Millennials Changing the Face of Information Technology


As the workforce changes over the next five years, Millennials will represent 40% of the total working population . The methodologies and processes used to manage IT services today will not necessarily work tomorrow, and as managers and service providers we must evolve to accommodate the changing face of the workforce, as well as the IT delivery model.

One of the largest generational shifts that the workforce

is currently experiencing is that Millennials prefer not to be held to the traditional shift model and are drawn toward opportunities that promote a healthy work/life balance or integration and schedule flexibility – including the ability to work from home.

Intelligence group studies of Millennials found that:

  • 64% of Millennials say it’s a priority for them to make the world a better place.
  • 72% would like to be their own boss… But if they did work for a boss, 79% of them would want that boss to serve more as a coach or mentor.
  • 88% prefer a collaborative work-culture rather than a competitive one.
  • 74% want flexible work schedules.
  • 88% want “work-life integration,” because work and life now blend together inextricably.

The challenge is a catch-22 for most IT departments. The end-users that fall into the Millennial age-range tend to expect 24x7x365 availability to support services to accommodate flexible work schedules and work-life integration. The workforce is shifting from scheduled based to task based; meaning Millennials do not want to be held to the traditional 9 to 5 model, but rather a task based model that holds them responsible for a deliverable, but not within the parameters of a traditional work schedule. Add in the desire to work anytime anywhere, as well as the interconnectivity and globalization of today’s business markets, and it’s not uncommon for employees to be working non-traditional and sometimes seemingly random hours throughout the day and night. Because of this, most IT departments are challenged as their workforce is increasingly made up of Millennials expecting the same flexibility and work-life integration.

How does the modern IT department address these changes? There are a few approaches but fundamentally your start with recruiting and finding the right people. Employees need to be willing to work as a team, take ownership of their individual projects, and contribute to the overall mission and goals of the department. IT departments tend to focus on skill sets rather than personality traits such as dynamics, character, and capacity. When all things are equal, however, a successful employee will exhibit strong social attributes.

Companies should also work to ensure that their employees are on a path of success. Putting people in the wrong position or not providing a growth path will lead to unhappy employees and a high turnover rate. A perfect example of this would be regularly assigning desktop support tickets to a system administrator – eventually, this individual may feel as though they aren’t being challenged enough and they may seek employment elsewhere. Mentoring and coaching is also critical to employee satisfaction and retention, and is time well spent. Millennials tend to respond well to leaders who will facilitate, rather than dictate, and who emphasize collaborative management versus directive management. Again, Millennials want to feel that they are part of the process and their input is important and counts.

Once your organization has hired the right people how do you integrate them into a rapidly changing deliver model? Start by looking at the model itself and transforming it. As more and more services move to the cloud, there is an opportunity to shift the delivery model to ITaaS (information technology as a service). This model shifts the focus from onsite services to cloud based services which results in increased up time, better overall performance, and less backend support, thereby allowing IT departments to focus on the end-user versus the infrastructure systems. ITaaS models also allow support staff to be flexible and remote, which is top on the list of what Millennials are looking for. By design this model reduces not only the advanced skill level required to maintain the backend infrastructure but the workforce itself (this also holds true for SaaS services; however, IaaS requires the same level of support and expertise).

There will, of course, be organizations that cannot transform their delivery model to align with Millennial expectations, for example an organization that provides outsourced IT as a Managed Service Provider (MSP). An MSP can replace or supplement and existing IT department with some services including on-call, after-hour support, as well as the technical expertise needed for backend support. As more and more companies move to a hybrid cloud solution, a hybrid staffing solution utilizing an MSP to supplement staffing, will allow for complete coverage solutions that provides Millennials with the opportunity to meet their expectations both from a staff and delivery model.

