In-Depth

Report Urges IT: It’s Time to Guard against the "Millennial" Threat

New IT consumers are more comfortable with, and knowledgeable about, technology, and that’s a problem

• By Stephen Swoyer
• 03/25/2008

If you aren't familiar with the concept of "Millennials" -- the current and incoming generation of enterprise IT consumers -- you should be.

Last year, Fortune Magazine devoted a cover to what it termed the "millennial workforce." Experts suggest it is at once the single most promising, single most demanding, and -- significantly -- single most dangerous user constituency to date.

More recently, security experts have also warned about the so-called "millennial" threat: the newest IT consumers are more comfortable with (and knowledgeable about) technology than any previous generation -- and that's a proposition loaded with both risk and reward.

"IT is just beginning to grasp the concept of IT risk management and figuring out how to translate that for executives and the board. Now they're confronted by the millennial worker, which is almost cause to rethink IT risk management all over again," said Symantec security researcher Samir Kapuria, in a blog posting last December.

"Trying to implement IT risk management policies with a 'Millennial' workforce -- one with members who have been labeled as 'risk takers' -- is very problematic. In general most 'Millennials' tend to believe in a 'no-walls' approach when it comes to sharing information. Why shouldn't all information be shared? Their strength is digital sophistication; some would even claim that the true concept of information technology is their birthright."

Much of this was just speculation -- until Symantec commissioned a survey to study the attitudes (and attributes) of the millennial workforce. Last week, it published an abstract of its study, citing three ideas that can guide organizations in their preparations for the millennial paradigm shift.

First, Symantec reports, millennial workers have a very different attitude with respect to the adoption of technology in their work environments -- at least compared with "legacy" workers: they tend to access Web 2.0 applications much more frequently than their legacy counterparts, for one thing. In one example, 66 percent of millennials regularly access social networking nexuses Facebook or MySpace -- versus just 13 percent of other workers.

Moreover, 75 percent of millennials access Web e-mail accounts -- versus 54 percent of non-millennial workers. Ditto for IM-ing while at work: 46 percent of millennials use IM on their corporate network, whereas just 22 percent of legacy workers do so. Symantec cites similar disparities for the consumption or access of streaming video, photo sharing, and iTunes.

According to Symantec, less than half (45 percent) of millennials restrict their Web 2.0-ing to company-issued devices or software -- while nearly 70 percent of non-millennial or legacy workers hew to established company guidelines. More troubling for security administrators: 69 percent of millennials say they'll use the application, device, or technology of their choice -- regardless of their organization's policy. (Just 31 percent of non-millennial types say as much).

Why are millennials so apt to flout company policies? According to Symantec, it might be because IT isn't doing a good job of educating them. Only 57 percent of millennial and non-millennial users alike believe they've been adequately trained on their company's policies concerning the use of technologies -- approved or otherwise -- while at work.

For example, the study found, at least half of IT respondents say they have policies that ban or restrict the use of social networking, multimedia, or gaming applications -- while the actual usage or consumption of such applications (particularly in the case of millennials) exceeds this figure.

The Good News

The good news, Symantec says, is that IT is increasingly aware of the danger (and the promise) posed by the millennial workforce. For one thing, the study finds, 89 percent of corporate IT managers say they've noticed at least some increase in risk in the past five years, while 47 percent of IT respondents say younger workers pose a moderate to significant new challenge. (Just 12 percent say they are more risk-savvy).

More than two-thirds of IT managers have at least considered the restriction of Web 2.0 applications or smart devices, while 54 percent of IT respondents believe that at least some benefits derive from the use of these technologies. To deal with the potential for millennial disruption, many IT organizations are rewriting their existing policies (36 percent) or relaxing guidelines and permitting the use of applications or devices (28 percent). According to Symantec, more than one-third (36 percent) say they haven't revised their IT policies in the last five years.

Some Web 2.0 applications are more palatable than others: 50 percent of respondents cited the in-work use of gaming applications grounds for termination; 41 percent cited the in-work use of streaming audio or video; 37 percent called out iTunes or music sites; 33 percent cited chat rooms or forums; and 27 percent noted photo sharing as grounds for termination.

Add it all up, Symantec says, and there's a clear mandate for IT. "Clearly, the study reveals there is potential for huge risk exposure -- data loss, compliance issues, legal implications, etc," writes Kapuria, who concedes that -- far from being conclusive -- his company's survey "clearly highlights an almost even split with [respect to] how organizations are approaching" the millennial dilemma.

No matter what, he urges, CIOs must act -- and act soon.

"This study should serve as a call to action for CIOs. Do you know what devices are being used in your organization? Do you know what applications are being downloaded? Are you tracking the movement of data and information within and outside your organization? Policies are not being followed, and this could have serious ramifications," he argues.

"Take the necessary measures to do a thorough assessment to understand how much the 'consumerization' of IT has permeated your organization. Assess IT risks and identify methods of control to limit inappropriate technologies crossing personal and corporate boundaries. Recognize that the 'control' of yesteryear has largely shifted to the 'choice' of today."