Generation Gap: Does Your Security Awareness Program Bridge the Divide?
Does your security awareness training program consider the age of the trainees? As more millennials join the workforce, they are approaching security and privacy differently than their older colleagues. This generation grew up with technology and has a contrasting view of what is acceptable to share and risk.
This disconnect can be challenging for employers when it comes to ensuring younger employees adhere to corporate security and privacy policies.
“Millennials are digitally native — they have always known cell phones and the internet in their lives,” said Ted Harrington, a security consultant with Independent Security Evaluators. “Because their ease of use of technology is strong, trust is high among millennials.”
Are Baby Boomers More Secure Than Millennials?
IBM Security’s January 2018 Future of Identity Study found that only 42 percent of millennials use complex passwords combining random capitalizations, numbers and symbols — but this figure increased to 49 percent for people over age 55. Millennials (41 percent) are also much more likely to use the same password across multiple sites or applications compared with people over age 55 (31 percent).
The IBM Security study also revealed that millennials value convenience over security at a much higher rate than baby boomers. Nearly half (47 percent) of those under age 24 said they’d use a less secure method of authentication to save just a few seconds of time. Compare this to just 16 percent of respondents over age 55 who would do the same.
A 2017 survey from financial services company First Data on generational attitudes about security backs up the notion that millennials are slightly less security-focused than their older colleagues.
The First Data survey revealed:
- Seventy-two percent of baby boomers said they rarely store enterprise data on their personal devices, compared to 69 percent of millennials.
- Eighty-six percent of baby boomers rarely download free software to their work devices without consulting IT, compared to 75 percent of millennials.
- Thirty-four percent of baby boomers said they always consider whether their online actions pose a risk to the enterprise, compared to only 21 percent of millennials.
- Eighty-two percent of millennials reuse passwords on websites and apps, and 42 percent will only change their passwords when forced to do so. But 70 percent of baby boomers reuse passwords on websites and apps, and 32 percent change their password only when prompted.
Boomers Still Have Security Challenges
While these two data sets show that baby boomers have some bragging rights over millennials when it comes to security awareness, that doesn’t mean their behavior is free of risk. According to Harrington, boomers are more susceptible to other kinds of attacks.
“Each of those two groups would be targeted in different ways because of their relationship with technology,” Harrington said.
So, how can companies tailor their security awareness training based on these generational attitudes?
Harrington explained that while awareness programs should be largely age-agnostic, there are some generational distinctions for security managers to consider when trying to reach employees of different age groups.
Addressing Generational Awareness Gaps
Harrington noted that because millennials were raised around technology and the internet, they are more likely to trust online services and applications, such as electronic signatures and cloud storage, to securely house their data.
“Millennials have a lower inhibition interacting with web forms,” Harrington said.
According to Forbes, millennials are more “aware of the most significant vulnerabilities a company is likely to face and will trust experts in other fields to handle that security.” That means awareness training aimed at millennials should be designed with online and digital mediums in mind.
Boomers, by contrast, sometimes need a different touch when it comes to awareness training due to their relative lack of familiarity with technology.
“Boomers are more skeptical online,” Harrington said. “They’re more hesitant to overshare information with systems, and that is a good thing.”
Despite their hesitation, boomers may be more vulnerable to older cons like phone scams. According to Harrington, senior users might be more prone to the age-old help desk ruse because they are more comfortable sharing information over the phone.
“If they were to receive a phone call, they may be more readily susceptible to a social engineering attack,” Harrington said.
Security Awareness Is Not One-Size-Fits-All
It’s important to remember that not every baby boomer or millennial fits these molds. People are individuals — and their age is only one factor influencing their attitudes about security.
No matter the age of the trainee, the goal of security awareness training should be to increase users’ level of maturity when it comes to online hygiene. This includes a thorough understanding of the company’s assets; the adversaries and their motives; and the attack surface.