Azeem Aleem, Vice President Cybersecurity Consulting, NTT Ltd., discusses how a new generation of employees is bringing new attitudes towards being cyber secure.
There are many benefits to having a multi-generational workforce. Organisations can build teams that bring together individuals with wide-ranging experience, perspectives and skillsets; this has been shown to improve decision-making, innovation and problem-solving. However, this same diversity also leads to increased cyber security risk.
Managing cyber risk involves developing effective security strategies and plans, creating a culture of security, and enforcing data protection policies. All of these things become more complex in a working environment that encompasses so much variation in how employees see the workplace – and, indeed, the world as a whole.
Recent research from NTT Ltd. into the attitudes and behaviours around cyber security among different age groups highlights profound differences. As may be expected, there are variations in areas such as how they use technology, and the ways they prefer to work. However, some of the results were surprising.
The cyber enlightenment paradox
It is easy to assume that millennials, who have grown up using digital technology, would demonstrate more cyber security good practice than their older counterparts. However, while they do ‘get’ cyber security, it’s 30-60-year-olds that are most likely to exhibit best practice. This is probably because they’ve spent longer in the workplace acquiring awareness, knowledge and skills.
In terms of attitudes, it’s flexibility, productivity and speed that are top of mind with under-30s, and they expect systems to work for them. They want to be proactive, and to be able to use their own tools to get their work done effectively. If their needs are thwarted, this can lead to risky decisions and shortcuts.
Younger employees are also more laid back about their cyber security responsibilities. While half of all survey respondents said they believed the responsibility for security sits solely with the IT department, this was 6% higher among under-30s. They are more accepting of using personal devices at work, and consider them less of a security risk than older workers do.
Younger individuals are more likely to consider paying a ransom demand to a hacker (39%) than over-30s (30%). This is probably due to their eagerness to get things back up and running so they can continue working. Of course, payment to a hacker guarantees nothing.
They also have a more positive – or perhaps naïve – mindset around incident response, believing that their organisations would recover from a security breach six days more quickly than the recovery time estimated by their older colleagues.
The drive to ‘get stuff done’
We do need to be careful not to assume that the under-30s simply don’t care so much about cyber security. In fact, they’re more concerned than their older counterparts about some aspects, including the potential threat that the Internet of Things (IoT) presents to their organisation, and the technology skills shortage: 46% say their organisations don’t have adequate skills and resources to cope with cyber security threats, 4% higher than for over-30s.
While there are doubtless pockets of apathy within every organisation, it’s more likely that younger workers’ attitudes are due to the failure of corporate security policies and practices to meet their needs. They won’t tolerate having their productivity and agility derailed, and frustration with this will lead to a quest for ways to do things more efficiently.
No ‘one size fits all’ approach
Managing cyber security within a multi-generational workforce requires the buy-in of all employees to the desired actions and behaviours. Treating the entire workforce with a broad-brush approach is not the answer.
Understanding the diversity within the business, and the key differences that exist between age groups, will prove beneficial. However, attempting to create tailored cyber security plans for separate groups will only add complexity and create silos.
The best approach is to develop strong fundamental cyber security practices for all generations within the business, which act as an enabler rather than blocking them from achieving their tasks. This is particularly important if the business is to meet the expectations of younger workers, and fully harness their creativity and energy.
Make security everybody’s business
All employees must understand that cyber security is part and parcel of their role, not just a job for IT. A common foundation of education and awareness training at every level in the business plays a vital part in changing cyber security behaviour. The learning process can be made interesting and relevant to employees of all ages through gamification, and by regularly conducting simulation and tabletop exercises that bring the principles to life.
Review policies, procedures and processes
Creating an inclusive cyber security culture in which everyone can thrive and be productive will require security practitioners to redesign security plans and practices, to improve the fit between protecting data and systems and the tasks employees have to undertake.
Designate a diverse range of employee cyber security champions
This will help to spread the message across generations. Security leaders should also be approachable to employees, through one-to-one interaction and more formal company events, and must be able to talk the language of business, not technology.
Appoint a panel of younger employees
Listening to their views and needs around cyber security will help the business stay abreast of what they want from the workplace and the concerns they have.
Cyber security is at its core a people science, and a business issue. Implementing a successful organisation-wide cyber security approach will address the ‘people risk’ in a way that gets the best from the entire workforce.