Tech-savvy Generation Y workers can be an advantage in the enterprise, says James Beeson, CISO at GE Capital Americas. Marcos Colón reports.

Last year, when James Beeson’s son was at Texas Tech University, studying to become an engineer, he came across a calculus problem that had him stumped. So, the 20-year-old did the only obvious thing a shrewd college kid would do: He asked his family and friends for help – without exerting too much effort. 

So rather than going through the manually intensive process of reaching out to each person one by one, he took a high-resolution picture of his laptop screen, and sent the photo in a group text message to everyone. 

Beeson was impressed by his son’s ingenuity and efficiency. But Beeson, who has been CISO and IT risk leader at GE Capital Americas, a commercial financing and leasing provider, since 1997, also knew the episode underscored how a younger generation of users thinks and operates, the type of mindset that could introduce security risks to employers.

“I think they’re so used to sharing and so used to having a much more open environment, that they’re used to going wherever they need to get things done, without necessarily thinking about the ramifications of the data they may be creating,” Beeson says.

With nearly 15,000 endpoints, many of them bring-your-own-devices (BYOD), deployed in GE Capital Americas, Beeson deals with many employees who resemble his son in terms of IT practices. Whichever way you like to refer to them – digital natives, millennials, Generation Y – there has been a steady influx of young, tech-savvy individuals entering the workforce. And because text messaging and web surfing are all they’ve ever known, their inclination to adhere to an organization’s security policies and guidelines may not be as firm as their predecessors’.

“I don’t see [the way they act] as a problem,” Beeson says. “I see it as a great way to solve problems collaboratively and quickly. What I do see, though, is that we’re not ready for it from an information security and data protection perspective.”

But thanks to his children, Beeson has been out in front of this new challenge, implementing forward-thinking security awareness training, acceptable-use policies and technology controls to help manage younger workers’ tendencies and their toys. “I’ve watched the way they have been brought up and have used technology and I’ve seen the shift,” Beeson says of his children. “I’ve also seen it at work with the younger generation that comes into the workforce.”

The challenge facing Beeson and many other security professionals was validated by Cisco’s recently finished “Connected World Technology Report,” whose respondents ranged from college students to young employees, ages 18 to 30, and IT professionals in 18 countries, including the United States. The data concluded that Gen Y tends to not be as compliant with security guidelines.

Seven of 10 employees admitted to knowingly breaking IT policies on a regular basis, and three out of five believed they were not responsible for protecting corporate information or devices from potential threats. And most worrisome of all, according to the findings, these respondents may be fully aware that they’re breaking the rules, but they do it anyway.

Risky business

A majority of the risks associated with digital natives emanates from their use of social media, Chenxi Wang, the former vice president and principal analyst at Forrester Research, says. Seeing as they’ve grown up socializing online even more than in person, the lines are blurred when it comes to these platforms.

“It’s not in their DNA to think twice about posting something [work-related] on a public forum,” Wang says. “They’re not brought up to consider that there is certain information that should not be posted on places like Facebook and Twitter because they’ve always lived and breathed these platforms.”

Based on a Check Point study, the sources of attack causing the most concern for this new breed of worker are social and P2P file-sharing networks, while email or phishing attacks remain problematic for the “baby boomer” generation.

It’s time for firms to make some adjustments to accommodate the advantages digital natives can bring, says Steve Durbin, global vice president of the Information Security Forum, a nonprofit organization that works with enterprises around the world to address security and risk management issues.

He says companies should focus on creating an environment that empowers, rather than limits, the abilities of Gen Yers. “It’s about enabling [them] to, dare I say it, have fun doing [their] job,” Durbin says.

But, there are risks that must be addressed. Wang points out that younger workers are tethered to their smartphones. And, with mobile malware increasing, a BYOD-friendly environment could be ripe for security incidents. 

Once an employee joins an organization that supports BYOD, their device will likely start touching sensitive data, something that they’ve never experienced before, says Domingo Guerra, president and CEO of Appthority, a San Francisco-based mobile application security firm.

“At home, everything they own, even if it’s quite personal, they didn’t consider to be sensitive data,” Guerra says. “They’ve shared their relationship status on Facebook. When they get to work, it’s a clash of culture because you can’t share everything you do at work with the world.”

