The next generation of employees is demanding a more flexible approach to bringing their own IT devices to work, but what are the risks?

Recent research suggests that an increasing number of young employees knowingly flaunt IT policies, potentially compromising corporate information security, but it has been claimed that the draconian measures that some organisations put in place to reduce this threat only serve to drive away talent and hinder innovation.

The Cisco 2011 Annual Security Report surveyed close to 3,000 university students and young professionals globally to garner the attitudes and expectations of the world's next generation of workers, as well as how their demands for information access are affecting IT risk management practices.

One of the key findings was that 81% of the university students surveyed believe that they should be able to choose the devices they need to do their jobs – either by having their employers pay for them or bringing their own personal devices to work.

Almost three quarters of respondents also believed that they should be able to use these devices for both business and personal reasons, and 77% of surveyed employees had multiple devices in use – such as a laptop and a smartphone.

The demands of the next generation of employees to be able to use multiple devices for both professional and personal uses raise significant security risks, but Nasrin Rezai, Cisco’s senior director of security architecture and chief security officer for the Collaboration Business Group, believes that organisations will need to embrace these demands and manage the risks accordingly if they are to thrive in the twenty-first century business environment.

“Today’s IT departments need to enable the chaos that comes from a BYOD [‘bring your own device’] environment,” said Rezai. “This doesn’t mean accepting high levels of risk, but being willing to manage some risks in exchange for attracting talent and delivering innovation. It’s about moving to a world in which not every technology asset can be managed by IT.”

The risks that need to be managed revolve in no small part around the attitudes of young people to IT protocols. Worryingly, seven of ten employees surveyed admitted to knowingly breaking IT policies on a regular basis, and three of five believe they are not responsible for protecting corporate information and devices.

The most common reason found for employees choosing to knowingly break company IT polices is the belief that they aren't doing anything wrong (33%). This was followed by the need to access unauthorized applications for their jobs (22%), lack of enforcement (19%), lack of time to think about policies (18%), inconvenience of adhering to policies (16%), and forgetting to do so (15%).

The Cisco report, however, believes that – rather than tightening IT restrictions and their policing – forward-thinking organisations are simply going to have to adapt to the realities of BYOD and incorporate this culture shift into their risk management strategy.

“Unsurprisingly, many enterprises are questioning the impact of technology innovation and flexible work habits on corporate information security – and sometimes, take the drastic step of banning devices or restricting access to web services that workers say they need (and do need, in most cases),” notes the report.

“But organizations that don’t allow workers this flexibility – for instance, allowing them to use only a given company-owned smartphone – will soon find they can’t attract talent or remain innovative.”

The report also suggests that there is also a business case to be made for allowing the BYOD environment to survive, with two of five respondents saying they would accept a lower-paying job that had more flexibility with regard to device choice, social media access, and mobility over a higher-paying job with less flexibility.

Questions remain, however, as to whether the cost implications of implementing a BYOD risk management strategy are outweighed by the associated potential savings in staff salaries.