Gen Z and Millennials Less Serious About Cybersecurity on Work-Issued Devices Than Personal, According to New EY Consulting Survey

  • Roughly half of Gen Z (48%) and about one-third of millennial employees (39%) admit to taking cybersecurity protection on their personal devices more seriously than on their work devices, potentially putting companies at risk.
  • Gen Z and millennial workers are significantly more likely than older generations to use the same password for both a professional account and personal account and to disregard mandatory IT updates.

A majority (83%) of US employees understand their employer’s cybersecurity protocols, but Gen Z and millennial workers – digital natives who make up a significant portion of the workforce – are least likely to prioritize or adhere to them, according to new data released by Ernst & Young LLP (EY US).

HR Technology News: HireVue Announces Industry First Agile Mindset Assessment To Help Organizations Future-Proof Their Teams

The 2022 EY Human Risk in Cybersecurity Survey asked 1,000 employed Americans about their cybersecurity awareness and practices. Below are the findings:

  • Three-quarters (76%) of workers across generations consider themselves knowledgeable about cybersecurity, but younger generations― who grew up online and have lived with cyber risks the majority of their lives― are significantly more likely to disregard mandatory IT updates for as long as possible (58% for Gen Z and 42% for millennials vs. 31% for Gen X and 15% for baby boomers);
  • Younger generations are more likely to use the same password for a professional account and personal account (30% for Gen Z and 31% for millennials vs. 22% for Gen X and 15% for baby boomers);
  • Finally, younger generations are more likely to accept web browser cookies on their work-issued devices all the time or often (48% for Gen Z and 43% for millennials vs. 31% for Gen X and 18% for baby boomers).

“This research should be a wake-up call for security leaders, CEOs and boards because the vast majority of cyber incidents trace back to a single individual,” said Tapan Shah, EY Americas Consulting Cybersecurity Leader. “There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages and rewards everyone in the enterprise.”

Looking ahead: building a proactive cybersecurity culture

Cybersecurity risks are on the rise as remote and hybrid working environments create an expanded attack surface for hackers and more state-backed actors, and human risk in particular is growing as younger digital natives, who spent most of their lives embracing technology, enter the workforce. US cyber incidents led to at least $7 billion in potential losses in 2021 alone, according to the Federal Bureau of Investigation.

Most of the employee respondents (84%) feel prepared to avoid cybersecurity mistakes at work, but only one-third (35%) feel very prepared. In fact, half or fewer of the employees say they are very confident about how to follow specific cybersecurity practices at work, such as using strong passwords at work (50%); keeping their work devices up to date with cyber protection (43%); identifying phishing attempts (41%); avoiding ransomware (38%); and encrypting their data (32%).

Role- and risk-based education can help improve cyber-safe practices. Respondents who received role-relevant cybersecurity training in the past year were significantly more likely to implement cyber-safe practices at work – including using strong passwords, keeping cyber protection software current on devices, identifying phishing attempts, avoiding ransomware and encrypting data – than employees who had not had any education for more than a year.

HR Technology News: New Proprietary Research From Crosschq Analyzes Quality Of Hire

“Companies are investing to embed cybersecurity in every business unit as they digitally transform, but software, controls, processes and protocols are only part of the equation for minimizing cyber risk,” Shah said. “Increasing enterprise-wide security also requires a holistic focus on the human, engaging every employee and embedding safety checks and protocols that make the risks tangible in their professional and personal lives.”

Shah advises leaders to adopt the following guidance to help employees #BeCyberSmart:

  • Use carrots, not sticks. If employees suspect a cybersecurity breach (e.g., a phishing attempt, compromised passwords), the majority said their next step would be to contact their company’s IT department (81%) or their immediate supervisor (79%), which are typical company protocols. But one in six (16%) would try to handle the situation themselves, which represents millions of workers in the US. A positive, human-centric security culture rewards cyber-safe practices and uses mistakes as teaching moments.
  • Provide cybersecurity education and make it personal. There needs to be a focus on educating the workforce about how to live and operate safely in a digital world. Educate employees about more than security at work. Teach them safe cybersecurity practices for their personal lives and their families. Teach the role-based risks and the consequences, and then give simple, immediately actionable guidance.
  • Understand and interrupt human behaviors. Understand employees’ workflows, identify the moments of highest human risk, and then create interruption points or behavior prompts. The goal of a behavior prompt or technical control interruption is to focus on an individual’s actions to follow the proper procedure to minimize risk.

HR Technology News: HR Technology Highlights – HR Tech Daily Round-Up For 10 October 2022

[To share your insights with us, please write to sghosh@martechseries.com]

cybersecurityemployee remote workErnst & Young LLPHR Techhybrid work
Comments (0)
Add Comment