Key Take Always:

  • Find the right person, fit is more important than skill set
  • Be flexible with working hours and days, change from hour based to task based when possible
  • Transform the delivery of service, moving to an ITaaS model whenever possible. This model fosters collaboration and terns an IT department into a provider of services
  • Empower staff to make decisions, Millennials what the opportunity to lead and not just follow
  • Mentor versus manage your employees
  • Outsource to supplemental support services, this could be the high-level skills set or remote support

Shadow IT, Powered by the Cloud The Good, the Bad and the Ugly


Although traditional threats – such as rouge access points, removable media, unauthorized printing, etc., – still exist, one of the most prominent new IT threats is the cloud itself and the emergence of what is being referred to as Shadow IT. Shadow IT refers to IT devices (such as USB drives and external hard drives), software, and services outside of the control and ownership of an organization’s IT department. It’s been around as long as IT departments have been providing services, but as technology has transformed and evolved so have the threats and risks that Shadow IT presents.

Shadow IT, unfortunately, presents a difficult challenge for most enterprise IT departments to manage and is almost impossible for the average SMB. With the explosion of smart phones, tablets, apps, and Internet-based services such as OneDrive, Gmail and others the threat of Shadow IT is imminent and real. In the majority of cases, these risks come to light due to a desire for convenience and efficiency, notintentionally malicious behavior – although even the most innocent behavior can put company data and resources at risk.

As “Millennials” begin to enter the workforce, they bring high expectations for their working environment that includes a work-life integration and the ability to work anytime and anywhere. The reality is that these employees will find a way to enable themselves to do their jobs on their terms regardless of whether the IT department deploys safe, proven solutions. They do this by taking actions like downloading items to work on at home to a USB drive or sending documents to themselves via their personal cloud-based email address so that they can access them at another location. With every staff member – from HR to marketing – working independently of the IT department and using various applications to store, sync, and share content, the company incurs significant risks for data loss and possible legal implications.

Areas to consider when dealing with Shadow IT:

  • Storing protected information on a cloud service that is located outside your country of origin. This is a regulatory nightmare both in the US and EU/UK
  • Protected information being stored on an untrusted service.
  • Unreported data breaches or losses (lost USB device, stolen laptops, or compromised data storage)
  • Loss of control of data and resources. This is a common problem; a department will move data to an outside service and not notify and/or discuss with IT.
  • Employee separation, not fully understanding what access the employee has. Moving data to the cloud empowers the employee to manage the data even after the employee has left the company.

Some quicks statistics from Cisco:

  • 80% of end users use software or services (cloud) not officially cleared by their IT
  • 83% of IT staff admit to using unsanctioned software or services
  • Only 8% of all enterprises know the scope of Shadow IT risks within their organization

These threats are real and increasing every day, however they’re not impossible to mitigate. As with any risk assessment, you need to identify the threat and what the associated risks are with those threats. Below are simple steps that can be put in place without conducting a formal risk assessment, which is always advised. Risk assessments don’t need to be a long drawn out process, in many cases, they can be done in a few days for the average small business.

Reduce the Risk: The Human Factor

  • Start off with a written security policy that addresses Shadow IT and the use and management of company data and resources. This is the first place to start, you cannot hold employees responsible if they are unware of the risk and associated policies.
  • Educate; if an employee is unaware of their responsibility then you cannot expect them to understand how to identify, manage, and avoid risks when dealing with company data.
  • Listen to employees and department managers. If employees are working outside the scope of currently available tools that IT has provided, there is a reason for it. Understanding why they’re taking such actions helps identify a solution that meets everyone’s needs.

