Cybersecurity age gap revealed as over-30s adopt better behaviour than younger workers, says NTT report
According to a new report on behaviour and attitudes to cybersecurity among different age groups, employees over the age of 30 are more likely to adopt cybersecurity best practice than younger colleagues who have grown up around digital technology. The report, ‘Meeting the expectations of a new generation. How the under 30s expect new approaches to cybersecurity’, also indicates that the younger generation is more anxious about cybersecurity and about their company’s ability to tackle the number of security threats.
Launched by the Security division of NTT Ltd., a leading global technology services company, the report reveals that while the over-30s demonstrate better cybersecurity behaviour in the UK, US, Nordics and Hong Kong, it is under-30s who are cybersecurity leaders in France and Brazil.
NTT’s report identified good and bad practice for global organisations researched as part of its Risk:Value 2019 report, scored across 17 key criteria. It reveals that, on average, under-30s score 2.3 in terms of cybersecurity best practice, compared to 3.0 for over-30s. In the UK, under-30s (4.3) and over-30s (5.5) are among the highest scores globally.
The data suggests that just because Millennials and Generation Z workers are born in the digital age, it does not necessarily mean they follow cybersecurity best practice. In fact, employees who have spent longer in the workplace gaining knowledge and skills, and who have acquired ‘digital DNA’ during that time, sometimes have an advantage over younger workers.
Overall, under-30s expect to be productive, flexible and agile at work using their own tools and devices, but half of respondents think responsibility for security rests solely with the IT department. This is 6% higher than respondents in the older age categories.
UK highlights: Generational attitudes to cybersecurity:
- Younger workers are risk takers, with over half (52%) saying they would consider paying a ransom demand to a hacker, compared to just 26% of over-30s
- Over half (58%) of under-30s believe their company does not have adequate skills and resources in-house to cope with the number of security threats. This compares to a quarter (26%) of over-30s, and may be the result of growing up in a technology skills crisis
- Under-30s estimate that it would take around three months (97 days) to recover from a cybersecurity breach – six days more than the time estimated by older respondents
- 82% believe that cybersecurity should be a regular item on the boardroom agenda, compared to 90% of over-30s
- More accepting of new tools and devices at work, younger workers consider the Internet of Things (IoT) as more of a security risk (69%) than older colleagues (65%).
Azeem Aleem, VP Consulting (UK&I) Security, NTT, comments: “It’s clear from our research that a multi-generational workforce leads to very different attitudes to cybersecurity. This is a challenge when organisations need to engage across all age groups, from the oldest employee to the youngest. With technology constantly evolving and workers wanting to bring in and use their own devices, apps and tools, business leaders must ensure that security is an enabler and not a barrier to a productive workplace.
“Our advice for managing security within a multi-generational workforce is to set expectations with young people and make security awareness training mandatory. Then execute this training to test your defences with all company employees involved in simulation exercises. Finally, teamwork is key. The corporate security team is not one person, but the whole company, so cultural change is important to get right.”
Adam Joinson, Professor of Information Systems, University of Bath, an expert on the intersection between technology and behaviour, adds: “There is no ‘one size fits all’ approach to cybersecurity. The insights from the NTT study demonstrate that treating all employees as posing the same risk, or having the same skills, is problematic for organisations. We do need to be careful not to assume that the under-30s simply don’t care so much about cybersecurity. While this may be true in some cases, in others it is more likely that existing security policies and practices don’t meet their expectations about ‘stuff just working’.
“If we want to harness the fantastic creativity and energy of younger workers, we need to think about security as something that enables their work, not something that blocks them from achieving their tasks. This is likely to mean security practitioners having to fundamentally rethink the way security policies operate, and finding ways to improve the fit between security and the tasks employees are required to undertake as part of their core work.”
NTT’s six cybersecurity best practice tips for a multi-generational workforce:
- Security culture must include all generations and be supported by a diverse range of employee champions, including diversity of age
- Build a panel of younger employees and listen to their views on cybersecurity
- Younger employees can be at their best and most motivated in an agile, productive, flexible workplace environment, where they are most likely to buy into the desired culture and behaviours. Security should be designed to enable the business
- Make cybersecurity everyone’s business. Security leaders should be approachable to employees, through one-to-one interaction and more formal company events
- Where skills shortages are most acute, support learning programmes, mentoring and consider external support
- Education is vital. Gamify security learning and make it fun for all
More information on the NTT Report: ‘Meeting the expectations of a new generation. How the under 30s expect new approaches to cybersecurity’ is available at: https://hello.global.ntt/en-us/insights
Notes for Editors:
Methodology
The NTT data cited in this report was collected through global research commissioned in 2019 involving 2,256 organisations in 17 sectors across 20 countries and conducted by Jigsaw Research. Respondents were senior decision-makers outside of the IT department, with 20% holding a C-level position. Overall results were published in the Risk:Value 2019 Report and related content. From the responses to the research, NTT identified good practice and bad practice in cybersecurity, with each business being accordingly given a score of between -41 and +27. The average organisation scored +3. NTT then considered the score of the organisation by age of respondent.
About Professor Adam Joinson
Professor Adam Joinson is Professor of Information Systems at the University of Bath. He has worked closely with a range of large organisations on security culture and behaviour, as well as contributing to guidance from CPNI, NCSC and ENISA. He is the University of Bath lead for a new Centre for Doctoral Training in cybersecurity (with the University of Bristol), and leads the ‘online behaviour’ strand in the Centre for Research and Evidence on Security Threats (www.crestreseach.ac.uk), the national hub for applying behavioural and social science to security. He has published over 100 articles, chapters and books on technology, behaviour, cybersecurity and privacy.
About Security and NTT Ltd.
Security is a division of NTT Ltd., a global technology services company bringing together the expertise of leaders in the field, including NTT Communications, Dimension Data, and NTT Security. The Security division helps clients create a digital business that is secure by design. With unsurpassed threat intelligence, we help you to predict, detect, and respond to cyberthreats, while supporting business innovation and managing risk. Security has 10 SOCs, seven R&D centers, over 2,000 security experts and handles hundreds of thousands of security incidents annually across six continents. Security ensures that resources are used effectively by delivering the right mix of Managed Security Services, Security Consulting Services and Security Technology.
NTT Ltd. partners with organizations around the world to shape and achieve outcomes through intelligent technology solutions. For us, intelligent means data driven, connected, digital, and secure. As a global ICT provider, we employ more than 40,000 people in a diverse and dynamic workplace, and deliver services in over 200 countries and regions. Together we enable the connected future. Visit us at our new website hello.global.ntt
Media contact:
For more information, images or a copy of the report, please contact:
Amanda Hassall, Consultant, Origin Comms
amanda@origincomms.com
T: 01628 822741
M: 07855359889