Gen Y is Hardening Stance against Corporate BYOD/Bring-Your-Own-Cloud Policies

By Peter Bernstein October 21, 2013

For everyone with passion about enterprise security, the growing terms “IT Anarchy” and “Shadow IT” have become all too familiar. For the uninitiated, these terms apply to two immutable trends:

  • The proliferation of Bring Your Own Device (BYOD) usage by all enterprise IT users and their desire to use applications and third-party cloud-based capabilities.
  • The behavior of aforementioned users to make use of these capabilities whether they are sanctioned by IT or not.

The latter is particularly troubling because the increase in unauthorized use means IT’s ability to manage corporate risks in the face of the exponential explosion of vectors of vulnerability is significantly and possibly catastrophically compromised. 

There is a massive tug-of-war going on. Companies, sometimes grudgingly, are trying to strike a balance between enabling employees to leverage all of the value BYOD devices accessing capabilities and content yet do so in a manner that is safe and secure. The security industry is working furiously to help IT meet the challenges of increased vulnerability in an environment where visibility into what is going on is problematic, making the creation and enforcement of safe practices difficult at best. However, users are impatient and have taken matters into their own hands. They don’t want to wait and they don’t trust IT to act in the users interests. That is why the term “anarchy” resonates as a description.       

The shadow of “shadow IT” looms large with Gen Y

What makes this situation confounding is that despite IT and security vendor efforts to address the problems, security solutions provider Fortinet’s just released, The Fortinet Internet Security Census 2013, indicates that things are getting dicey. In fact, with the critical age group now increasingly populating most enterprises, Generation Y, one could almost say we have reached crisis proportions in regard to their disdain and lack of trust in IT. This should serve as a major call to action.

Based on findings from an independent 20-country survey of 3,200 employees aged 21-32 conducted during October 2013, the research showed a 42 percent increase in the willingness to break usage rules compared to a similar survey conducted last year. The new research also describes the extent to which Generation Y have been victims of cybercrime on their own devices, their ‘threat literacy’ and their widespread practice for storing corporate assets on personal cloud accounts.

There is a lot to mull over in the key findings.

Strong Trend of Contravention: Despite respondents’ positivity about their employers’ provisions for BYOD policy, with 45 percent agreeing this ‘empowers’ them, 51 percent stated they would contravene any policy in place banning the use of personal devices at work or for work purposes.

As the authors note, “This alarming propensity to ignore measures designed to protect employer and employee alike carries through into other areas of personal IT usage.” For example, 36 percent of respondents using their own personal cloud storage (e.g. DropBox) accounts for work purposes said they would break any rules brought in to stop them. 

image via

In addition, when asked about emerging technologies like Google Glass and smart watches 48 percent would contravene any policy brought in to curb use of these at work. This is important based on Gen Y’s views that wearable tech is likely to become widespread at work or for work purposes soon. Indeed, 16 percent said ‘immediately’ and another 33 percent stated it will happen when costs come down. Only eight percent of the respondents disagreed that the technologies would become widespread.

Widespread Use of Personal Cloud Accounts for Sensitive Corporate Data: 89 percent of the sample has a personal account for at least one cloud storage service. DropBox led with 38 percent, and 70 percent of personal account holders have used their accounts for work purposes. In addition, 12 percent of this group admits to storing work passwords using these accounts, 16 percent financial information, 22 percent critical private documents like contracts/business plans, and 33 percent store customer data.

Interestingly, 32 percent of the cloud storage users sampled stated they fully trust the cloud for storing their personal data, with only 6 percent cited an aversion through lack of trust. In other words, cloud trust is approaching the declining IT trust numbers.

Threat literacy required as survey reveals attacks really do happen: When asked about devices ever being compromised and the resulting impact, over 55 percent indicated an attack on personally owned PCs or laptops, with around half of these impacting on productivity and/or loss of personal and/or corporate data.

A possible silver lining, which may be temporal, was that attacks were far less frequent on smartphones 19 percent with a slightly higher proportion resulting in loss of data and/or loss of work productivity than on PCs/laptops, despite the sample reporting a higher level of ownership of smartphones than for laptops and PCs. The same percentage was observed for tablets (19 percent), but with greater consequences, since 61 percent of those attacks resulted in significant impact. This is indicative, probably, of how tablets are used and by whom since many managers (Gen Y is moving up the ranks) now cannot live without them and as other research has shown they have a higher than average proclivity to contravene corporate policies and rules regarding best practices for access apps and content.

Don’t ask and don’t tell

Among one of the worrying findings of the research, 14 percent of respondents said they would not tell an employer if a personal device they used for work purposes became compromised.

The research examined ‘literacy levels’ for different types of security threat. Here too the results were illuminating if contradictory revealing two opposing extremes, “ignorance” and “enlightenment.” The gap between the two was an average of 27 percent with minimal awareness.

Showing how far enterprises need to go in educating their users, when questioned on threats like APTs, DDoS, Botnets and Pharming, up to 52 percent appear completely uneducated.

Another somewhat good news finding was the survey revealing a correlation between BYOD usage and threat literacy. It seems that the more frequent the BYOD habit the better a respondent’s understanding of threats. As the authors note, “This represents a positive finding for organizations when considering if/when to bring policies in alongside training on the risks.”

“This year’s research reveals the issues faced by organizations when attempting to enforce policies around BYOD, cloud application usage and soon the adoption of new connected technologies,” said John Maddison, vice president of marketing for Fortinet. “The study highlights the greater challenge IT managers face when it comes to knowing where corporate data resides and how it is being accessed. There is now more than ever a requirement for security intelligence to be implemented at the network level in order to enable control of user activity based on devices, applications being used and locations.”

“It’s worrying to see policy contravention so high and so sharply on the rise, as well as the high instances of Generation Y users being victims of cybercrime,” continued Maddison. “On the positive side, however, 88 percent of the respondents accept that they have an obligation to understand the security risks posed by using their own devices. Educating employees on the threat landscape and its possible impact is another key aspect for ensuring an organization’s IT security.”

It is unfortunately obvious what flows from these findings. The workforce is changing demographically, and expectations of those who are digitally adept about what they can and will use need to be modified within the context of what IT needs and should have control over. This is arguably the biggest challenge IT faces today as it architects the enterprise ICT environment of the future. As we all know trust is hard to earn, easy to lose and difficult to get back. We all may feel entitled to use our devices and apps as we see fit, but boundaries need to be established and trust restored to avoid the consequences of bad actors doing very bad things.

Edited by Ryan Sartor
Related Articles

Why People Don't Update Their Computers

By: Special Guest    7/13/2018

When the WannaCry ransomware attacked companies all over the world in 2017, experts soon realized it was meant to be stopped by regular updating. Even…

Read More

More Intelligence About The New Intelligence

By: Rich Tehrani    7/9/2018

TMC recently announced the launch of three new artificial intelligence events under the banner of The New Intelligence. I recently spoke with TMC's Ex…

Read More

Technology, Innovation, and Compliance: How Businesses Approach the Digital Age

By: Special Guest    6/29/2018

Organizations must align internally to achieve effective innovation. Companies should consider creating cross-functional teams or, at a minimum, incre…

Read More

Contribute Your Brain Power to The New Intelligence

By: Paula Bernier    6/28/2018

The three events that are part of The New Intelligence are all about how businesses and service providers, and their customers, can benefit from artif…

Read More

TMC Launches The New Intelligence - an Unparalleled AI and Machine Learning Conference & Expo in Florida

By: TMCnet News    6/28/2018

TMC announced the launch of The New Intelligence conference and expo - The Event Powering the AI Revolution. This exciting new event will take place o…

Read More