Gen Z and millennials less serious about cybersecurity on work-issued devices than personal

• Roughly half of Gen Z (48%) and about one-third of millennial employees (39%) admit to taking cybersecurity protection on their personal devices more seriously than on their work devices, potentially putting companies at risk.
• Gen Z and millennial workers are significantly more likely than older generations to use the same password for both a professional account and personal account and to disregard mandatory IT updates.

A majority (83%) of US employees understand their employer’s cybersecurity protocols, but Gen Z and millennial workers – digital natives who make up a significant portion of the workforce – are least likely to prioritize or adhere to them, according to new data released by Ernst & Young LLP (EY US).

The 2022 EY Human Risk in Cybersecurity Survey asked 1,000 employed Americans about their cybersecurity awareness and practices. Below are the findings:

• Three-quarters (76%) of workers across generations consider themselves knowledgeable about cybersecurity, but younger generations― who grew up online and have lived with cyber risks the majority of their lives― are significantly more likely to disregard mandatory IT updates for as long as possible (58% for Gen Z and 42% for millennials vs. 31% for Gen X and 15% for baby boomers);
• Younger generations are more likely to use the same password for a professional account and personal account (30% for Gen Z and 31% for millennials vs. 22% for Gen X and 15% for baby boomers);
• Finally, younger generations are more likely to accept web browser cookies on their work-issued devices all the time or often (48% for Gen Z and 43% for millennials vs. 31% for Gen X and 18% for baby boomers).

“This research should be a wake-up call for security leaders, CEOs and boards because the vast majority of cyber incidents trace back to a single individual,” said Tapan Shah, EY Americas Consulting Cybersecurity Leader. “There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages and rewards everyone in the enterprise.”

Looking ahead: building a proactive cybersecurity culture

Cybersecurity risks are on the rise as remote and hybrid working environments create an expanded attack surface for hackers and more state-backed actors, and human risk in particular is growing as younger digital natives, who spent most of their lives embracing technology, enter the workforce. US cyber incidents led to at least $7 billion in potential losses in 2021 alone, according to the Federal Bureau of Investigation.

Most of the employee respondents (84%) feel prepared to avoid cybersecurity mistakes at work, but only one-third (35%) feel very prepared. In fact, half or fewer of the employees say they are very confident about how to follow specific cybersecurity practices at work, such as using strong passwords at work (50%); keeping their work devices up to date with cyber protection (43%); identifying phishing attempts (41%); avoiding ransomware (38%); and encrypting their data (32%).

Role- and risk-based education can help improve cyber-safe practices.

Respondents who received role-relevant cybersecurity training in the past year were significantly more likely to implement cyber-safe practices at work – including using strong passwords, keeping cyber protection software current on devices, identifying phishing attempts, avoiding ransomware and encrypting data – than employees who had not had any education for more than a year.

“Companies are investing to embed cybersecurity in every business unit as they digitally transform, but software, controls, processes and protocols are only part of the equation for minimizing cyber risk,” Shah said. “Increasing enterprise-wide security also requires a holistic focus on the human, engaging every employee and embedding safety checks and protocols that make the risks tangible in their professional and personal lives.”

Shah advises leaders to adopt the following guidance to help employees #BeCyberSmart:

• Use carrots, not sticks. If employees suspect a cybersecurity breach (e.g., a phishing attempt, compromised passwords), the majority said their next step would be to contact their company’s IT department (81%) or their immediate supervisor (79%), which are typical company protocols. But one in six (16%)  would try to handle the situation themselves, which represents millions of workers in the US. A positive, human-centric security culture rewards cyber-safe practices and uses mistakes as teaching moments.
  
• Provide cybersecurity education and make it personal. There needs to be a focus on educating the workforce about how to live and operate safely in a digital world. Educate employees about more than security at work. Teach them safe cybersecurity practices for their personal lives and their families. Teach the role-based risks and the consequences, and then give simple, immediately actionable guidance. 
  
• Understand and interrupt human behaviors. Understand employees’ workflows, identify the moments of highest human risk, and then create interruption points or behavior prompts. The goal of a behavior prompt or technical control interruption is to focus on an individual’s actions to follow the proper procedure to minimize risk.

For more on insights on cybersecurity culture, visit ey.com/en_us/ciso.

2022 EY Human Risk in Cybersecurity Survey methodology

EY US Consulting commissioned a third-party vendor to conduct the inaugural 2022 EY Human Risk in Cybersecurity Survey. The sample of 1,000 full- and part-time US employees ages 18+ whose current job requires the use of a work-issued laptop/computer (i.e., a tech-enabled professional) a majority of the time was completed between August 20 and August 29, 2022. The sample was balanced across age, gender, household income, race/ethnicity and region, and the margin of error (MOE) for the total sample is +/- 3 percentage points.

About EY

EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data, and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.