Reduce the Risk: Technical Controls

  • Deploy a next generation firewall that can block applications such as OneDrive, Gmail, Dropbox, etc. In a business environment, the need for public services such as email and storage is not needed. If an employee cannot access these services, they won’t be tempted to use them.
  • Review firewall logs and evaluate what people are accessing. Insight into the habits of the end-user is key to identifying and blocking unauthorized services.
  • Deploy advanced end-point controls (AV) to block removable media, restrict access to web sites and services, as well as blocking attachments to public mail services. These are some of the controls found in most end-point protection clients, not to mention anti-virus and malware software.
  • Deploy device management software such as Microsoft Intune, which allow a business the ability to inventory (looking for authorized applications), patch, and push applications to ensure systems are up-to-date, as well as restrict data transfer and employ selectable wipe data as needed.
  • Block external access to unapproved devices to corporate data. For example, if you are using Office 365, block access to things like email, OneDrive, SharePoint, etc.
  • Force Multi-Factor Authentication to access resources. This ensure people cannot access data without the proper credentials, and increases security against cyber-threat.
  • Take the position of deny by default. This means securing the data and only granting access as needed. Take this philosophy and apply it to cloud computing, internet access, and mobility.

The goal is not to prevent people from doing their jobs, it’s to ensure the data is safe and maintained. Leveraging cloud services can help the average IT department to provide a highly available, secure computing environment and should be embraced.

Why the NSA and Hackers Love Amazon Echo and Google Home

A quick three minute video
Echo and the NSA

Voice Active IoT Collects Too Much Information, Including Your Voice Biometric

This year’s hottest IoT devices are the personal assistants from Amazon and Google. These devices connect to your wireless network and within minutes are communicating to Amazon or Google to provide an unprecedented level of service… which is exactly the problem.

As a rule, IoT devices lack security and these are no different. Unlike other IoT devices, these personal assistants compromise your security in even more ways they you may think. In general, most users don’t read the Terms of Service (ToS) associated with IoT devices or software being installed. Users have a basic understanding that Amazon and Google will maintain your profile information, such as what music you listen to, when you turn off your lights, or even the coffee you order, in an effort to provide a better over-all experience. Over time these devices learn your preferences; the more intuitive and responsive the device, the more we tend to use it.

What is more alarming is what you don’t think about when using these voice activated devices including those from Apple and Microsoft. There has been a lot of discussion around the security and privacy of these devices over the past few months. One of the biggest concerns is the question of whether the devices are always listening. Both Amazon and Google say the devices listen for hot words that activate them, such has Hello Google or Echo/Alexa, but because these devices are controlled by and interact with by Amazon and Google, the hot words and or the device itself can be easily manipulated to allow for an always on “listening mode” by the vendor at any time by the way of a crafty term of service:

Amazon: In order to keep the Amazon Software up-to-date, we may offer automatic or manual updates at any time and without notice to you.

Google: When a Service requires or includes downloadable software, this software may update automatically on your device once a new version or feature is available…

In addition to the vendor maintaining access to the device, it isn’t unfathomable that cyber-criminals could gain access as well. These are, after all, IoT devices and are just as vulnerable to being pwnd (geek speak meaning owned/or controlled) as any other IoT device. Both devices have indicators when they are in listening mode, however this can be easily disabled by a hacker. A hacker could be listening to your every word and you would not be aware. This, however, is not the most alarming part of the story. These devices and associated services keep track of your likes and dislikes, what you purchase, what you listen to as well your location and your voice patterns (biometrics). That’s a lot of information to freely turn over to a private company.

Oddly, we protest about government surveillance programs such as PRISM in the US and GCHQ in the UK – programs that are designed to protect a nation and its citizenship, but we freely give more identifiable information to private companies for the benefit of playing music, getting traffic reports, and ordering coffee.

Now that Amazon and Google has all your information what do they do with it, or what can they do with it?

Amazon Terms of Service

Voice Services: You control Alexa with your voice. Alexa streams audio to the cloud when you interact with Alexa. Alexa processes and retains your voice input and other information, such as your music playlists and your Alexa to-do and shopping lists, in the cloud to respond to your requests and improve our services…

Business Transfers: As we continue to develop our business, we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise)…

Google Terms of Service

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content…

Based on the terms of service, these vendors can sell or use your personal information including your voice biometrics, which is alarming. If this information could theoretically be stolen or transferred to a governmental agency, such as NSA or GCHQ. The NSA surveillance programs collect communication data globally, if you were to combine the data they already gather with voice biometrics from Amazon, Google, Apple, and Microsoft they would now be able to identify users and locations with much greater accuracy.

