Younger workers can pose a greater risk to an organization’s cybersecurity than older workers, according to a study released Tuesday by IT security company Ivanti.
Based on a Q4-2022 survey of 6,500 executive leaders, infosec professionals, and office workers worldwide, the study concluded that millennials and Gen Z workers are more likely to have unsafe cybersecurity habits than their older peers. It found:
- 38% of office workers under 40 use the same passwords on multiple devices, compared to 28% of office workers older than 40.
- 34% of office workers under 40 shared work device(s) with family or friends, compared to 19% of office workers older than 40.
- 34% of office workers under 40 use a birthdate in their password, compared to 19% of office workers older than 40.
- 13% of office workers under 40 clicked on a phishing link when targeted, compared to 8% of office workers older than 40.
“Many assume older employees are less tech-savvy — and therefore more likely to engage in risky behaviors,” the report noted. “In fact, the opposite is true.”
“Younger professionals (those under 40) are significantly more likely to disregard important security guidelines when compared to Gen X and older,” it continued. “This is true about performing password hygiene, clicking on phishing links, and sharing devices with family and friends.”
Not only do younger workers pose a risk because of their indifference to cyber hygiene, the study added, but they are also less likely to report signs of potential security threats when encountering them.
It revealed that among workers 40 and under, 23% said they did not report the last phishing email or message they received, compared to 12% of those over 40.
Older workers don’t have the ingrained familiarity with online technology that younger workers do, so they might have a healthy skepticism and sense of caution when going about their business online, observed Mika Aalto, co-founder and CEO of Hoxhunt, a provider of enterprise security awareness solutions, in Helsinki.
“When you’re talking about Gen X and above, these generations recall the uncertainty around making an online payment in the early days of e-commerce or sending sensitive information over email as opposed to a fax. Sometimes, being overly confident can lead to a careless mistake,” he told TechNewsWorld.
Younger workers can be overly self-assured when it comes to technology, agreed George Jones, chief information security officer with Critical Start, a national cybersecurity services company. “Younger employees often have a lack of awareness and overconfidence in technology, favoring convenience over security, which results in riskier behaviors,” he told TechNewsWorld.
“The tech-savvy nature of the generation can lead to overconfidence in their ability to navigate the digital landscape without taking necessary precautions, such as not reusing passwords or sharing sensitive information online,” he said.
Simulate Attacks To Counter Overconfidence
It is essential for security teams to keep in mind that familiarity can breed carelessness, especially when dealing with more confident users, added Erich Kron, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“Educating the more confident group on some of the more clever attacks that may take advantage of this confidence can help the younger groups understand just how easily some of the bad actors can ease their attacks into the normal daily work routine if the employees are not being careful,” he explained.
“Simulated attacks, such as simulated phishing campaigns, can really drive this home, especially when someone who is confident in their ability to avoid falling for a ruse finds themselves being tricked,” he observed.
An Element of Ennui
Younger workers have also experienced technology differently than their older peers, maintained Tom Molden, CIO of Global Executive Engagement at Tanium, a provider of converged endpoint management in Kirkland, Wash.
“Technology has advanced so rapidly in the past five to 10 years that we have a generation of younger people in the workforce that have never experienced the evolution of technology in the same way that many others have,” he told TechNewsWorld.
“With a constant wave of new innovations and an onslaught of new ways to leverage technology, it’s hard to imagine someone having the time to focus on fundamentals,” he said.
Molden pointed out, for example, that someone writing code today is typically using building blocks created by someone else and assuming they’re secure. That contrasts with an older software writer who wrote their code from scratch and had to learn how to think about securing it.
There may also be a certain amount of ennui among younger workers about the realities of online life. “Speaking for myself as an early-internet-adopting GenXer/Xillenial, I assume that my data has been compromised beyond the breaches for which I’ve received notifications,” confessed Karen Walsh, CEO of Allegro Solutions, a cybersecurity consulting company in West Hartford, Conn.
“To many of us, compromised data is a fact of life more than a potential future risk that can be prevented,” she told TechNewsWorld.
“This fatalistic approach impacts our online activities,” she continued. “If we feel that nothing we do matters because attackers will steal our data or companies will become a point of failure, then taking extra security actions feels inefficient while remaining ineffective.”
Gender and Seniority Impacts
The study also noted that gender and seniority can impact the collective strength of an organization’s security as a whole. For example, the researchers found that men and leaders are more comfortable contacting a security employee with a question or concern — with leaders at an organization the most likely to reach out with a question at 72%.
By contrast, the study discovered women are less likely than men to do the same. Twenty-eight percent of women have contacted a cybersecurity employee with a question or concern, compared to 36% of men.
“It’s interesting to note that men and leaders are more comfortable approaching security personnel. This suggests that there may be an unintentional bias or a cultural barrier that makes others feel less welcome,” observed Roger Neal, head of product at Apona Security, a software security tool maker in Sacramento, Calif.
“To address this,” he told TechNewsWorld, “organizations could consider implementing a common, user-friendly portal for reporting cybersecurity incidents.”
“Such a portal would democratize the reporting process, making it accessible and less intimidating for everyone, regardless of their position or gender,” he continued. “This inclusivity can lead to a more comprehensive and effective cybersecurity strategy.”
Adapting Cybersecurity Training for a Diverse Workforce
This survey appears to validate the hypothesis that there is no ‘one-size-fits-all’ approach to cybersecurity training and culture, noted Debrup Ghosh, a senior product manager at the Synopsys Software Integrity Group in Sunnyvale, Calif.
“Business leaders need to adapt their cybersecurity training based on the demographics of their employees and solicit feedback from them on how to make the training more effective instead of just ticking a box and moving on,” he said.
“Additionally,” he said, “cybersecurity training must account for diversity and inclusion practices as part of the delivery method to ensure that all employees — regardless of age, gender, religion, or other preferences — feel included in the process of instilling sound cybersecurity practices throughout the organization.”