A recent study found that Gen Z and millennial employees are less likely to adhere to common workplace cybersecurity practices than their Gen X and baby boomer counterparts.

While a majority (83%) of US employees understand their employer's cybersecurity protocols, Gen Z and millennial workers — digital natives who make up a significant portion of the workforce — are least likely to prioritize or adhere to them, according to new data released by Ernst & Young LLP (EY).

Cyber risk by generation

The 2022 EY Human Risk in Cybersecurity Survey asked 1,000 employed Americans about their cybersecurity awareness and practices. The report found that 76% of workers across generations consider themselves knowledgeable about cybersecurity, but younger generations, who grew up online and have lived with cyber risks for most of their lives, are significantly more likely to put off mandatory IT updates for as long as possible (58% for Gen Z and 42% for millennials vs. 31% for Gen X and 15% for baby boomers).

What's more, younger generations are more likely to use the same password for a professional account and personal account (30% for Gen Z and 31% for millennials vs. 22% for Gen X and 15% for baby boomers). Additionally, younger generations are more likely to accept web browser cookies on their work-issued devices all the time or often (48% for Gen Z and 43% for millennials vs. 31% for Gen X and 18% for baby boomers).

"This research should be a wake-up call for security leaders, CEOs and boards because the vast majority of cyber incidents trace back to a single individual," said Tapan Shah, EY Americas Consulting Cybersecurity Leader. "There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages and rewards everyone in the enterprise."

How CISOs can build a proactive cybersecurity culture

Cybersecurity risks are on the rise as remote and hybrid working environments create an expanded attack surface for hackers and a growing number of state-backed actors, and human risk in particular is growing as younger generations enter the workforce. Half or fewer of the employees surveyed say they are very confident about how to follow specific cybersecurity practices at work, such as using strong passwords at work (50%); keeping their work devices up to date with cyber protection (43%); identifying phishing attempts (41%); avoiding ransomware (38%); and encrypting their data (32%).

Shah advises leaders to adopt the following guidance to help employees increase their cyber readiness:

  • Use carrots, not sticks. If employees suspect a cybersecurity breach (e.g., a phishing attempt, compromised passwords), the majority said their next step would be to contact their company's IT department (81%) or their immediate supervisor (79%), which are typical company protocols. However, 16% would try to handle the situation themselves. A positive, human-centric security culture rewards cyber-safe practices and uses mistakes as teaching moments.
  • Provide personalized cybersecurity education. There needs to be a focus on educating the workforce about how to live and operate safely in a digital world. Educate employees about more than security at work. Teach them safe cybersecurity practices for their personal lives and their families. Teach the role-based risks and the consequences, and then give simple, immediately actionable guidance.
  • Understand and interrupt human behaviors. Understand employees' workflows, identify the moments of highest human risk, and then create interruption points or behavior prompts. The goal of a behavior prompt or technical-control interruption is to focus the individual, at that moment, on following the proper procedure and so minimize risk.
