Younger Employees May Bring New IT Security Challenges

Millennial generation will use Web 2.0 to work, study says. CIOs downplay the security impact.

by / July 8, 2008

Get ready CIOs. They're coming. They have gadgets and doohickeys galore. They like their music downloadable and portable, and they grew up with the Internet, not before it. Their idea of community is socializing with people in other cities or countries through Facebook, MySpace or instant messages, and they use e-mail so often they probably think snail mail is an endangered species.

They're the Millennials - those tech-savvy, 20-somethings-and-under bound to warm up scores of office chairs left cold by retiring baby boomers. There's a good chance many will come to a government workplace near you, but their digital literacy could prove worrisome for security-conscious bosses.

Most agencies manage sensitive citizen data: addresses, Social Security numbers, financial records and medical information. You name it, some state or local office has it, and probably electronically. The problem? Many theorize that the Millennials' penchant for online openness could unintentionally expose private information, leaving it ripe for the picking. Millennials bring innovative ideas about technology's use, but for that same reason, do they also pose new security risks?

The Hard Truth
Anti-virus vendor Symantec released a study in March 2008 assessing this issue. Symantec commissioned Applied Research-West to execute the study, and 600 participants were surveyed from different verticals, including government. Survey participants included 200 IT decision-makers, 200 Millennial workers and 200 non-Millennial workers born before 1980.

The data revealed that Millennials are more likely than workers of other ages to use Web 2.0 applications on company time and equipment. Some interesting figures include: 69 percent of surveyed Millennials will use whatever application, device or technology they want at work, regardless of office IT policies; and only 45 percent of Millennials stick to company-issued devices or software, compared to 70 percent of non-Millennials.

According to Samir Kapuria, Symantec Advisory Consulting Services' managing director, C-level administrators and agency heads view IT as a controllable asset, but Web 2.0 threatens to take control away.

"Those lines of control start to blur because the assets in question aren't necessarily that of an organization, but that of a private person or a third party," he said. "The mechanisms that allow a CXO [corporate officer] to control the usage of that asset start to dissipate as well."
Interesting facts on IT use at work include:

· 66 percent of Millennials access Facebook or MySpace, compared to 13 percent of non-Millennials;
· 75 percent of Millennials use Web mail, compared to 54 percent of non-Millennials;
· 75 percent of Millennials have downloaded software on their work computer for personal use, compared to 25 percent of non-Millennials;
· 46 percent of Millennials use an instant-messaging client on the company network, compared to 22 percent of non-Millennials;
· 38 percent of Millennials access streaming video at work, compared to 18 percent of non-Millennials; and
· only 57 percent of both Millennials and non-Millennials think they've been properly trained on their employer's technology-use policies.

Danger Ahead?
"With these sorts of online assets or social networks, you've got the capability of information within the organization to leave the organization," Kapuria said, "[though] not necessarily for malicious purposes."

Kapuria offered an example: An employee e-mails a work-related spreadsheet to his or her personal e-mail account to download at home to complete after work hours.

The spreadsheet represents an informational asset of the agency that is no longer connected to the organization's network. According to Kapuria, "The corporation is not aware that their asset is out there. And now the risks posed to those assets are things an organization cannot mitigate."

Facebook, MySpace and other Web 2.0 tools can be great networking and communication business tools - connecting with clients and building contacts. But these same tools can be terrible for privacy. Sensitive in-house data could be displayed over a public network for thousands to see. These networks can also be means for employees to store work-related

data on an unauthorized source that lacks proper security.

Technological innovation brings new conveniences and threats. Want to store a project on a portable hard drive to take home and perfect over the weekend? It could fall out of your pocket or purse and be picked up by a stranger. Those nifty instant messages are great for communicating with co-workers, but also serve as ways to bypass firewalls. Someone could unknowingly introduce malicious code to the network by sending a link to a questionable Web site through an instant message.

Dan Ross, Missouri's CIO, is aware of how security can be compromised. He oversees the Information Technology Services Division, which serves 14 state offices and more than 34,000 state workers. Still, Millennials don't scare him any more than employees of other ages when it comes to creating security risks.

