Growing up with Technology doesn’t make you more cyber-secure, says NTT report

• Younger workers more likely to pay a ransom demand to a hacker than over-30s. Under-30s also troubled by lack of the right security skills in their organization

In today’s multi generational workforce, the over-30s are more likely to adopt cybersecurity good practice than their younger colleagues who have grown up with digital technology. This is according to a report on generational attitudes to cybersecurity from the Security division of NTT Ltd. a leading global technology services company.

NTT’s report identified good and bad practice for organizations researched as part of its Risk : Value 2019 report, scored across 17 key criteria. This revealed that under-30s score 2.3 in terms of cybersecurity best practice, compared to 2.9 for 30-45 year-olds and 3.0 for 46-60 year-olds.

The data suggests that a person born in the digital age wouldn’t necessarily follow cybersecurity best practice. In fact, employees who have spent longer in the workplace gaining knowledge and skills and acquired ‘digital DNA’ during that time, sometimes have an advantage over younger workers.

Under-30s, who are born into the digital age, on the other hand, are more laid back about cybersecurity responsibilities. They adopt different working practices and expect to be productive, flexible and agile at work using their own tools and devices. However, half of respondents think that responsibility for cybersecurity rests solely with the IT department. This is 6% higher than respondents in the older age categories.

Top generational differences in attitudes to cybersecurity :

  • Under-30s are more likely to consider paying a ransom demand to a hacker (39%) than over-30s (30%). This may be due to an impatience to get systems back up and running, or a greater knowledge of bitcoin and other cryptocurrencies.
  • Growing up in a technology skills crisis, 46% of under-30s are worried their company doesn’t have the right cybersecurity skills and resources in-house. This is 4% higher than for over-30s.
  • The desire for flexibility and agility could be affecting attitudes to incident response. Under-30s estimate that a company could recover from a cybersecurity breach in just 62 days – six days less than the time estimated by older age groups (68 days).
  • Younger workers are more accepting of personal devices at work and consider them less of a security risk (71%) than older workers (79%). However, they’re more concerned about the Internet of Things (IoT) as a potential risk (61% compared to 59%).
  • 81% believe cybersecurity should be an item on the boardroom agenda, compared to 85% of over-30s.

Key regional differences

Under-30s in Brazil and France emerge as cybersecurity leaders in their countries; the result of the French government’s cybersecurity agency’s specific focus four years ago to raise awareness of cybersecurity issues among children and students. In Brazil, digital infrastructure was rolled out later than in North America, Europe and Asia Pacific, meaning that middle-aged employees have had less exposure to digital. In the Nordics, USA, Hong Kong and the UK – all digitally advanced countries – older employees have plenty of ‘digital DNA’, but these countries must ensure that under-30s continue to learn and embrace cybersecurity skills and behaviours.

Adam Joinson, Professor of Information Systems, University of Bath, an expert on the intersection between technology and behaviour, comments: “There is no ‘one size fits all’ approach to cybersecurity. The insights from the NTT study demonstrate that treating all employees as posing the same risk, or having the same skills, is problematic for organizations. We do need to be careful not to assume that the under-30s simply don’t care so much about cybersecurity. While this may be true in some cases, in others it is more likely that existing security policies and practices don’t meet their expectations about ‘stuff just working’.

“If we want to harness the fantastic creativity and energy of younger workers, we need to think about security as something that enables their work, not something that blocks them from achieving their tasks. This is likely to mean security practitioners having to fundamentally rethink the way security policies operate, and finding ways to improve the fit between security and the tasks employees are required to undertake as part of their core work.”

Matt Gyde, CEO, Security, NTT Ltd., adds : “NTT’s research has uncovered contrasting attitudes and behaviours on cybersecurity from different generations. It’s clear from the research that the workforce has a very different approach and attitude to cybersecurity, depending on age. Businesses must transform their approach to security if they are to engage all generations. Most important is ensuring that employees understand that security is everyone’s business, and isn’t simply a role for IT, as has been the case in the past. Different generations use technology in very different ways and business leaders need to recognise that strong cybersecurity practices for all generations within the business is an enabler and not a barrier. Security leaders should make themselves more approachable and talk the language of business, not IT. Education is also fundamental to change in cybersecurity behaviour, so make the learning process interesting and relevant to all generations in the workforce.”

Cybersecurity best practice in a multi generational workforce:

  1. Security culture must include all generations and be supported by a diverse range of employee champions, which includes age.
  2. Build a panel of younger employees and listen to their views on cybersecurity.
  3. Younger employees can be at their best and most motivated in an agile, productive, flexible workplace environment, where they are most likely to buy into the desired culture and behaviours. Security should be designed to enable the business.
  4. Make cybersecurity everyone’s business. Security leaders should be approachable to employees, through one-to-one interaction and more formal company events.
  5. Where skills shortages are most acute, support learning programmes, mentoring and consider external support.
  6. Education is vital. Gamify security learning and make it fun for all.