Cyber security age-gap research shows importance of considering generational differences in strategies
- Published: Tuesday, 22 October 2019 08:00
According to a new report on behaviour and attitudes to cyber security among different age groups, employees over the age of 30 are more likely to adopt cyber security best practice than younger colleagues who have grown up around digital technology. The report also indicates that the younger generation is more anxious about cyber security and their company’s ability to tackle the number of security threats.
Launched by the Security division of NTT Ltd, the report reveals that while the over-30s demonstrate better cyber security behaviour in the UK, US, Nordics and Hong Kong, it is under-30s who are cyber security leaders in France and Brazil.
NTT’s report identified good and bad practice for global organizations researched as part of its Risk:Value 2019 report, scored across 17 key criteria. It reveals that, on average, under-30s score 2.3 in terms of cyber security best practice, compared to 3.0 for over-30s. In the UK, under-30s (4.3) and over-30s (5.5) are among the highest scores globally.
The data suggests that just because Millennials and Generation Z workers are born in the digital age, it does not necessarily mean they follow cyber security best practice. In fact, employees who have spent longer in the workplace gaining knowledge and skills and have acquired ‘digital DNA’ during that time, sometimes have an advantage over younger workers.
Overall, the under-30s expect to be productive, flexible and agile at work using their own tools and devices, but half of respondents think responsibility for security rests solely with the IT department. This is 6 percent higher than respondents in the older age categories.
Azeem Aleem, VP Consulting (UK&I) Security, NTT, comments: “It’s clear from our research that a multi-generational workforce leads to very different attitudes to cyber security. This is a challenge when organizations need to engage across all age groups, from the oldest employee to the youngest. With technology constantly evolving and workers wanting to bring in and use their own devices, apps and tools, business leaders must ensure that security is an enabler and not a barrier to a productive workplace.
“Our advice for managing security within a multi-generational workforce is to set expectations with young people and make security awareness training mandatory. Then execute this training to test your defences with all company employees involved in simulation exercises. Finally, team work is key. The corporate security team is not one person, but the whole company, so cultural change is important to get right.”
Adam Joinson, Professor of Information Systems, University of Bath, an expert on the intersection between technology and behaviour, adds: “There is no ‘one size fits all’ approach to cyber security. The insights from the NTT study demonstrate that treating all employees as posing the same risk, or having the same skills, is problematic for organizations. We do need to be careful not to assume that the under-30s simply don’t care so much about cyber security. While this may be true in some cases, in others it is more likely that existing security policies and practices don’t meet their expectations about ‘stuff just working’.
“If we want to harness the fantastic creativity and energy of younger workers, we need to think about security as something that enables their work, not something that blocks them from achieving their tasks. This is likely to mean security practitioners having to fundamentally rethink the way security policies operate, and finding ways to improve the fit between security and the tasks employees are required to undertake as part of their core work.”
NTT’s six cyber security best practice tips for a multi-generational workforce are:
- Security culture must include all generations and be supported by a diverse range of employee champions, which includes age.
- Build a panel of younger employees and listen to their views on cyber security.
- Younger employees can be at their best and most motivated in an agile, productive, flexible workplace environment, where they are most likely to buy into the desired culture and behaviours. Security should be designed to enable the business.
- Make cyber security everyone’s business. Security leaders should be approachable to employees, through one-to-one interaction and more formal company events.
- Where skills shortages are most acute, support learning programmes, mentoring and consider external support.
- Education is vital. Gamify security learning and make it fun for all.