Young people to IT security: ‘What, me worry?’

Don’t tell my daughter I was talking about her behind her back, OK? A couple of weeks ago, she spilled a drink on her MacBook Pro’s keyboard. We’ve all done that. It happens. But as we discussed the damage, I assured her that, worst case, she could move her backed-up files to her new machine. Back up? Uh oh. Not only does she not back up, but the Wi-Fi network in her apartment is not secured and she uses the same weak passwords over and over.

You might wonder why I’m telling you this. It’s because a survey of young professionals and college-age students conducted by Cisco Systems confirms that my daughter’s behavior is all too common. As the Baby Boomers retire, their jobs in business will be taken by the millennial generation, who are going to be a handful for IT. And all too often, IT responds with the equivalent of “Get off my lawn!”

[ Learn about consumerization of IT in person March 4-6, 2012, at IDG’s CITE conference in San Francisco. | Get expert advice about planning and implementing your BYOD strategy with InfoWorld’s 29-page “Mobile and BYOD Deep Dive” PDF special report. | Keep up with the key tech news and analysis with the InfoWorld Daily newsletter. ]

According to the survey, which included 2,800 young adults, students, and employed white collar types across 14 countries, 7 out of 10 young employees frequently ignore IT policies, and 3 of 5 employees believe they are not responsible for protecting information and devices, believing instead that IT and service providers are accountable.

What does this mean for you as someone who is responsible for running and securing a network? In my opinion, it’s yet another wrinkle in the ongoing consumerization of IT. Young people may well have been sloppy and loathe to follow rules in the past, but fallout from those bad habits was buffered by IT’s iron control over the infrastructure. No one had smartphones to misuse, and there was no Facebook or Twitter or Google+ to become a security hole. (Facebook’s security, by the way, is a disaster waiting to happen.)

There’s another issue, and it’s more subtle. Modes of attack on corporate networks are shifting rapidly away from mass assaults on millions of computers to thrusts targeted at particular individuals, says Paula Musich, a security analyst with Current Analysis. Employees who are active on social networking sites, for example, and carelessly let on where they work or what they know will be noticed and targeted, she says. “Hackers will use them to gain entry into the system and work their way up” to more senior people and parts of the network containing sensitive information, she tells me.

The new generation gap The digital generation gap is also an issue for broader levels of management, including HR. The best and brightest potential hires have not only grown up using computers and other digital devices, they consider access to the Web and social networking services a basic right.

I’ve seen surveys in which young people say they’d prefer not to eat to not being able to use their iPhones.That’s obviously youthful hyperbole, but if you restrict them too much, they’ll refuse to work for you. Additionally, if they sign on, they’ll be out the door in a hurry when you won’t let them use their iPad or Galaxy.

Interestingly, only 10 percent of the employees surveyed said that tablets and so on are prohibited. I wouldn’t extrapolate from that number to conclude that 90 percent of global businesses allow tablets, but it is a sign that many — perhaps more than we think — have let them in the door.

About one-third of the young workers said their companies do not allow the use of social networking sites and tools. That problem extends beyond the happiness of those employees. Like it or not, social networking is a critical communications and marketing tool; companies that don’t understand it are handicapping themselves.

Of those who were aware of IT policies, 7 of every 10 employees worldwide admitted to breaking policy with varying regularity. Among many reasons, the most common was the belief that employees were not doing anything wrong (33 percent); 1 in 5 cited the need to access unauthorized programs and applications to get their job done, while 19 percent admitted the policies are not enforced.

I’m a believer in personal responsibility; if a policy is there for a reason, it should be respected, even if nobody is watching. But when a law is flouted with such regularity, there’s either something wrong with the law or someone has failed to do a decent job explaining its importance.

It would be tempting for us graybeards to dismiss the study, saying that young people are always a pain. Or you could sniff and say that Cisco is simply trying to scare businesses into buying more security. That may or may not be true, but if IT management understands that the consumerization of IT is real, it’ll put aside its middle-aged preconceptions and get with the program — the new program, that is.

I welcome your comments, tips, and suggestions. Post them here (Add a comment) so that all our readers can share them, or reach me at bill.snyder@sbcglobal.net. Follow me on Twitter at BSnyderSF.

This article, “Young people to IT security: ‘What, me worry?’,” was originally published by InfoWorld.com. Read more of Bill Snyder’s Tech’s Bottom Line blog and follow the latest technology business developments at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.