities that are not supported by their employers, mid-Millennials [respondents aged 18 to 22] cited mobile phones (39 percent), open source technology (19 percent), instant messaging (27 percent), online applications (12 percent), and social networking sites (28 percent)," Accenture says. "Similarly, they regularly download non-standard technology from free public Web sites such as open source communities, 'mashup' and 'widget' providers."
"The message from Millennials is clear: To lure them into the workplace, prospective employers must provide state-of-the-art technologies," says Gary Curtis, managing director of Accenture Technology Consulting. "And if their employers don't support their preferred technologies, Millennials will acquire and use them anyway. In order to acquire and retain the best talent, organizations must understand the technologies that the new workforce expects -- and then find a way to support their employees without compromising enterprise security."
In a study published Nov. 13, Intel and the research firm of Penn Schoen & Berland Associates offered similar conclusions. The survey of IT professionals indicates that while younger employees are having a positive impact on the enterprise and its use of cutting-edge technology, they also create a new security risk. About half of the respondents regard Generation Y as a serious security concern, according to the study.
Younger employees' propensity to download non-sanctioned applications and social media tools was one of the chief reasons cited for IT professionals' concern. Risks posed by social networking sites such as Facebook and MySpace were the most frequently mentioned, according to the study.
Interestingly, the Intel study suggests that many IT organizations are changing their behavior to accommodate the younger employees, rather than the other way around. Nearly 30 percent of the IT pros surveyed said they have changed their IT policies to meet the demands of Gen Y, allowing employees to access their work e-mail from noncompany smartphones or other devices and, in some cases, relaxing their rules surrounding the use of social networking sites.
Some respondents to the Intel survey said they believe that tools for controlling or blocking access to certain applications or sites might be effective in controlling the Gen Y problem. Others said they will look toward tools that monitor employees' online activity and flag risky behavior.
In a study published last week, IT professional association ISACA focused its attention on online shopping at work, which is a common IT concern as enterprises approach the holidays. The study, which surveyed 973 consumers and more than 3,100 IT professionals, indicates that 63 percent of employees plan to shop online from their workplace computers. Like the other researchers, ISACA found that the greatest danger from online shopping behavior comes from Millennials -- those in the 18 to 24 age bracket. Forty percent of Millennials in the survey said they will spend up to five hours doing online shopping from their desks this holiday season. Ironically, this group is the least concerned about the security of their work PCs; almost half said they pay more attention to the security of their home machine than to the security of their office machine.
"This survey clearly shows that younger employees are more likely to engage in online activities at work that put a business' IT infrastructure at risk," said Kent Anderson, a member of ISACA's Security Management Committee. "The fact that [they] are planning to spend the equivalent of more than half a work day doing holiday shopping from their work computer, combined with their lack of concern for how secure their computer is, points to an urgent need for employee education."
When end users give their workplace e-mail address to an online retailer, they can leave the enterprise network open to a variety of threats, ISACA observed. "Yet more than two in 10 (22 percent) respondents have clicked on an e-mail link to go to a retailer's Web site from their workplace computer, and used their company e-mail address as the contact for a purchase," the study says. "In addition, one in four (26 percent) respondents either does not check -- or is unsure how to check -- the security of a site before making a purchase."
In a parallel survey of IT professionals, ISACA found that nearly half (46 percent) believe that their companies will lose an average of $3,000 or more in productivity per employee from online holiday shopping at work. More than half (55 percent) also reported that their company permits workers to shop online, but has no strategy for educating them about the risks.