We have just released an in-depth focus on the preferences of under 30 year olds regarding cybersecurity. Those preferences – identified through our global research - are profoundly different to other generations in the workplace.
Our Meeting the Expectations of a New Generation Report identifies drivers, challenges and concerns of the under 30s in businesses around the world. We also find in which countries and sectors the under 30s show the most good practice.
While millennials care deeply about their productivity, and can be laid back about cybersecurity, what is readily apparent is that they get cybersecurity. In conducting our qualitative research, every one of the under 30s we spoke to was readily able to articulate their views on the subject.
Having different preferences across generations poses challenges for organizations. Treating all employees with the same risk profile, or assuming the same level of skills or attitudes/behavior is too simplistic. As well as increasing organizational risk, adopting a one-size-fits-all culture hurts talent retention.
So what are the key takeaways from our work? There’s more in the report, but here are three to consider:
1. Given that under 30s have spent the highest percentage of their lives in the digital era, you might expect they demonstrate the most cybersecurity good practice. However, this is not the case. Indeed, greater business experience – and the acquisition in more recent times of digital DNA – means that those between the ages of 30 and 60 demonstrate more cybersecurity good practice, on average.
2. Skills really worry the under 30s. We know there’s a skills shortage in cybersecurity, but the younger generation is more acutely aware. As much as 42% of over 30s believe their organizations don’t have adequate skills or resources in-house to cope with the number of security threats. For under 30s, the figure is four percentage points higher. This just plays to the point that cybersecurity is top of mind for the younger demographic.
3. We know some companies pay ransoms to cybercriminals, as they consider the loss of data and time are a worse outcome than paying the ransom. But it’s striking that the propensity to pay is 30% higher among the under 30s. We think this is related to their continued thirst for productivity, and to get back online and operational as soon as possible. Of course, payment of a ransom to a cyber criminal guarantees nothing.
We have been working with Adam Joinson, professor of information systems at the University of Bath, who – writing in the report – is absolutely right to say that it’s not that under 30s don’t care about cybersecurity in the main. It’s more that enterprise cybersecurity often doesn’t meet their expectations.
So, as part of this report, we propose six key actions that can improve your security posture by taking into account the needs of this important age group.
Culture and inclusion is key. Far too many of the individuals we spoke to felt cybersecurity was the responsibility of the IT department, and not themselves. Several under 30s told us quite unassumingly that they felt confident that when cybersecurity incidents occurred, it would be resolved by others.
At NTT, we encourage businesses to focus on speed, execution and teamwork. This might involve setting the expectations of the younger generation early on, conducting simulation exercises involving all company employees in order to test the organization’s cyber resiliency and of course embracing the whole workforce with an inclusive cybersecurity culture.
Cybersecurity threats are becoming more complex but, with the right approach encompassing all generations, organization risk can be reduced.
It’s not that under 30s don’t care about cybersecurity in the main; it’s more that enterprise cybersecurity often doesn’t meet their expectations