Generation Z, which Pew Research Center defines as those born after 1996, is considered the first digital-native generation. This group of young people always has the latest technology at their fingertips. Yet even with this strong digital connection, the National Cybersecurity Alliance (NCSA) found that Gen Zers have higher cyber incident victimization rates than previous generations.

How can those with the most digital experience fall victim to the most scams?

Gen Z was exposed to emerging tech at a young age. The oldest were in elementary school in the early 2000s — a formative time for computers and smart devices. Ninety-nine percent of teachers in 2009 had computer access and 95% had computers with internet, according to the National Center for Education Statistics. Devices became essential to education, especially with the rise of STEM programs across the United States.

Today, devices have a stronghold in and out of the classroom, and Gen Z consistently sets viral trends that ripple across age groups.

As a member of Gen Z, learning that my generation ignores cybersecurity the most was shocking. Why have we not learned from the myriad of scam stories that permeate our history? Was security not a part of our education? We spend enormous amounts of time online, yet many of my Gen Z peers are careless with the security of their data.

Why Is Gen Z So Bad at Security?

The NCSA found that 64% of Gen Zers are always connected. The internet is necessary for work and school. It is also a source of social engagement and a creative outlet. However, though the internet is a constant in our lives, it often drains us of the energy necessary to consider the consequences of lax security.

The National Institute of Standards and Technology (NIST) found that typical computer users suffer from security fatigue. Gen Z likely spends more time online than most, and this may compound security fatigue. It may cause users to let their guard down and provide information without thinking through potential consequences. Gen Zers have the highest victimization rates for phishing, identity theft, and romance scams, according to the NCSA. But security fatigue alone can’t explain such high rates of victimization.

To security professionals, day-to-day measures don’t seem overly difficult. We often see the ramifications of skipping simple security best practices. But not everyone knows what it takes to stay secure, and most Gen Zers find security information frustrating and confusing. The NCSA found that 37% of participants across age groups thought themselves capable of using security measures, yet 40% lacked the motivation to do so. The lack of motivation may stem from both security fatigue and general confusion over what specifically needs to be implemented. This is a serious gap.

Another factor is the lack of basic cybersecurity education in schools. Many STEM programs omit security modules from their curricula. A 2020 study from and EdWeek Research Center found that only 45% of students receive security instruction in schools.

Security fatigue and the lack of cybersecurity education may be part of the reason Gen Z has the highest victimization rates, but as security professionals, we can create a more inclusive and accessible security culture.

How To Create an Inclusive Security Culture

While more needs to be done in schools, employers can also prepare and reinforce the importance of security to young professionals at work. It can’t be expected that everyone has security knowledge, especially those early in their careers. Given the increasing relentlessness and sophistication of cyber threats, it’s certainly important that Gen Z understand how to protect their data, but all generations could benefit from more astute guardianship of online information.

Enact inclusive measures

Keep security education simple. Eliminate jargon from annual modules and explain the value of security best practices. For instance, describe what multi-factor authentication (MFA) is and why it is important, rather than saying, “implement MFA on your devices.” Knowing the impact provides end-users with a more complete understanding and, perhaps, more motivation to use it.

Regular security education should also be available in different formats. Video, audio and written security content enable users to choose the method that best suits them. Adhering to accessibility standards from the U.S. Access Board ensures that all users have an equal opportunity to learn. Gen Z may be the most diverse generation yet, according to Pew, so it is essential that content is suitably tailored.

Educate employees on cybersecurity continuously. Send out a monthly newsletter with online safety tips and tricks. Encourage leaders to discuss security in team-wide or all-hands meetings, and create a space where employees can ask security questions without fear. In short, provide a wide and consistent variety of security training tools to help keep security on the top of everyone’s mind.

Use cutting-edge immersive experiences

Providing the most cutting-edge instruction will engage Gen Zers and provide them with meaningful security best practices for work and home. The threat landscape is more dangerous than it was when Gen Zers were coming of age. Current threats extend beyond traditional scams. They may be lurking in the unsecured WiFi available at a coffee shop. All the threat actor needs is someone desperate for free internet and tired of clicking checkboxes.

With that ever-changing threat landscape in mind, your organization’s security program needs the resilience to adapt. The IBM Security X-Force Cyber Range provides a variety of experiences to prepare organizations for a cyber incident. The team can also cater content to different audiences, such as the C-suite or the board of directors.

Gen Z may not be a part of those groups yet, but the X-Force Cyber Range offers a range of experiences for professionals at all levels. The X-Force Cyber Range team tailors immersive experiences to your organization’s industry and context to provide the most realistic scenario. For example, the Inside the Mind of a Hacker Seminar provides insight into the latest tactics and tools threat actors use. The seminar examines phishing scams, open-source intelligence and the latest hacker technology. The interactive session culminates in the teaching of best practices that can significantly increase cybersecurity both in the office and at home.

Education on how to implement security measures and how threat actors exploit vulnerabilities makes security more tangible. Real-life case studies add to this. The X-Force Cyber Range team pulls in relevant stories to demonstrate how real these threats are.

Next Steps for Gen Z

The key to engaging Gen Z in cybersecurity is to make it meaningful and top of mind. An inclusive security culture will create a more aware employee base and, in turn, lower your organization’s risk in the long run. Take small steps over time to implement these measures so teams aren’t overwhelmed. Be sure to survey employees on their thoughts and incorporate them into your security program. By listening to your employees and tailoring content, your security culture will grow stronger, and you will call Gen Z — and every generation — to action.
