Just because Millennials and Generation Z workers were born in the digital age does not necessarily mean they follow cyber security best practice. This is the message from NTT, whose recent study shows that employees over the age of 30 are on the whole more likely to adopt best practice in cyber security than their younger colleagues are. This is despite the findings that the younger group is the most anxious about the risk and their employer’s ability to tackle the threat.

The study, conducted this year amongst 2,256 organisations, shows that while people over 30 tended to demonstrate better cyber security behaviour in the UK, US, Nordics and Hong Kong, the opposite was generally found to be true for that age group in France and Brazil.


UK highlights

Over half of the younger respondents in the UK said they would consider paying a ransom demand to a hacker, compared with just 26% of over-30s. Over half of under-30s believe their company does not have adequate skills and resources in-house to cope with the number of security threats. This compares with a quarter of over-30s, and may be the result of growing up in a technology skills crisis. Under-30s guess that on average it would take 97 days to recover from a cyber security breach – six days more than the time estimated by older respondents.

NTT’s vice-president of consulting, Azeem Aleem says it is clear that a multi-generational workforce leads to very different attitudes to cyber security. “This is a challenge when organisations need to engage across all age groups, from the oldest employee to the youngest. With technology constantly evolving and workers wanting to bring in and use their own devices, apps and tools, business leaders must ensure that security is an enabler and not a barrier to a productive workplace.

“Our advice for managing security within a multi-generational workforce is to set expectations with young people and make security awareness training mandatory. Then execute this training to test your defences with all company employees involved in simulation exercises. Finally, team work is key. The corporate security team is not one person, but the whole company, so cultural change is important to get right.”

Expert on the intersection between technology and behaviour and Professor of Information Systems at the University of Bath, Adam Joinson says that treating all employees as posing the same risk, or having the same skills, is a risky approach.

“We do need to be careful not to assume that the under-30s simply don’t care so much about cyber security. While this may be true in some cases, in others it is more likely that existing security policies and practices don’t meet their expectations about ‘stuff just working’.

“If we want to harness the fantastic creativity and energy of younger workers, we need to think about security as something that enables their work, not something that blocks them from achieving their tasks. This is likely to mean security practitioners having to fundamentally rethink the way security policies operate, and finding ways to improve the fit between security and the tasks employees are required to undertake as part of their core work.”

As with all such studies, these numbers represent trends; there will always be exceptions.


Top tips for multi-generational cyber security best practice (Source: NTT)

1. Security culture must include all generations and be supported by a diverse range of employee champions, which includes age.

2. Build a panel of younger employees and listen to their views on cyber security.

3. Younger employees can be at their best and most motivated in a productive, flexible workplace environment, where they are most likely to buy into the desired culture and behaviours. Security should be designed to enable the business.

4. Make cyber security everyone’s business. Security leaders should be approachable to employees.

5. Where skills shortages are most acute, support learning programmes, mentoring and consider external support.

6. Education is vital.

Share Story: