CISO Guide: Are you considering Gen Z employees in your cyber awareness programme?

58% of Gen Z-ers will ignore software and hardware updates

If a generation is born and raised in an era of technological marvels, if their playtime involved iPads and laptops and their major interactions are digital by nature, you might think they know how to stay safe and secure online.

However, multiple new reports suggest that Generation Z employees are actually more likely to fall for a cyber attack than older employees due a lack of cyber apathy and an overall desensitisation to cyber attacks.

It is precisely because Generation Z are accustomed to digital actions and cyber behaviours that they believe they do not need to worry about the constant cyber risks they will face.

Considering more Gen Z-ers are entering the workforce with each passing year, fresh innovative approaches need to be taken to undo the apathy this generation holds for cyber security. For any CISOs, DPOs, and security leaders hiring Gen Z employees, you will need to consider how you educate this generation on cyber threats and the ramifications of a breach.

What do the statistics tell us?

Because Gen Z-ers are equally fluent in their real-life spaces and digital spaces, they believe they can recognise cyber threats and even believe they know how to adequately deal with one.

According to Comcast’s Xfinity Cyber Health Report, a study on risky online behaviours in the US, 70% of Boomers (born between 1945 and 1970) admit to unsafe behaviours. On the other hand, 87% of Gen Z (born between the mid-1990s and the early 2010s) admit to unsafe behaviours online. The report then details that Gen Z, when compared to all other age demographics, registered the lowest awareness of common threats such as phishing and malware.

A recent survey by EY Consulting also reveals that younger, digitally native, workers were significantly more likely to disregard mandatory IT updates for as long as possible. 58% of Gen Z-ers will ignore software and hardware updates when compared to 15% of Boomers.

The same survey also reveals that 1 in 3 Gen Z employees will use the same password across their professional and personal accounts compared to only 1 in 5 Boomers. We all know it takes just one personal account to be hacked for a threat actor gain access to professional accounts!

These statistics should be ringing loudly for security leaders, CISOs and DPOs across the world and across every industry. The vast majority of cyber breaches can be traced back to an individual human error. If you are neglecting a massive demographic in your workforce, you will be widening the size of the attack surface for cyber criminals.

There is an immediate need for organisations to focus their cyber security programme for every demographic in the workplace, especially Gen Z-ers.

Gen Z employees are lax with cyber security

You can be forgiven for thinking a generation raised in the digital age would be savvy with cyber threats. In truth, their tech influenced childhoods have made them apathetic to cyber risks and desensitised to the various potential attacks.

• Gen Z do not care about privacy: In F5 Lab’s survey of Gen Z’s cyber security behaviours, they found that 20% of Gen Z-ers do not want more privacy online with 68% of Gen Z-ers believing that nothing or almost nothing is private online. 64% of Gen Z also see no problem with companies collecting their information. A generation that has willingly sacrificed its privacy because it believes this is the way to behave online is the common cyber criminal’s dream.

• Gen Z blur the line between professional and personal security: A major reason for lax cyber security behaviours with Gen Z-ers is their inability to separate the professional and personal circles. Thomas Skill, Chief Information Officer, University of Dayton, has found that Gen Z employees like to bring their own devices to the workplace and are willing to trade security for personalised experiences. Furthermore, EY states that 48% of Gen Z employees admit to taking cyber security protections on their personal devices more seriously than their work devices. This is a major problem and worry for organisations that need to make sure their data and network is only accessible on secure devices. To solve issues like this, security leaders need to play with the lack of separation between personal and professional for Gen Z-ers; if you can successfully change their personal security behaviours, they will transfer the new learned behaviours to the workplace.