Unlike the majority of IoT devices where threats can be mitigated, these voice command devices such as the Echo or Google home are designed to capture information including voice biometric and cannot be mediated. You must rely on the vendor (Google and Amazon) to keep your data secure and hope it’s not stolen or shared with any governmental agency which, unfortunately, there is no guarantee of that.

If you use these devices you must accept the risks. These risks are increasing every day with every use of Siri, Cortana, Echo, and Google home, and the risks are significant.

Update 12/28:

Arkansas PD requested informaiton from Amazon regarding Echo and voice records. Amazon twice refused the requests from Bentonville law enforcement. Amazon said: “Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course.” What this is saying is get a proper subpoena and we will provde the information.

A couple of great fiction books that aren’t too far from the truth and put things in perspective are Digital Fortress by Dan Brown and The Shadow Factory by James Bamford and Data and Goliath by Bruce Schneier. These books were written in 1996 and 2009 and 2015 respectively and are still relevant.

AI, self-driving cars and cyberwar – the tech trends to watch for in 2017

by: Alex Hern

In some ways, tech in 2017 will be a steady progression from what came before it. Time marches on, and so too does the advance of technology. In other ways, though, it will be just as upended as the rest of the world by the unprecedented disruption that 2016 has left in its wake.

Here are the trends to watch out for in the coming year:

More AI, less data

The artificial intelligence revolution is well and truly upon us, but so far, the biggest players are venerable Silicon Valley titans such as Google, Amazon and Apple. That’s partially because they have the money to hire teams full of PhDs at seven-figure salaries, but it’s also because they have the data.

That could change. One of the key areas of research for 2017 is data efficiency: the problem of trying to teach machine-learning systems how to do more, with less. Think about how many times your average three-year-old needs to see a particular animal before they can correctly identify it, compared with the thousands of images a neural network needs to ingest to perform the same basic task.

Solving the problem of data efficiency could dramatically open up the industry, letting new startups compete on a level playing field with those who have access to petabytes of customer data. And it could also change what an AI can do for you, letting an assistant become far more sensitive to your personal quirks and foibles, or a photo-tagging service recognise specific locations, objects, or situations.

Mostly-self-driving cars

Self-driving cars exist on a scale. At one end, you’ll find technologies that are barely more than fancy cruise control: lane-assist features ensure your car doesn’t drift out of lane, while adaptive cruise control will maintain a steady distance from the car in front. At the other end is full automation: a car that can drive from a parking space outside your house to a parking space outside your office with no-one touching the steering wheel, or even sitting in the car at all.

The story of 2017 will be car companies racing almost all the way to that final hurdle, but just stopping short. Not only the tech companies, either (although expect Tesla’s own models to lead the way, closely followed by Google’s sister company Waymo’s alliance with Fiat Chrysler). Conventional manufacturers the likes of Nissan and BMW are jumping into the field with both feet, and their systems will only get smarter. And who knows what Apple’s plans are?

But don’t expect anyone to make the difficult jump to full self-driving capability any time soon. Not only are the regulatory and liability hurdles immense, but the tech just isn’t there for the vast majority of journeys. There’s a reason Google tested its first ever fully automatic trip in Texas, land of wide lanes, huge highways, and car-centric development. Drop that car in the middle of a busy London backstreet and it won’t do so well.

The big question is whether all this automation will actually make things safer. On the one hand, cars don’t get distracted, drunk, or tired, all of which lie at the root of most fatalities on the road. On the other hand, if people are told to supervise a car which mostly drives itself, they tend not to be prepared to take over if it actually does need assistance – a problem that lay behind the first self-driving fatality in May.


