October 21, 2013
By Clay Dillow
FORTUNE — It’s difficult enough to keep a sprawling company IT network safe from external threats, but as younger generations that grew up in the always-connected Internet age continue to move into the workforce, it’s growing increasingly difficult to protect it from threats within. A new 20-country survey by network security firm Fortinet shows that among employees aged 21-31, more than half would circumvent any company policy banning the use of personal devices at work or for work purposes.
For CIOs and IT security chiefs trying to keep their secure corporate networks quarantined only to company-approved computers and devices, that kind of employee behavior can create huge vulnerabilities. A number of apps exist that allow a computer’s Internet connection to be shared with an unauthorized tablet or smartphone that could be pre-infected with malware. These work-arounds are very hard to detect at the network level. According to Fortinet’s research, simply asking employees not to plug their personal devices into the company network isn’t a viable solution either. A full 51% of the 3,200 surveyed said they would find a way around any policy banning use of their personal devices – a 42% increase compared to a similar survey conducted just last year.
“These younger employees are willing to take as many shortcuts as they can in order to use the technologies that they’ve spent literally their whole lives embracing,” says Richard Henderson, a security strategist and threat researcher at Fortinet. “So are we really surprised that these young professionals are virtually demanding access to the same technologies 24/7, wherever they go?”
That more than half of Generation Y employees are willing to do whatever it takes to use their personal technology at work is troubling from a network security standpoint, Henderson says. But to read it as a signal that companies should strengthen their anti-BYOD (bring your own device) policies is to misunderstand the generational change that’s happening in the workforce. If companies don’t embrace the BYOD phenomenon, they’re going to be left behind by companies that do (some companies even treat BYOD policies as a perk when hiring). And in the long term, companies are going to find themselves exposed by those employees clever enough to contravene the rules.
“The real question here is: As we move into this new reality where young employees have grown up with the Internet and want to be always on and always connected, how do companies position themselves to protect themselves and also embrace these technologies?” Henderson says.
The BYOD threat goes beyond hardware devices. As more technologies that young people have embraced move into the cloud, the lines between work-related IT and personal technology have blurred further still. Nearly 90% of those surveyed have a personal cloud storage account (with Dropbox accounting for 38% of that number), and 70% of that cohort admitted to using that account for work-related purposes, like swapping files between their work-approved computer and their personal computer or tablet device.
Broken down further, the numbers don’t look any less nightmarish for a CIO: 12% of that group use their cloud storage to store work passwords, 16% admitted to storing financial information, and 22% have kept private documents like contracts or business plans stowed away there for access when offsite. Those numbers perhaps pale in comparison to the fact that a third of those with personal cloud storage (33%) have used it to store customer data.
These trends come from a group that also exhibits a high level of threat literacy, according to Fortinet’s numbers; 55% of respondents claim to have been the subject of a data breach or other cyber attack on their personally owned PCs or devices.
The lesson here isn’t that younger employees are unaware of the potential hazards associated with their behavior, but that they are so wed to their personal technology that they are going to use it anyhow. “It’s a given,” Henderson says. “It doesn’t matter how tight of a network you run, someone will always find a way to connect a device.”
The key, rather than tightening BYOD restrictions that employees won’t follow anyhow, is to develop a kind of give-and-take between employer and employee, Henderson says. Employers have to give up a little control by allowing employees to bring the technologies they like onto the network (this can also beget a marginal uptick in productivity, as employees tend to work more efficiently using technology they like and intuitively understand). Employees, likewise, have to give up a little control themselves by allowing their employer to install tools on their laptops and devices – things like malware scanning software and VPN tools that ensure the safe sharing of data between those devices and the company network.
The other option is for companies to ignore this generational shift at their own peril as increasingly plugged-in, always-on young people become the core of their workforces.
“It’s not all doom and gloom, even with these numbers,” Henderson says. “But young people are going to do whatever they can to get their personal devices onto the network, and companies that aren’t devising a plan to allow them to do so are asking themselves to be attacked. You embrace it or you deal with the fallout.”