Dennis Szerszen, SVP at SecureWave, looks at managing security with the new breed of IT-savvy workers.
According to research commissioned in September 2006 by Marc Prensky, of Marc Prensky consultancy, the typical 21-year-old graduate entering the workplace has under their belt approximately 5,000 hours of game play experience, has exchanged 250,000 emails and instant messages, has spent 10,000 hours on their mobile phone and 3,500 hours surfing the web.
Employers around the UK are now facing the challenge of having to appeal to these budding young professionals who, unlike previous generations, have grown up using technology in everyday life.
The iPod generation will expect a certain degree of leniency when it comes to using technology for leisure pursuits while at work. So how can employers ensure that a harmonious co-existence between productivity and leisure time is found, so as not to destabilise employee morale?
By implementing information security practices that are geared towards enabling rather than restricting, management can still entice and retain high calibre candidates while ensuring productivity and business continuity.
A report in the Times Higher Education Supplement in late 2005 suggested that undergraduate university applications were down 5 per cent compared with the previous year, fuelling speculation of a skills shortfall in 10 years' time. With this in mind, it is now the graduates who have the upper hand when applying for jobs and when ultimately coming to accept a position.
Figures from Prospect Careers, an advisory service for postgraduates, suggest that graduates are taking longer to find the 'perfect job', almost 30 per cent taking up to six months to pick and choose that all-important first career step.
No longer is it enough to simply offer prospective employees the traditional benefits, such as contributed pension schemes, gym memberships, social events, bonuses, and flexi-time; instead, these are almost a standard expectancy of graduates entering the workplace.
Today's worker demands more from their employer; for example, the almost unequivocal and unwritten right to send personal emails and instant messages during work time, the right to listen to music on an MP3 player at work, all with the aim of breaking the flow of the day.
According to Paul Wakeman, founder of the Total Recruitment Group, a London-based recruitment firm: 'This is a trend we have noticed for a while, especially with high-end graduates leaving the top UK universities.
By the time they have finished their course, they are savvy enough to realise their business potential and value. We are finding that candidates today are far more selective about which position they ultimately go for, and the "corporate culture" is very much a persuasive factor when coming to make a decision.'
Some businesses have marketed themselves specifically to appeal to this new generation of professionals, with some offering 'duvet days' as an added incentive. In fact, one UK employer hands new starters an iPod Nano that has the company handbook preloaded as a podcast on the device.
So how can HR and IT departments work together to ensure that the organisation remains attractive, while ensuring that corporate security is in no way compromised?
Developing acceptable use policies (AUPs) is the first and most important step when considering the restrictions to enforce on employees' use of technology in the workplace.
An AUP should be fleshed out and driven by the HR and IT departments, and must set clear boundaries for using technology within the workplace. The IT department, however, plays a pivotal role in how an AUP is not only enforced, but how it can impact the working ethos of each individual member of staff.
Once a rigid AUP is finalised, the underpinning security technology should ease the headache for IT security managers who are left to enforce and supervise these policies. The security department itself has its own objectives, which differ greatly from those of the HR department.
The security team is interested in protecting the corporate network and ensuring that no instances of downtime occur, protecting against corporate data leakage, and ensuring that corporate applications are available for intended business functions.
USB - ultimate security breakdown?
The current generation of graduates is perhaps more gadget savvy than any other generation of technophiles. Whether it be music players, USB sticks or digital cameras, the 'iPod generation' represents a significant proportion of the working population.
As these devices are personal in nature, the likelihood of them being carried into and used in the enterprise is a certainty that many businesses are ignoring, mostly because they represent an enormous management headache for IT security managers.
Equally, staff opening viral attachments, downloading files and visiting non-work related websites that introduce malware pose a huge risk. Often, businesses will negate such risks by enforcing a strict policy of no removable media within the enterprise.
White-list technology, however, can provide a definitive and reliable solution to all security worries associated with enabling the modern day worker. The white-list approach provides businesses with an opportunity to use USB devices as a legitimate business tool.
USB sticks, for example, are now available with 16Gb capacity and could, if needed, provide a vehicle for data leakage or an entry point for malware. Employers can use the flexibility of white-listing to either deny removable media from plugging into the network, or restrict its use to certain times of the day.
Equally, downloaded unauthorised applications (including malware) will be denied the ability to launch and install, as the white-list does not recognise the file as being on the list of applications allowed to run on a PC.
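The default-deny logic described above, sketched as an added example that is not part of the original article or any vendor's product. The device identifiers, time windows and file contents are constructed, and identifying files by SHA-256 digest is an assumption, since the article does not say how the white-list recognises a file.

```python
import hashlib
from datetime import time

# Constructed sample policy: every identifier and window below is made up.
DEVICE_WINDOWS = {
    "usb:VID1:PID1:SERIAL-A": (time(8, 0), time(18, 0)),  # office hours only
    "usb:VID2:PID2:SERIAL-B": (time(22, 0), time(6, 0)),  # night shift, spans midnight
}
APPROVED_APP = b"constructed bytes standing in for an approved executable"
APPROVED_SHA256 = {hashlib.sha256(APPROVED_APP).hexdigest()}


def in_window(now, start, end):
    """True if now is in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def device_decision(device_id, now, windows=DEVICE_WINDOWS):
    """Default deny: unlisted devices are refused, listed ones only in their window."""
    window = windows.get(device_id)
    if window is None:
        return (False, "device not on white-list")
    if not in_window(now, *window):
        return (False, "device outside permitted hours")
    return (True, "device permitted")


def execute_decision(file_bytes, approved=APPROVED_SHA256):
    """Allow launch only if the file's digest is listed (assumed SHA-256 matching).

    Anything unknown, including an approved file that has been altered, is denied.
    The digest is returned so a refusal can be written to an audit log.
    """
    digest = hashlib.sha256(file_bytes).hexdigest()
    return (digest in approved, digest)


if __name__ == "__main__":
    print(device_decision("usb:VID1:PID1:SERIAL-A", time(9, 30)))
    print(device_decision("usb:VID1:PID1:SERIAL-A", time(19, 0)))
    print(device_decision("usb:UNKNOWN", time(9, 30)))
    print(execute_decision(APPROVED_APP)[0])
    print(execute_decision(b"downloaded, unlisted binary")[0])
```

The point to note is the direction of the check: nothing is compared against a list of known-bad items, so a new device or a newly downloaded file is refused without anyone having seen it before.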
The skeleton key
The way the market is currently directed, USB sticks will eventually become as ubiquitous within the enterprise as mobile phones. In fact, now that 64Gb removable media are available, the options are virtually endless.
Staff could in the near future be given a USB stick which has all the applications needed by the employee pre-loaded and configured to connect to backend business applications once the device is plugged into a PC or thin client on the network.
This device could also be used by staff as a remote token, which opens doors and contains credit for staff to purchase drinks at the vending machine. The possibilities are endless, and need not be a security nightmare.
Considering the competitive recruitment landscape, UK businesses need to differentiate themselves from competitors and promote themselves as modern, cutting-edge organisations that embrace new technology, rather than fear the unknown.
A clearly defined AUP, combined with white-list technology, provides a compelling argument for businesses to change their work ethos, improving corporate competitiveness without jeopardising IT security.
http://www.bcs.org/server.php?show=ConWebDoc.9896