Let’s not mince words: cyberwar has already begun. If it didn’t start in 2008, when (probably) the Israeli and US intelligence services used the Stuxnet virus to destroy Iranian nuclear centrifuges, and it didn’t start in 2015, when the US Office of Personnel Management was hacked by (probably) China, stealing the personal details of millions of government employees, then it certainly started in 2016, when (probably) Russia hacked in to the Democratic National Congress, exflitrating emails which were released with the intention of altering the outcome of an election.

Those “probably”s expose part of the appeal of cyberwar for nation states: attribution is hard, and rock-solid attribution to not just a nation but a chain of command is almost impossible. The incoming US administration is already making aggressive overtures about its desire to get on the attack, which will inevitably also make it a bigger target, according to security expert Hitesh Sheth, head of cybersecurity firm Vectra.

“US businesses and the US government should expect an increase in the number and severity of cyber-attacks, led by select nation states and organised political and criminal entities,” he says.

The ghost of Christmas data breaches past

It feels like data breaches are everywhere. But that’s often not the case; while companies are indeed compromised on a regular basis, modern security practices usually ensure that not much is stolen, and what does get taken isn’t easy to exploit.

Instead, the more dangerous trend is old breaches surfacing, like an unexploded second-world-war bomb, to wreak havoc on the present. That’s what happened to Yahoo, twice in one year, when data breaches from 2013 and 2014 resurfaced. The breaches were huge, containing a billion and half a billion accounts respectively, and the information within them was barely secured. Passwords were obfuscated with a standard which has been known to be insecure since 2005, while other info, including security questions, was in plain text.

Because data breaches can happen undetected, fixing your cybersecurity in 2016 isn’t just locking the stable door after the horse has bolted; it’s locking the stable door without even realising the horse made its escape years ago.

The information in historical breaches has often been traded on the darknet for some time before their existence surfaces, meaning the damage comes in two waves: first, slowly, and then all at once.

Meet eSports, the new sports

Competitive video gaming is a huge business. In 2016, investment bank GP Bullhound estimated it hit a global audience of over 250 million people, and amassed a total annual revenue of $493m – and in 2017, that’s predicted to more than double, making eSports a billion-dollar sector.

The scale of the eSports industry is down to a number of factors, from increased broadband penetration making online multiplayer gaming accessible to most of the world to online streaming allowing budding eSports stars to skip conventional media and go straight to their fans.

But it’s now big enough to warp the very industry that spawned it, with major games publishers courting the eSports community from the inception of their latest releases. Blizzard, a Californian company best-known for its online game World of Warcraft, has been one of the leaders in the field, with games including Heroes of the Storm, Overwatch and Hearthstone all having online viewerships in the millions, but the standout success is Riot Games, whose sole title League of Legends had more viewers in its 2015 world championship than the final game of 2016’s NBA Finals.

GP Bullhound says the next big wave is going to come from mobile, with games like Clash Royale and Vainglory representing the fastest growing segment of the global $37bn games market. Of course, this might all pass you by: over half of eSports fans are millennials, by far the youngest skew of any group of sports supporters.

The great privacy divide

The world’s most advanced surveillance operation will shortly be under the direct control of a far-right demagogue who routinely attacks critics on social media and uses the office of US president-elect to bolster his commercial interests. That has left some people worried.

As a result, many are re-examining their online privacy, switching to encrypted messaging services, locking down social media accounts, and limiting the amount of information they put online. Signal, an encrypted messaging app recommended by Edward Snowden, saw a huge spike in downloads following Donald Trump’s election, while hundreds of tech workers signed a pledge to never implement the president-elect’s proposed registry of Muslims.

At the same time, though, trends in AI and online monetisation have pushed other tech firms to slowly chip away at the amount of privacy their users have, data-mining ever more aspects of their online lives in an effort to offer better services and create smarter software. Google, for instance, will now train a machine-learning system on your photos, read your emails to find useful information to add to your calendar, and save everything you say to it to improve its voice recognition.

Over 2017, this divide will only increase: companies like Apple and Signal on the one side, and Facebook and Google on the other. In the end, the market will decide. Are people willing to give up the latest and greatest fruits of machine-learning to limit their exposure to surveillance, or do they not really care about online privacy and want everything as soon as it’s technologically possible?