• Gen Z are not educated on online safety: Worryingly, the F5 Lab’s survey also goes on to state that 60% of Gen Z-ers said they have not received “education about safety online”. JISC also released data revealing that Gen Z-ers do not get as much cyber security awareness training from higher education anymore. The data reveals that only 3% of Gen Z-ers in higher education received compulsory training, 38% had optional training and 51% had no training at all. This follows on from the idea that many think safe security behaviours are inherently present in a generation that stepped into the digital world before they even got to know the real one. We know this is an incorrect way of thinking and Gen Z-ers are telling us the same thing! Whilst older generations receive online safety education through formal means such as work or higher education, younger generations are often missed out with the same level of education.

• Gen Z make digital choices quicker: One key piece of advice we always share as cyber awareness experts is to think before you click, to assess your digital behaviours for any malicious activity. Unfortunately, Gen Z employees are digital natives and are attuned to making digital decisions without the need to assess the situation. EY Consulting reveals that 48% of Gen Z employees are likely to accept all web browser queries, such as cookies, on work-issued devices all the time or often. This is 30% higher than Boomer employees!

• Gen Z-ers are not afraid to visit insecure websites: Whilst Boomers and even, to an extent, Millennials have been trained to acknowledge browser alerts about insecure websites, Security Magazine reveals that Gen Z-ers frequently click past their browser alerting of unsafe websites. Security Magazine goes on to say that this has become “second nature to younger web users” who just want to get to the information they desire as quickly as possible – with no worry about the damage it could have, especially on a work setting where an unsafe website could expose a corporate network to malware or malicious software.

• Gen Z employees do not report cyber breaches: According to The National Cybersecurity Alliance’s (NCSA) Annual Cybersecurity Attitudes and Behaviours Report 2022, 34% of Gen Z-ers have lost their money or data due to harmful cyber activity, such as phishing, with many of them failing to report the incident or even seek out cyber security training after the fact. This may be due to Gen Z employees believing they can deal with the consequences themselves or simply because do not want to admit falling for a digital scam despite being part of a digital savvy generation. The reasoning, of course, is unique to each individual human.

• Gen Z are always online: Cyber criminals are always going to target employees that are frequently online because they have a higher attack potential. A study by Royal Holloway, University of London, reveals that 95% of teens report having a smartphone with 45% reporting that they are online consistently. This makes Gen Z-ers the perfect target for long-term social engineering attacks and just a better bet for cyber criminals in general. Why target boomers with a solitary cyber attack when they rarely check their phones? Instead, target Gen Z-ers who are accessing the internet in ten separate ways in an hour!

How do you reach out to Gen Z employees?

Cyber attacks continue to increase and evolve at a staggering rate with a massive 238% increase in global cyber attacks. Much of this can be levelled at increased cyber crime during and post-pandemic and some can be labelled at national cyber security because of international conflict – however, we must also consider that human cyber security levels have fallen as younger, less-concerned employees enter the workforce.

Generation Z are the future! Soon, Gen Z-ers will account for much of a workforce. For organisations to remain safe and secure when this happens, IT security leaders, CISOs and DPOs need to think about Gen Z security behaviours and what can be done to ensure they follow protocols.

Just as threat actors are on the lookout for emerging and innovative new cyber attacks, cyber security leaders need to sniff out new opportunities and ways to train the next generation. We know their digital upbringing makes them snobbish about online learning, so you must speak their language.

• Make sure your programme is engaging.
• Gamify the training and development so it does not feel like training and development.
• If they are not receptive to individual learning, enquire about team activities or exercises that encourage teamwork and healthy competition.
• Gen Z employees hate environments that replicate the education system – stay away from lectures and laboriously long eLearning as the attention span just is not there.
• The line between their professional and personal cyber security is blurred, so teach them both. If you can successfully change their individual personal security, they will transfer the same skills to a professional setting.

One size most definitely does not fit all anymore in cyber security awareness and training. If we can get ahead of Gen Z-ers and their unsafe security behaviours, we can encourage them to change and build back better ones and stay ahead of the cyber criminals targeting them!

If you would like more information about how The Security Company can  help your organisation and Gen Z employees stay safe and deliver security awareness training and development for you in 2023 or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact  Jenny Mandley.