Generation Z, which Pew Research Center defines as those born after 1996, is considered the first digital-native generation. This group of young people always has the latest technology at their fingertips. Yet even with this strong digital connection, the National Cybersecurity Alliance (NCSA) found that Gen Zers have higher cyber incident victimization rates than previous generations.

How can those with the most digital experience fall victim to the most scams?

Gen Z was exposed to emerging tech at a young age. The oldest were in elementary school in the early 2000s — a formative time for computers and smart devices. Ninety-nine percent of teachers in 2009 had computer access and 95% had computers with internet, according to the National Center for Education Statistics. Devices became essential to education, especially with the rise of STEM programs across the United States.

Today, devices have a stronghold in and out of the classroom, and Gen Z consistently sets viral trends that ripple across age groups.

As a member of Gen Z, learning that my generation ignores cybersecurity the most was shocking. Why have we not learned from the myriad of scam stories that permeate our history? Was security not a part of our education? We spend enormous amounts of time online, yet many of my Gen Z peers are careless with the security of their data.

Why Is Gen Z So Bad at Security?

The NCSA found that 64% of Gen Zers are always connected. The internet is necessary for work and school. It is also a source of social engagement and a creative outlet. However, though the internet is a constant in our lives, it often drains us of the energy necessary to consider the consequences of lax security.

The National Institute of Standards and Technology (NIST) found that typical computer users suffer from security fatigue. Gen Z likely spends more time online than most, and this may compound security fatigue. It may cause users to let their guard down and provide information without thinking through potential consequences. Gen Zers have the highest victimization rates for phishing, identity theft, and romance scams, according to the NCSA. But security fatigue alone can’t explain such high rates of victimization.

To security professionals, day-to-day measures don’t seem overly difficult. We often see the ramifications of skipping simple security best practices. But not everyone knows what it takes to stay secure, and most Gen Zers find security information frustrating and confusing. The NCSA found that 37% of participants across age groups thought themselves capable of using security measures, yet 40% lacked the motivation to do so. The lack of motivation may stem from both security fatigue and general confusion over what specifically needs to be implemented. This is a serious gap.

Another factor is the lack of basic cybersecurity education in schools. Many STEM programs omit security modules from their curricula. A 2020 study from Cyber.org and EdWeek Research Center found that only 45% of students receive security instruction in schools.

Security fatigue and the lack of cybersecurity education may be part of the reason Gen Z has the highest victimization rates, but as security professionals, we can create a more inclusive and accessible security culture.

Train your team for a cyber incident

How To Create an Inclusive Security Culture

While more needs to be done in schools, employers can also prepare and reinforce the importance of security to young professionals at work. It can’t be expected that everyone has security knowledge, especially those early in their careers. Given the increasing relentlessness and sophistication of cyber threats, it’s certainly important that Gen Z understand how to protect their data, but all generations could benefit from more astute guardianship of online information.

Enact inclusive measures

Keep security education simple. Eliminate jargon from annual modules and explain the value of security best practices. For instance, describe what multi-factor authentication (MFA) is and why it is important, rather than saying, “implement MFA on your devices.” Knowing the impact provides end-users with a more complete understanding and, perhaps, more motivation to use it.

Regular security education should also be available in different formats. Video, audio and written security content enable users to choose the method that best suits them. Adhering to accessibility standards from the U.S. Access Board ensures that all users have an equal opportunity to learn. Gen Z may be the most diverse generation yet, according to Pew, so it is essential that content is suitably tailored.

Educate employees on cybersecurity continuously. Send out a monthly newsletter with online safety tips and tricks. Encourage leaders to discuss security in team-wide or all-hands meetings, and create a space where employees can ask security questions without fear. In short, provide a wide and consistent variety of security training tools to help keep security on the top of everyone’s mind.

Use cutting-edge immersive experiences

Providing the most cutting-edge instruction will engage Gen Zers and provide them with meaningful security best practices for work and home. The threat landscape is more dangerous than it was when Gen Zers were coming of age. Current threats extend beyond traditional scams. They may be lurking in the unsecured WiFi available at a coffee shop. All the threat actor needs is someone desperate for free internet and tired of clicking checkboxes.

With that ever-changing threat landscape in mind, your organization’s security program needs the resilience to adapt. The IBM Security X-Force Cyber Range provides a variety of experiences to prepare organizations for a cyber incident. The team can also cater content to different audiences, such as the C-suite or the board of directors.

Gen Z may not be a part of those groups yet, but the X-Force Cyber Range offers a range of experiences for professionals at all levels. The X-Force Cyber Range team tailors immersive experiences to your organization’s industry and context to provide the most realistic scenario. For example, the Inside the Mind of a Hacker Seminar provides insight into the latest tactics and tools threat actors use. The seminar examines phishing scams, open-source intelligence and the latest hacker technology. The interactive session culminates in the teaching of best practices that can significantly increase cybersecurity both in the office and at home.

Education on how to implement security measures and how threat actors exploit vulnerabilities makes security more tangible. Real-life case studies add to this. The X-Force Cyber Range team pulls in relevant stories to demonstrate how real these threats are.

Next Steps for Gen Z

The key to engaging Gen Z in cybersecurity is to make it meaningful and top of mind. An inclusive security culture will create a more aware employee base and, in turn, lower your organization’s risk in the long run. Take small steps over time to implement these measures so teams aren’t overwhelmed. Be sure to survey employees on their thoughts and incorporate them into your security program. By listening to your employees and tailoring content, your security culture will grow stronger, and you will call Gen Z — and every generation — to action.

Learn how to build and test an effective incident response plan at the IBM Security X-Force Cyber Range here.

Schedule a no-cost consult with X-Force here.

More from Incident Response

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

People, Process and Technology: The Incident Response Trifecta

Let's say you are the CISO or IT security lead of your organization, and your incident response program needs an uplift. After making a compelling business case to management for investment, your budget has been approved and expanded. With your newfound wealth, you focus on acquiring technology that will improve your monitoring, detection and analysis of data traffic. Has the incident program really improved by the technology acquisition, or is the uplift merely cosmetic? If no other changes have been…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…