CIO

Balancing Generation Y preferences with security

As young employees enter the workforce, so does a new round of security threats

As young adults who grew up on e-mail and online chat enter the workforce, they bring with them a set of newer technologies designed for rapid-fire communication and workplace personalization. Much of this technology may represent better, faster ways of getting a job done, but it also introduces a new round of security threats for corporate networks, and the decision whether to allow it must be made carefully.

These technologies -- personal gadgets like MP3 players, thumb drives, cell phones and PDAs; real-time communication technologies like instant messaging and text messaging; and social-networking Web sites like Facebook and MySpace -- are part and parcel of the young workforce today, experts say. Called Millennials or Generation Y, this group is defined loosely as having been born between 1977 and 2002, and totals 70 million Americans -- a large percentage of whom are bound to have one of the 100 million iPods sold to date in their pocket.

Many Generation Y technologies may offer an improvement over today's status quo -- an instant message or text message is likely to get the recipient's attention more quickly than an e-mail that sits waiting to be checked in an in-box -- but they can introduce serious security threats to corporate networks, according to some security vendors.

For example, "the newer forms of attacks take advantage of Web sites with rich content and features: AJAX-enabled applications, embedded JavaScript, etc. These aren't really new technologies, but they're more pervasive now," says Paul Ferguson, network architect at Trend Micro. "And with components like Google Maps, where the processing is done on the PC instead of on the Web page, criminals are exploiting that avenue of content delivery. The ability for Web 2.0 applications to deliver that content is a Catch-22, because it also can allow you to be exploited."

For security professionals, it may seem that the prudent thing to do is to disallow the use of this kind of technology in the workplace: blacklist non-business-related Web sites; ban handheld or pocket devices from the workplace; require employees to use company-issued and maintained laptops, PDAs and cell phones. After all, as much as 40% of employee Internet activity is non-work-related, according to IDC.

Experts warn, however, that such stringent policies can have a negative effect on the workforce and its productivity, as well as the company's ability to attract and keep valued workers. "It's part of the way young employees have grown up, part of what they expect," says Tony Kerns, deputy managing partner with Deloitte & Touche. "The global pressure on the workforce right now is huge; people are drawn all over the world by great, interesting offers that are not just money but also a lifestyle."

Earlier this year, security vendor MessageGate, which makes e-mail management software and was spun out of Boeing in 2003, conducted a series of roundtable discussions with senior IT professionals and young adults entering the workforce to try to understand the issues around Generation Y technology.

One thing MessageGate learned is that younger workers' preferences for newer technology often can be good news for an organization's IT department, according to Robert Pease, the company's vice president of marketing.

"When [older workers] first entered the workforce, we could communicate with each other via e-mail, and there was a big blurring between business and personal," Pease says. Today, young workers would rather communicate with each other via text messaging or postings on Web sites, and are less inclined to misuse the corporate e-mail system with personal messages, he says. "There's a bit more discipline around corporate communications today. The bad news is, how do I control" the other channels of communication?

One risk manager at a large financial-services company who asked not to be named sees the value in providing employees with a flexible work environment, but says that flexibility must be accompanied by well-defined policies and layers of security technology. "Whenever employees are given flexibility for their hours and environment, you'll definitely have a happier, as well as more productive workforce," the risk manager says. He adds, however, "you need to specifically define parameters for what is and is not allowed in your policies, and spell out what will be the result of any violations."

Companies that believe they have communicated their policies sufficiently might need to think again. According to a survey done by security vendor Senforce last March, 73% of the 308 respondents said they store corporate data on removable media, and 46% said they did not have -- or were unaware of -- corporate security policies that protect that information.

Although presenting a flexible work environment would be particularly important for companies whose employees are their assets -- advertising and design firms, for example -- the need to maintain a happy workforce is important in any industry. "It needs to be presented as a win-win situation," the risk manager says. "Explain to the employees that following the guidelines will help to ensure the continued flexibility of the work environment. If you make things too restrictive, younger employees may just pack up and go elsewhere."

Five ways to deal with Gen Y technology in the workplace

When it comes to employees' use of personal technology at work, IT departments often have the unsavory job of enforcer. If a company's acceptable use policies are aligned with the corporate culture, however, that job becomes a lot easier.

For example, let's say a new hire in marketing calls the help desk because he can't access the Facebook Web site. If the corporate culture dictates that nonbusiness Web sites shouldn't be accessed at work -- or only during lunch and after hours -- the help-desk staff person can explain that the site is blacklisted and refer the employee to the related policy outlined in the company's handbook. If there's no such written policy, the help-desk staff person is left to do the explaining himself.

"The fundamental part of all of this is setting expectations," says Daniel Gingras, a partner at Tatum Partners, a consulting and executive staffing firm.

Gingras recommends that IT executives take the following steps:

  • Understand the culture of the organization. While it's not typically found in an IT professional's job description, understanding the corporate culture is essential to setting and implementing acceptable use policies related to technology, says Gingras. For help, look to HR, upper management, and the compliance and legal departments.

  • Craft (or update) a policy that fits with the culture. If the corporate culture disallows iPods in the workplace, the policy must state that clearly. On the other hand, if the organization allows iPods in the workplace but doesn't let employees download music or videos to iTunes, that must be specified, too.

  • Communicate the policy repeatedly. A written policy that sits on a bookshelf in the HR director's office won't serve the needs of the company. IT can play a role in communicating policy by asking new hires to sign a document that says they have read the portions of the handbook related to technology, and by setting up logon screens that contain pertinent policy information.

  • Create a level of expectation that workers will conform to the policy, and make sure you have the technology in place to enforce the rules. "You have to build in the audit trails so that you trust, but verify," Gingras says. "Everybody [should know] you trust them, until they give you reason not to." There are many data-leak prevention, content-monitoring, and compliance products on the market that create audit trails of employees' actions related to sensitive data.

  • Constantly weigh the advantages of a flexible work environment against network security. If policies are being abused -- for example, an employee continues to use his personal Web mail account for business communication, therefore potentially putting sensitive information at risk and circumventing audit trails -- consider blocking the use of personal mail accounts at work.