However, Gen Y isn’t the only group to point a finger at for excessive use of mobile devices, says Zach Lanier, senior research consultant at Accuvant, a Denver-based firm that helps align IT security and business objectives. This phenomenon also extends to the so-called consumerization of IT. “These are not just corporate email devices anymore,” Lanier says. “They’re gaming and social media devices. The phone is not the main feature anymore.”

Beeson agrees. He says that in the 1980s and 1990s, business was driving the consumer world, and whichever technology or software tools were purchased for use at home was based on what was used in the office. But that’s changed. “Now it’s the consumer who is driving what we use at work,” he says.

Aside from sharing personal information via their mobile devices, millennials also may fall victim to malicious applications. According to a recent study from NQ Mobile, the most common method used by malware authors to compromise data on mobile devices is through “app repackaging,” disguising malicious apps that are downloaded onto smartphones as legitimate ones.

“If you look solely at the choices that they make and the proclivity that they have to install random applications on their phones without thinking about what the permission prompts mean, and what communication channels that might offer a malicious actor, then I might say maybe they’re not so security savvy,” Lanier says.

However, he adds that the answer doesn’t lie in creating closed environments or placing endless limitations on an organization’s BYOD strategy. Instead, Lanier says digital natives should be required to opt in to the policies set in place for an enterprise’s BYOD environment.

“If you agree to bring your cool, shiny, new device and hook it up to our network, the compromise is that you have to accept that we will exhibit some control over that,” Lanier says.

Productivity versus security

Appthority’s Guerra adds that a locked-down environment is not the way to go, seeing as it won’t jibe with younger employees and could limit their productivity. Instead, he views their ability to use collaborative tools, both on desktops and mobile devices, as a major benefit for organizations.

“The young generation is great at working in teams and collaborating online,” Guerra says. “You are able to keep people happier if they have the tools they feel will make them productive. Gen Y is not dumb. They just don’t know what a risk is and why it’s a risk. If you give them the tools and information, they’ll most likely be more compliant.”

While there are challenges that come with employing a nascent workforce, there’s no denying the benefits they offer enterprises. 

According to the previously mentioned Check Point survey on Gen Y versus baby boomers, only 31 percent of Gen Y respondents ages 18 to 25 believe that security is more important than productivity. While this may seem like an unattractive statistic for security professionals, Beeson says the level of productivity digital natives offer organizations far outweighs the risks. 

“They’re timely, but not time managed,” he says. “They don’t care about working in an environment that’s nine to five. They share knowledge constantly.”

But, to enable this brand of worker to reach maximum productivity, it must be given the proper tools. A study conducted by Johnson Controls Global Workplace Innovation, which surveyed 2,800 digital natives, revealed that 77 percent of respondents believe advanced technologies in their workplace are “important” to “very important.”

Durbin says that a majority of Gen Y employees think IT departments are slow to pick up on the latest trends and developments in technology.

“It’s all about speed, [the] latest technology and the tools as a means to get the job done,” Durbin says. “I think if you look at that perspective and compare that with the kind of environments that we see in most large enterprises, you can begin to understand some of the pinch points that are going to exist as Gen Ys become more prevalent in the workplace.”

Turn back the clock

According to Beeson, the perceived IT needs of younger staff can coexist with the data security and privacy requirements that companies face, but it comes down to understanding the behaviors and needs of millennials. To do so, he recommends that security practitioners find their own “digital mentors,” much like his own children are to him. It could be a young employee at an organization, or one’s own son or daughter.

“Coach them and let them coach you,” he says. “Getting that understanding makes a big difference in how you can actually leverage and use the devices and technology to your advantage the way that they use them.” 

While Beeson says there’s certainly a gap that needs to be bridged in the enterprise between millennials and boomers, he says education may be the answer. Security professionals need to start thinking more about the access needs of their colleagues, without having a close-minded approach to security. 

“Try and educate the ‘digital immigrants’ on how the digital natives act, work and play, and try to educate the digital natives on why there are risks,” he says.

There’s no dodging the wave of talent that’s flooding into the workplace, Beeson says, and IT must start thinking about ways to embrace it.

“If we want to go higher and bring on the best and brightest into our companies, we’ve got to understand this and figure out ways to use it,” he says.