Attitudes About Cybersecurity Differ by Generation

December 2, 2019

Businesses must engage all generations and ensure that employees understand that security is everyone’s business, and isn’t just a role for IT.

In today’s multigenerational workforce, professionals over age 30 are more likely to adopt cybersecurity best practices than their younger colleagues who have grown up with technology. This insight comes from research recently conducted by the Security division of NTT Ltd., a global technology services company, regarding generational attitudes toward cybersecurity.

“NTT’s research has uncovered contrasting attitudes and behaviours on cybersecurity from different generations. It’s clear from the research that the workforce has a very different approach and attitude to cybersecurity, depending on age,” says Matt Gyde, CEO, Security, NTT Ltd. “Businesses must transform their approach to security if they are to engage all generations. Most important is ensuring that employees understand that security is everyone’s business, and isn’t simply a role for IT, as has been the case in the past.”

NTT’s report, “Meeting the Expectations of a New Generation,” identifies good and bad cybersecurity practices for organizations surveyed as part of its Risk:Value 2019 report. The data cited in the report were collected through global research commissioned in 2019 involving 2,256 organizations in 17 sectors across 20 countries and conducted by Jigsaw Research.

Among the more than 2,000 professionals surveyed, nearly 700 respondents––all under age 30––worked outside of IT in management and decision-making positions.

Data suggest that those born and raised in the digital age don’t necessarily follow cybersecurity best practices. In fact, employees who have spent more time in the workplace gaining knowledge and skills, and who have acquired ‘digital DNA,’ tend to have a stronger security posture than younger workers.

Under-30s, on the other hand, are more laid back about cybersecurity responsibilities, the report suggests. They adopt different working styles and prefer to be more productive, flexible, and agile at work using their own tools and devices. Moreover, half of under-30 respondents think that responsibility for cybersecurity rests solely with the IT department. This is 6% higher than among respondents in the older-age categories.

However, for under-30s, some of the highest rates of cybersecurity best practices occur in the healthcare and pharmaceutical industry.

“Cybersecurity is highly important for the healthcare workforce, primarily due to patient welfare being an essential consideration. Furthermore, there is the need to protect intellectual property related to patient data/records, and pharmaceuticals,” says Matthew Handler, CEO of the Americas for NTT Ltd. “It is demonstrably possible for connected medical equipment to be breached, and for healthcare organizations’ IT to be used as a bridge to breach this equipment. Because the stakes are higher within the healthcare industry, it isn’t surprising that our recent Risk:Value 2 report found higher rates of cybersecurity best practices in this field.”

Healthcare executives should consider cyberattacks a clear and present danger to patient safety. There are recent examples of ransomware attacks that have disrupted medical care in hospital settings, Handler says, so it’s a crucial patient safety issue.

Not all systems in healthcare are based on IP (internet protocol), Handler says. Some use non-standard or operational technology protocols, and these systems are not always updated or patched in a timely fashion. This can lead to vulnerabilities that attackers can exploit. “Of course, IP-based systems in healthcare can be breached as well, and used as a bridge to other connected systems––such as medical equipment,” he says.

Healthcare institutions can reduce their value as a target for cyberattacks by conducting regular risk assessment exercises and identifying possible avenues of exploitation.

“Because most of today’s cyberattacks target people, not machines, it can be as simple as rigorous email training. The majority of intrusion efforts in the healthcare industry begin with email-based ‘phishing’ attempts,” Handler says. “Routine risk assessments allow healthcare organizations to allocate the right level of investment for protecting their most valuable assets. Because email-based attacks are the most common gateway, healthcare organizations should create people-based training. Define the threats, define the targets, and create training and awareness programs, which address how these cyber threats are carried out. It’s not just about protecting data, but patient safety as well.”

Generational differences in attitudes toward cybersecurity

  • Under-30s are more likely to consider paying a hacker’s ransom demand (39%) than over-30s (30%). This may be due to an impatience to get systems back up and running, or a greater knowledge of bitcoin and other cryptocurrencies.

  • Growing up in a technology skills crisis, 46% of under-30s are worried their company doesn’t have the right cybersecurity skills and resources in-house. This is 4% higher than for over-30s.

  • The desire for flexibility and agility could be affecting attitudes to incident response. Under-30s estimate that a company could recover from a cybersecurity breach in just 62 days––six days less than the time estimated by older age groups (68 days).

  • Younger workers are more accepting of personal devices at work than their older counterparts; 8% fewer consider them a security risk. However, they’re more concerned about the Internet of Things (IoT) as a potential risk (61% compared to 59%).

  • Eighty-one percent of under-30s believe cybersecurity should be an item on the boardroom agenda, compared to 85% of over-30s.