Does your security awareness training program consider the age of the trainees? As more millennials join the workforce, they are approaching security and privacy differently than their older colleagues. This generation grew up with technology and has a contrasting view of what is acceptable to share and risk.

This disconnect can be challenging for employers when it comes to ensuring younger employees adhere to corporate security and privacy policies.

“Millennials are digitally native — they have always known cell phones and the internet in their lives,” said Ted Harrington, a security consultant with Independent Security Evaluators. “Because their ease of use of technology is strong, trust is high among millennials.”

Are Baby Boomers More Secure Than Millennials?

IBM Security’s January 2018 Future of Identity Study found that only 42 percent of millennials use complex passwords combining random capitalizations, numbers and symbols, compared with 49 percent of people over age 55. Millennials (41 percent) are also much more likely to use the same password across multiple sites or applications than people over age 55 (31 percent).

The IBM Security study also revealed that millennials value convenience over security at a much higher rate than baby boomers. Nearly half (47 percent) of those under age 24 said they’d use a less secure method of authentication to save just a few seconds of time. Compare this to just 16 percent of respondents over age 55 who would do the same.

A 2017 survey from financial services company First Data on generational attitudes about security backs up the notion that millennials are slightly less security-focused than their older colleagues.

The First Data survey revealed:

  • Seventy-two percent of baby boomers said they rarely store enterprise data on their personal devices, compared to 69 percent of millennials.
  • Eighty-six percent of baby boomers rarely download free software to their work devices without consulting IT, compared to 75 percent of millennials.
  • Thirty-four percent of baby boomers said they always consider whether their online actions pose a risk to the enterprise, compared to only 21 percent of millennials.
  • Eighty-two percent of millennials reuse passwords on websites and apps, and 42 percent will only change their passwords when forced to do so. But 70 percent of baby boomers reuse passwords on websites and apps, and 32 percent change their password only when prompted.

Boomers Still Have Security Challenges

While these two data sets show that baby boomers have some bragging rights over millennials when it comes to security awareness, that doesn’t mean their behavior is free of risk. According to Harrington, boomers are more susceptible to other kinds of attacks.

“Each of those two groups would be targeted in different ways because of their relationship with technology,” Harrington said.

So, how can companies tailor their security awareness training based on these generational attitudes?

Harrington explained that while awareness programs should be largely age-agnostic, there are some generational distinctions for security managers to consider when trying to reach employees of different age groups.

Addressing Generational Awareness Gaps

Harrington noted that because millennials were raised around technology and the internet, they are more likely to trust online services and applications, such as electronic signatures and cloud storage, to securely house their data.

“Millennials have a lower inhibition interacting with web forms,” Harrington said.

According to Forbes, millennials are more “aware of the most significant vulnerabilities a company is likely to face and will trust experts in other fields to handle that security.” That means awareness training geared toward millennials needs to keep online and digital mediums in mind.

Boomers, by contrast, sometimes need a different touch when it comes to awareness training due to their relative lack of familiarity with technology.

“Boomers are more skeptical online,” Harrington said. “They’re more hesitant to overshare information with systems, and that is a good thing.”

Despite their hesitation, boomers may be more vulnerable to older cons like phone scams. According to Harrington, senior users might be more prone to the age-old help desk ruse because they are more comfortable sharing information over the phone.

“If they were to receive a phone call, they may be more readily susceptible to a social engineering attack,” Harrington said.

Security Awareness Is Not One-Size-Fits-All

It’s important to remember that not every baby boomer or millennial fits these molds. People are individuals — and their age is only one factor influencing their attitudes about security.

No matter the age of the trainee, the goal of security awareness training should be to increase users’ level of maturity when it comes to online hygiene. This includes a thorough understanding of the company’s assets; the adversaries and their motives; and the attack surface.
