Gen Z, Millennial workers are biggest workplace cybersecurity risks

New research conducted by Ernst & Young finds that a majority of US employees (83%) understand their employer’s cybersecurity mandates, but Gen Z and millennial workers are least likely to prioritize or adhere to them. Almost half of Gen Z (48%) and about two-thirds of millennial (39%) employees admit to taking cybersecurity precautions on their own personal devices more seriously than on company-owned devices.

The research continues the cement the narrative that digital natives—those who grew up with online access and exposure to cyber risk the majority of their lives—are a larger risk on corporate networks than older generations, such as Gen X and “Baby Boomers.”

For example, the survey found that mandatory IT updates to corporate-owned assets were the least adhered to with Gen Z. Gen Z admits to delaying the updates as long as possible at 58%, with millennials at 42%, 31% for Gen X and 15% for baby boomers.

16% of respondents would try to handle a cybersecurity incident themselves

EY cybersecurity survey

Even re-used passwords, which many would assume older generations to be guilty of the most, was in fact reversed. Gen Z admitted to reusing passwords for personal and professional accounts 30% of the time, and 31% for millennials. Meanwhile, Gen X reused passwords only 22% of the time, and baby boomers at 15%.

“This research should be a wake-up call for security leaders, CEOs and boards because the vast majority of cyber incidents trace back to a single individual,” said Tapan Shah, EY Americas Consulting Cybersecurity Leader.

“There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages and rewards everyone in the enterprise,” continued Shah.

Interestingly, the survey found that 84% of respondents feel “prepared” to avoid cybersecurity mistakes at work, but only 35% feel “very prepared.”

Less than a third of respondents (32%) felt prepared and capable of encrypting their data.

And in the event of cybersecurity incident, 81% would contact their IT department. But alarmingly, 16% admits they would try to handle the incident themselves.

It’s clear despite how much progress we have made in the cybersecurity industry for awareness and training, more work is necessary to mitigate and reduce risk.