Younger Workers Lax when it Comes to Cybersecurity, Survey Finds


During the 1964 Free Speech Movement at the University of California, Berkeley, activist Jack Weinberg said: “Don’t trust anyone over 30.” Well, when it comes to cybersecurity, it may be more accurate to say Don’t trust anyone under 30.

That is, if a new survey from international IT services provider NTT is to be taken seriously. According to the survey that served as the basis of its Risk:Value 2019 report, working professionals over the age of 30 are more likely to embrace good security hygiene than their younger associates.

Respondents under 30 scored relatively lower on following cybersecurity best practices than those aged 30 to 45 and those aged 46 to 60. “This data suggests that those born and raised in the digital age don't necessarily follow cybersecurity best practices. Employees who have spent more time in the workplace gaining knowledge, skills, and acquired 'digital DNA,' tend to have a stronger security posture than younger workers,” NTT said in a statement.

"Under-30s, on the other hand, are more laid back about cybersecurity responsibilities. They adopt different working styles and prefer to be more productive, flexible, and agile at work using their tools and devices. Moreover, half of the under-30 respondents think that responsibility for cybersecurity rests solely with the IT department. This is 6% higher than respondents in the older age categories," the statement continued.

Other generational differences in attitudes toward cybersecurity found in the report include:

  • Under-30s are more likely to consider paying a hacker’s ransom demand (39%) than over-30s (30%). This may be due to an impatience to get systems back up and running, or a greater knowledge of bitcoin and other cryptocurrencies.
  • Growing up in a technology skills crisis, 46% of under-30s are worried their company doesn't have the right cybersecurity skills and resources in-house. This is 4% higher than for the over-30s.
  • The desire for flexibility and agility could be affecting attitudes to incident response. Under-30s estimate that a company could recover from a cybersecurity breach in just 62 days – six days less than the time estimated by older age groups (68 days).
  • Younger workers are more accepting of personal devices at work than their older counterparts; 8% fewer consider them a security risk. However, they’re more concerned about the Internet of Things (IoT) as a potential risk (61% compared to 59%).
  • Eighty-one percent of under-30s believe cybersecurity should be an item on the boardroom agenda, compared to 85% of the over-30s.

The survey also found that while enterprises want to do a better job protecting their data and systems, they see themselves as falling behind the criminals. NTT believes that there are several things at play here, including the lack of sufficient security policies, incident response plans, and commonly poor communication of security issues.

The survey also found that security budgets are not rising at the pace needed to keep up with increasingly tightly-resourced security teams. “Amid confusion around responsibility, many senior managers think that cybersecurity is just a problem for the IT department,” the report states.

Surprisingly, a large percentage of companies, 42%, don't currently have a formal security policy. Of those that do have an official security policy, only 48% said that their employees were completely aware of it. That means less than one-third of responding companies have a security policy that is widely understood in their organization.

If few companies have adequate security policies, it probably won't come as a surprise that few companies have effective security incident response plans in place. “Only 52 percent of companies said that they had such a plan. This is an increase of 3 percent from 2018, but only 57 percent of companies that had a policy fully knew what was in it. If a data breach hit, those companies lacking awareness of a solid plan would find themselves in disarray,” the report stated.

The vast majority of respondents agreed that a strong cybersecurity posture would provide value to their organization, primarily when it came to data integrity at 52% and reasonable access control at 47%. Nearly half, or 46%, believed that good cybersecurity could help protect the reputation of their brand.

Interestingly, the vast majority of respondents, 88%, view cybersecurity as something that can broadly benefit society. And perhaps that’s one of the keys to getting more of the younger staffers to take cybersecurity more seriously: show them how good security hygiene on their part can help protect not only their organization but also the security and privacy of customers, suppliers, and partners.