"I don't worry about Millennials at all; they'll be great employees," Ross said. "And a percentage of them will do stupid things, just like a percentage of 50-year-olds will, so I don't see any difference there. It's about educating your employees and making sure they have a full understanding that if they inappropriately use state equipment there are consequences."

Ross actively encourages Millennials to join the work force. On Feb. 15, 2008, his department hosted a job fair in Second Life, a popular three-dimensional online virtual world. Their thinking was to recruit young people to government jobs by going to an environment many of them access. Missouri didn't hire any Millennials from that event, but many expressed an interest. More Second Life job fairs are planned. Ross also visits high schools and middle schools to build young people's interest in IT careers. Missouri has a centralized IT department of more than 1,100 employees, and 51 are Millennials. Ross expects 60 percent of his work force to be eligible for retirement between now and 2018.

Millennials and the Future
How might young people be workplace assets? Could all that time typing or texting make them speedy typists, able to whip up memos at the drop of a hat? Does familiarity with new and emerging technologies have its benefit? You bet, according to Dustin Lanier, director of the Texas Council on Competitive Government. The council brings state leaders together to shape policy for government departments, including IT.

"I think they've built an approach to work that involves a lot of multitasking," Lanier said of the Millennials. "Something will be loading on one screen, you alt-tab to another application and pull up an e-mail, the first process loads, you flip back, start a new process, flip to a forum and pull up a topic. It's frenetic but normal to that group."

Lanier doesn't think Millennials present more of an IT threat than their older co-workers. After all, young people don't have a monopoly on being distracted in the office. "I can't tell you how many times I've walked by people's desks of all ages and seen Minesweeper up," he said.

He thinks employers should embrace some Web 2.0 applications. Otherwise, Millennials might be discouraged from sticking around. According to Lanier, this younger work force comprises many people who think of themselves as free agents. Government should accommodate some of their habits in order to prevent them from quitting.

And of course, no discussion of the Millennial work force would be complete without input from the Millennials themselves. James Clapper, 27, and Josh Bradley, 21, work for the Missouri state government. They have ideas on how their generation could change workplaces in the future.

"As a state employee, we already rely on technology for communication," said Bradley, a computer technologist trainee. "We rely on our e-mail rather than phones most of the time." He predicts society will become continuously more dependent on technology.

Clapper, who works as a computer information

technologist, doesn't think drastic changes will be noticeable for awhile, maybe not until the post-Millennial generation grows up. But Millennials are coming, and he even has a prediction in mind.

"I think there's going to be a lot of changes, especially to Web design and the integration of instant messaging into pretty much every platform," Clapper said. He envisions an integrated instant messaging solution that interfaces with various platforms and applications on and off the Web.

Bradley doesn't think Millennials pose more of an IT threat than other ages do, and Clapper said conscientious younger workers won't exploit their Web 2.0 proficiency at the employer's expense.

What can cautious CIOs do to encourage Millennials to be more security-oriented on the job? "The approach to leveraging the Millennials and mitigating these types of risks is teaching," Kapuria said.

Kapuria thinks coaching younger employees on the security environment as it relates to Web 2.0 and existing risks might be a better approach than leaving things to IT policy alone.

Ross agrees that training all employees as security officers would also mitigate risk. He referred to this approach as "part of the most modern way of thinking about security."

Although the Symantec study indicates that Millennials use Web 2.0 applications frequently at work, time will tell if their activity causes rampant security breaches in government. CIOs will have to wait for horror stories - and success stories - of how their contemporaries deal with this situation and how prevalent the threat is.

"This is an emerging area, so there's not a big repository of success stories yet," said Kapuria. He knows of organizations with strategies in place to harness the Millennial generation and what they can do, and it has a lot to do with building an atmosphere of culture and education. "Logic is a big tool with this generation, and sharing why we have to do certain things is important," Kapuria said.

Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.

Platforms & Programs