There is a common belief that those under 30 (millennials), who have grown up with technology, have a better understanding of cybersecurity. The latest research from NTT Ltd challenges that view showing that age is no barrier to poor cybersecurity. The report comes from data gathered earlier this year from the NTT Risk:Value 2019 report.
According to Matt Gyde, CEO, Security, NTT Ltd: “It’s clear from the research that the workforce has a very different approach and attitude to cybersecurity, depending on age. Businesses must transform their approach to security if they are to engage all generations. Most important is ensuring that employees understand that security is everyone’s business, and isn’t simply a role for IT, as has been the case in the past.”
Making security everyone’s responsibility sounds good but assumes that the training and education put in place reinforces that. It also places a lot of emphasis on cybersecurity policies that are flexible and understand the reality of the situation. In too many organisations the approach to a security incident is severe. There is no simple way to report a concern or mistake. To avoid repercussions, employees often try and cover up or ignore
Gyde goes on to recognise these problems saying: “Different generations use technology in very different ways and business leaders need to recognise that strong cybersecurity practices for all generations within the business is an enabler and not a barrier. Security leaders should make themselves more approachable and talk the language of business, not IT. Education is also fundamental to change in cybersecurity behaviour, so make the learning process interesting and relevant to all generations in the workforce.”
Which generation is the most cybersecurity aware?
The research looked at 17 different criteria to identify good and bad cybersecurity practices. Each of the criteria was assigned a score to represent those who were using the best practices. The results showed:
- under-30s score 2.3
- 30-45-year-olds score 2.9
- 46-60-year-olds score 3.0
Taking these numbers at face value raises the question of what has happened to the golden generation? Millennials have grown up with technology. They have had access to computers, mobile phones and digital devices for their whole lives. As such, it is generally assumed that they are the most IT literate members of the workforce. However, IT literacy does not necessarily mean that they are the most digitally secure.
Digging into the responses for this report shows how complacency and a lack of business awareness are key to the low scores. However, like any survey, there are a number of outliers that prove the exception.
What do millennials expect and fear?
Familiarity with technology is a key strength of the millennials. Their general awareness of what technology can deliver means that they expect it to help improve their productivity. This means that if the enterprise doesn’t deliver the apps they want, they will go and get them. It is a pragmatic approach, but one that is not necessarily without risk.
An example of this is ransomware. For many businesses, the approach is not to pay, although that is changing. The FBI recently changed its advice saying that it could see circumstances when a business would pay. Millennials see ransomware attacks as a transactional problem. If paying the ransom gets the business up and running, 39% say that would have no problems paying.
It is not just ransomware that shows a pragmatic approach. When it comes to recovering from cyber attack, they believe that current recovery times take too long. It is possible that this faster time to recovery is due to a world view that technology is simply a tool to be used.
Age and experience make a difference to a degree
That pragmatism does not manifest itself when it comes to cybersecurity and behaviour. The research shows that cybersecurity has no relevance to this age group. They are clearly not willing to play their part in the idea that everyone has a role to play when it comes to securing the enterprise.
The data also shows that age and business experience have a significant part to play in cybersecurity. Older age groups are willing to share the responsibility. They are also more aware of what to look for and what to avoid.
That said, the data did not seem to look at the impact of phishing attacks on the business. Business Email Compromise often targets people who have access to corporate funds. This is often likely to be senior members of accounts departments as they have the authority to make emergency transfers.
Detailed analysis shows a different story
View this data through the lens of vertical industries and it paints a different picture of millennials. Technology, finance, manufacturing, pharmaceutical are just some of the industries where the millennials score high in terms of cybersecurity best practice. It is easy to think of this as being the result of structured environments with proven processes.
Look deeper into the data and that is not the case. Millennials score higher than older age groups. This suggests that when you combined structured processes, education and support with digital intimacy, you get the best out of people. This is not just about how they perform on a daily basis. The data also shows that across government and public sector, millennials are setting the agenda for cybersecurity best practices.
The impact of culture, country and government practices
When the data set is looked at from an international level there are other lessons to be learned. Millennials in France and Brazil shine as cybersecurity leaders. The report authors believe that this is down to decisions at a national level to establish cybersecurity training in schools. These are also countries that have invested heavily in education around the use of technology.
That education at school means that millennials enter the workplace more digitally aware than their older colleagues. In some countries where technology has been embedded into business for decades, this makes no difference. Where technology has been slow to be adopted, either through economic issues or national approaches, that digital gap is a problem that will take time to close.
Cybersecurity best practice in a multigenerational workforce
NTT has provided a set of six steps that organisations can take to improve their cybersecurity across the whole workforce. They are:
- Security culture must include all generations and be supported by a diverse range of employee champions, which includes age.
- Build a panel of younger employees and listen to their views on cybersecurity.
- Younger employees can be at their best and most motivated in an agile, productive, flexible workplace environment, where they are most likely to buy into the desired culture and behaviours. Security should be designed to enable the business.
- Make cybersecurity everyone’s business. Security leaders should be approachable to employees, through one-to-one interaction and more formal company events.
- Where skills shortages are most acute, support learning programmes, mentoring and consider external support.
- Education is vital. Gamify security learning and make it fun for all.
Enterprise Times: What does this mean
Reports looking at the challenges facing the workforce when it comes to technology are not uncommon. Most tend to focus on the lack of general awareness of older employees, often stopping just short of calling them luddites. This report has taken a different focus and looked at concerns over cybersecurity.
What the data shows is interesting yet, in some ways, what we should expect when looking at businesses. This includes:
- Millennials will choose the right technology for the job irrespective of whether it is approved.
- Building and delivering cybersecurity education is not easy.
- Policies must be understood across the business and fit for purpose.
- Being comfortable with technology and all it brings.
Enterprises are continuing to invest heavily in cybersecurity. Some are even paying serious attention to delivering real education to the workforce. The challenge is how to tune that education to different age groups if it is to be effective.