By Paul Kenyon, COO, Avecto
They have been variously described as technology’s ‘Generation Y’ or ‘Generation Tech’, an undisciplined, impulsive, entitled horde of twenty-something workers older heads are inclined to see as one of the biggest security challenges ever to hit corporate networks.
Having grown up in an age of lurching software advances, ubiquitous communication and social networking, this is not a group easily dissuaded from using any and every application by the old reasoning that software can be a ‘bit risky.’ The same applies to their attitude to ‘bring your own device’ (BYOD), a trend driven by the basic social reality that workers of all age groups now depend on personal devices such as smartphones and tablets and won’t take happily to the idea of being asked to leave them at home.
If the ‘Generation Y’ label sounds a bit glib there is a small but growing body of evidence that a worker’s age does play some role in shaping attitudes to technology. A recent survey by Avecto of 1,500 IT admins visiting the TechEd US and European conferences found that workers between the ages of 20 and 35 – the Gen Y demographic – were seen by 80 percent of professionals as posing a formidable obstacle to application security.
Why? The tendency of this group to download unauthorised apps was the first big concern, with nearly forty percent of admins reporting having experienced a malware incident because of this behaviour. Three quarters of admins weren’t even sure how many unauthorised applications had been downloaded, which renders the issue of the damage caused almost moot.
It’s not necessarily that older workers don’t participate in risky behaviour as well, but that Generation Y is perhaps more active and confident in finding applications for themselves and utterly convinced of their right and need to have them. The survey implied that many admins try to cope with this by ‘flying blind’; that is, they look to manage assertive users using manual procedures based on assumptions and trust. Without tools they have no obvious alternative.
Because Windows applications often demand privileges when installing or updating quite basic applications and add-ons, the easiest if most extreme response is to either fully enable or completely block such privileges. Some incorrectly assume that only esoteric apps still ask for admin rights but this is far from the truth. Here are a few common examples that will ask for privilege elevation:
• Flash Installer/Updater
• Apple iTunes
• Google Chrome
• Adobe Acrobat Updater
• Blackberry Desktop Manager
• Citrix GoToMeeting
• Cisco WebEx
• HP Universal Printer Driver
• VLC Media Player
• Adobe AIR
To this should be added countless examples of legacy and bespoke applications. Blocking or enabling offers certainty but is counter-productive; enabling privileges allows dangerous applications to run at will while removing them stops legitimate and even necessary ones from running at all.
The common solution to this software checkmate that has been available since Windows Vista and Windows 7 is to allow privilege escalation on demand through User Account Control (UAC), but this too comes at a price; admins are bombarded with requests for passwords to elevate application privileges without the visibility to know whether a specific request is justified. Generation Y, meanwhile, is frustrated at even having to ask.
The Windows 7 ‘moment’
Migration to Windows 7 has turned out to be the important moment where organisations reassessed hardened assumptions about the way employees use and access applications and a growing number have concluded that the rational response is to invest in least privilege management. With this design, users can request application admin privileges on a case-by-case basis after authenticating themselves in a way that offers audited admin oversight.
The user is given the privileges he or she needs and can use applications on demand with the added benefit that admins are given some visibility into which new applications are finding their way on to the ‘required’ list of the workforce. These rights can be revoked when they are no longer needed, which could be as little as minutes later.
This model overcomes the unhelpful cultural barrier that can spring up between those whose job it is to administer software and employees who might be asking for unsanctioned but potentially beneficial applications admins haven’t even heard of.
There’s no simple answer to identifying which applications might be beneficial and which will turn out to be a productivity-sapping chore. It depends on the type of organisation and the specific set of workers. Where might red lines be drawn?
In the blocked group will sit obviously malign applications (i.e. malware) or illegal or inconvenient ones (e.g. bandwidth-consuming P2P or video), but in truth the overwhelming majority will be tagged rather unhelpfully as ‘grey’, their status unknown.
A good example of this is Skype, deemed appropriate for some users and organisations but not for others required to meet regulatory constraints that an encrypted channel into and out of the organisation clearly infringes. It just depends. With application and privilege management, admins will at least have an overview of an application’s popularity inside an organisation, the better to make an informed decision.
Opportunity not threat
From the point of view of traditional, centralised IT, BYOD and consumer software are inherently difficult to assimilate. Admins are instinctively wary and with good reason. In conventional IT, the users are the source of most problems starting with the misuse of software. But here’s an intriguing thought; far from being negative and risky, perhaps the way Generation Y adopts new applications could have long-term benefits if a way can be found to accommodate the behaviour.
It’s tempting to see the gulf that has grown up between admins and users in some organisations as a culture clash of two age groups, the LAN Generation (let’s call them ‘Generation X’ because it conveniently references people born in the 1960s) and the younger Generation Y that has been the subject of this feature.
This would be a mistake, although it does neatly outline the different attitude of workers who grew up with the PC and Internet in the 1980s and 1990s and for whom the challenge was simple: get things to work. Years on, for Generation Y the challenge is less a technical one than a social one: how to change the way things work.
Age, then, is better seen as a motif for divisions that grow up in all organisations between hierarchies, between those whose job it is to manage and those who carry out its most basic functions and look for as many short cuts as possible.
What the emergence of Generation Tech suggests is that technology has changed in ways that offer huge benefits and the best response is to adapt rather than deny, and to involve workers in choosing and developing applications rather than turning them into slaves to the UAC prompt and login box.
Applications are not the enemy and neither are the people who use (or want to use) them. They are the managers of tomorrow and the future of all organisations that want to stick around.