Chinese tech goes west

The likes of Foxconn may build the world’s most premium tech, but in the west, Chinese brands are still largely associated with cheap electronics: no-name flat panels and cheap smartphones that spy on you. As for software, the entire country can feel as if it’s seen through analogues to Silicon Valley, from “China’s Google” (Baidu) to “China’s Twitter” (Sina Weibo).

But an increasing number of Chinese companies have their eyes set on the richer markets of Europe and America, without giving up on the customer base in their own country. Shenzhen-based OnePlus, for instance, has slowly carved out a niche for itself with its high-quality, low-price range of smartphones, which aim to match the flagships from Apple and Samsung while offering price-sensitive users savings of hundreds of pounds. Huawei, already a fairly well-known brand in the west, is pushing its Honor brand as a way to drop the budget image for a new demographic.

And software firms are getting in the game too. Tencent, makers of WeChat (that’s “China’s WhatsApp”, for those playing along at home), is pushing hard into the west, taking on Facebook at its own game. The service is currently most popular with Chinese expats, but it’s clear that Facebook is watching closely: a number of features in Messenger are ripped wholesale from the hugely influential service.

The Internet of Things (IoT): The Single Biggest Risk to Your Privacy


According to Gartner, by 2020 there will be 20.8 billon devices connected to the Internet. To provide a bit of context, the U.S. population is 318 million, and the worldwide population is 7.5 billon, which means there will be roughly 3 devices per every 1 person on Earth. These devices include everything from smartphones to home automation tools to cars, and everything in between – all connected to the internet and accessible.

Historically, one of the biggest threats to security has been ease of use and conveyance for the end-user, which has never been more true than it is right now in relation to deploying consumer devices connected to the Internet of Things (IoT). Consumers devices make up the single largest segment of IoT devices and because of that, plug and play, ease of use, zero configuration devices are in high demand and manufactures are listening. Ease of deployment has, unfortunately, resulted in in a huge lack of proactive security measures including patching vulnerabilities within firmware or operating systems which renders most devices connected to the IoT exploitable.

Alarmingly, it isn’t very difficult to find IoT devices that are connected and available for access. Utilizing search engines like Shodan you can quickly create search for IoT devices such as web cameras, routers, firewalls, and smart TV’s, and determine their locations. Many of these devices are using default user names and passwords which can also be easily discovered with a quick internet search.

Due to this lack of security and ease of identifying vulnerabilities, exploits and locations, individuals are at risk of being targeted which, surprisingly, doesn’t seem to be a huge concern among consumers. A recent survey of 2,000 households found that 66% of consumers are more concerned with the price of their devices rather than the privacy and security features they may offer. As more of these devices are being deployed in households the risk of a security/data breach increases.

Protecting your IoT devices not only protects your privacy but protects the privacy and security of the entire Internet community. Compromised devices can become infected with malware and become part of a large army of botnets used to attack other users or services on the Internet. A recent attack on the infrastructure of the internet cause an large scale outage that lasted hours. Users and manufactures have a responsibility to secure and protect the devices that are attached to the internet.

Until manufactures build higher levels of security into these devices, there are some easy measures that can be taken to secure your IoT environment:

• Evaluate whether your device has to be connected to the Internet. Just because it can doesn’t mean it’s necessary 100% of the time.

• Change the default user name and passwords that your device came equipped with. If this is not possible, do not deploy the device.

• Create a separate network for these devices. Putting your IoT devices on a separate network from your computes and files will allow your IoT devices access to the internet, but not the primary network that stores your private information.

• Disable universal plug and play (UPnP). This protocol makes it easy to deploy devices, however it’s also a large security risk as these devices could be discovered beyond your local network.

• Make sure you can update the firmware. If this is not possible do not deploy the device. Updating firmware is critical and should be done regularly as updates fix vulnerabilities within the software (firmware) that controls the device.