IT security policies may seem like the most logical way to govern enterprise bring your own device (BYOD) and cloud usage, but newly released survey results show that Generation Y users are increasingly willing to skirt such policies to use their own devices and cloud services.
Network security appliance vendor Fortinet Inc. has released details on a recent 3,200-user survey showing that many users aged 21 to 32 are ignoring the BYOD and cloud policies that enterprise IT teams are instituting. Fortinet found that 65% of respondents use personal devices -- smartphones, tablets or laptops -- for work purposes most workdays, with another 14% of respondents using them at least a few times a month.
Startlingly, 51% of those surveyed said they would violate a corporate policy restricting the use of personal mobile devices at work. That number represents a 42% increase when compared with respondents who answered "yes" to the same question on a similar survey Fortinet conducted last year.
Instead of jumping to conclusions regarding a potential increase in insider risk, though, John Maddison, Sunnyvale, Calif.-based Fortinet's vice president of marketing, speculated that these users are largely split into two camps: those who say, "I just want to use my device," and those who say, "I just want to do my job."
"I don't think they're doing anything mischievous. They're not going in and hacking," Maddison commented. "They're just trying to do their job or trying to use a device that is convenient for them. Even if enterprises have [BYOD] policies in place, a lot of employees are saying, 'This is the way I'm working now,' and so a lot of these IT policies need to catch up."
Maddison noted that younger users tend to choose productivity and convenience over security when necessary. For example, if a VPN service installed on a mobile device is slow or dysfunctional, Gen Y users simply choose to connect to corporate networks without that control activated.
Perhaps surprisingly, Gen Y end users seem to be more aware than ever of cybersecurity issues. Fortinet asked respondents to assess their familiarity with a variety of common infosec terms, and on the whole, user security knowledge increased over previous years. For example, 88% of respondents were at least familiar with cybercrime, 80% knew about phishing and 50% had knowledge of advanced persistent threats.
Still, this increasing level of security awareness among young users doesn't seem to extend as much into the realm of mobile and cloud technology. When asked whether they had knowledge of attacks on their personal devices, 64% of desktop PC users and 57% of laptop users were aware their respective devices had been targeted. In contrast, only 22% of smartphone users and 21% of tablet users were aware of attacks on their devices. In this case, according to Maddison, users may be taking cues from the security stance of their employers.
"I think that is because they have seen more attacks on the PC," he said, "but also that enterprises continue to insist that antivirus be installed on PCs, so they see more activity and more controls and policies on those laptops."
The same lack of knowledge regarding threats to mobile devices also seems to pervade Gen Y's view of personal cloud services. To that end, 36% of respondents said that they would use the cloud even if such activity were prohibited by IT policies. In fact, many users have already used the cloud for work purposes, with 46% divulging that they have used webmail services such as Gmail and Outlook. One out of every five users said he or she had used Google Drive and Dropbox, respectively.
Among those using personal cloud services for work, 33% said they had stored some sort of customer data such as contact details in cloud storage, with another 22% admitting they had stored sensitive documents such as contracts and business plans. Though these numbers may shock some security pros, the Gen Y users surveyed by and large seem to accept the risk posed by the cloud. 32% would trust cloud services to handle any type of data. 57% were willing to acknowledge some level of risk associated with the cloud, but said it would not deter them from storing nonsensitive data.
"A majority of people either trust the cloud or know the risks and are willing to trust it," Maddison said. "[The cloud] is making their jobs so much easier that there's a slight tradeoff between some of the risks; they understand that the risks are there, but the tradeoff is worth it from a productivity point of view."
So how should IT security teams handle this seeming avalanche of risky behavior? Maddison made three suggestions. First, perhaps unexpectedly, he encouraged enterprises to continue educating young users on both the corporate security policies in place and the latest threats against mobile devices and cloud services. Though he admitted that other statistics in the report could be used to argue against the effectiveness of user education, Maddison pointed to the 88% of respondents who agreed they should know the risks involved with using their personal devices, as well as the increase in awareness around various cybersecurity terms, as an indication that Gen Y users are willing to learn about these issues.
Second, he emphasized that organizations need to look to the network to solve these issues, with network segmentation offering one possible answer. For example, if an organization determines that it needs to be able to trust one portion of the network, it can require additional controls such as a VPN to gain access to that segment.
Third, Maddison advocated for enterprises to spend more time analyzing internal network traffic flow. He noted that all kinds of activity mentioned in the report, from usage of cloud services to mobile devices connecting without VPNs, can be viewed from the network level, where enterprises may have the best opportunity to curb risky behavior with additional network security controls.
One thing is for certain: enterprises need to get a grip on BYOD and cloud activity before the risk spirals out of control. When asked whether they might own wearable technologies such as Google Glass in the future, half of Gen Y users responded in the affirmative, and more showed interest in emerging technologies such as Internet-connected cars and televisions. Similarly, 49% of respondents indicated they would be willing to circumvent IT policies governing such technologies.
"All of these things are happening that contravene IT security policy, but in this particular market segment, the reward seems to outweigh the risk at some point," Maddison concluded. "I don't see this trend stopping; if we do this [survey] next year, I think we'll find another increase, and this will continue."