22 October 2019
Growing up with technology doesn’t make you more cyber-secure, says NTT report
Younger workers more likely to pay a ransom demand to a hacker than over-30s. Under-30s also troubled by lack of the right security skills in their organization
London, UK - 22 October 2019 – In today’s multigenerational workforce, the over-30s are more likely to adopt cybersecurity good practice than their younger colleagues who have grown up with digital technology. This is according to a report on generational attitudes to cybersecurity from the Security division of NTT Ltd. a leading global technology services company.
NTT’s report identified good and bad practice for organizations researched as part of its Risk:Value 2019 report, scored across 17 key criteria. This revealed that under-30s score 2.3 in terms of cybersecurity best practice, compared to 2.9 for 30-45 year-olds and 3.0 for 46-60 year-olds.
The data suggests that a person born in the digital age wouldn’t necessarily follow cybersecurity best practice. In fact, employees who have spent longer in the workplace gaining knowledge and skills and acquired ‘digital DNA’ during that time, sometimes have an advantage over younger workers.
Under-30s, who are born into the digital age, on the other hand, are more laid back about cybersecurity responsibilities. They adopt different working practices and expect to be productive, flexible and agile at work using their own tools and devices. However, half of respondents think that responsibility for cybersecurity rests solely with the IT department. This is 6% higher than respondents in the older age categories.
Top generational differences in attitudes to cybersecurity:
- Under-30s are more likely to consider paying a ransom demand to a hacker (39%) than over-30s (30%). This may be due to an impatience to get systems back up and running, or a greater knowledge of bitcoin and other cryptocurrencies.
- Growing up in a technology skills crisis, 46% of under-30s are worried their company doesn’t have the right cybersecurity skills and resources in-house. This is 4% higher than for over-30s.
- The desire for flexibility and agility could be affecting attitudes to incident response. Under-30s estimate that a company could recover from a cybersecurity breach in just 62 days – six days less than the time estimated by older age groups (68 days).
- Younger workers are more accepting of personal devices at work and consider them less of a security risk (71%) than older workers (79%). However, they’re more concerned about the Internet of Things (IoT) as a potential risk (61% compared to 59%).
- 81% believe cybersecurity should be an item on the boardroom agenda, compared to 85% of over-30s.
Key regional differences
Under-30s in Brazil and France emerge as cybersecurity leaders in their countries; the result of the French government’s cybersecurity agency’s specific focus four years ago to raise awareness of cybersecurity issues among children and students. In Brazil, digital infrastructure was rolled out later than in North America, Europe and Asia Pacific, meaning that middle-aged employees have had less exposure to digital. In the Nordics, USA, Hong Kong and the UK – all digitally advanced countries – older employees have plenty of ‘digital DNA’, but these countries must ensure that under-30s continue to learn and embrace cybersecurity skills and behaviours.
Adam Joinson, Professor of Information Systems, University of Bath, an expert on the intersection between technology and behaviour, comments: “There is no ‘one size fits all’ approach to cybersecurity. The insights from the NTT study demonstrate that treating all employees as posing the same risk, or having the same skills, is problematic for organizations. We do need to be careful not to assume that the under-30s simply don’t care so much about cybersecurity. While this may be true in some cases, in others it is more likely that existing security policies and practices don’t meet their expectations about ‘stuff just working’.
“If we want to harness the fantastic creativity and energy of younger workers, we need to think about security as something that enables their work, not something that blocks them from achieving their tasks. This is likely to mean security practitioners having to fundamentally rethink the way security policies operate, and finding ways to improve the fit between security and the tasks employees are required to undertake as part of their core work.”
Matt Gyde, CEO, Security, NTT Ltd., adds: “NTT’s research has uncovered contrasting attitudes and behaviours on cybersecurity from different generations. It’s clear from the research that the workforce has a very different approach and attitude to cybersecurity, depending on age. Businesses must transform their approach to security if they are to engage all generations. Most important is ensuring that employees understand that security is everyone’s business, and isn’t simply a role for IT, as has been the case in the past. Different generations use technology in very different ways and business leaders need to recognise that strong cybersecurity practices for all generations within the business is an enabler and not a barrier. Security leaders should make themselves more approachable and talk the language of business, not IT. Education is also fundamental to change in cybersecurity behaviour, so make the learning process interesting and relevant to all generations in the workforce.”
Cybersecurity best practice in a multigenerational workforce:
- Security culture must include all generations and be supported by a diverse range of employee champions, which includes age.
- Build a panel of younger employees and listen to their views on cybersecurity.
- Younger employees can be at their best and most motivated in an agile, productive, flexible workplace environment, where they are most likely to buy into the desired culture and behaviours. Security should be designed to enable the business.
- Make cybersecurity everyone’s business. Security leaders should be approachable to employees, through one-to-one interaction and more formal company events.
- Where skills shortages are most acute, support learning programmes, mentoring and consider external support.
- Education is vital. Gamify security learning and make it fun for all.
More information is available at: https://hello.global.ntt/en-us/insights
Notes for Editors:
The NTT data cited in this report was collected through global research commissioned in 2019 involving 2,256 organizations in 17 sectors across 20 countries and conducted by Jigsaw Research. Respondents were senior decision-makers outside of the IT department, with 20% holding a C-level position. Overall results were published in the Risk:Value 2019 Report and related content. From the responses to the research, NTT identified good practice and bad practice in cybersecurity, with each business being accordingly given a score of between -41 and +27. The average organization scored +3. NTT then considered the score of the organization by age of respondent.
About Professor Adam Joinson
Professor Adam Joinson is Professor of Information Systems at the University of Bath. He has worked closely with a range of large organizations on security culture and behaviour, as well as contributing to guidance from CPNI, NCSC and ENISA. He is the University of Bath lead for a new Centre for Doctoral Training in cybersecurity (with the University of Bristol), and leads the ‘online behaviour’ strand in the Centre for Research and Evidence on Security Threats (www.crestresearch.ac.uk), the national hub for applying behavioural and social science to security. He has published over 100 articles, chapters and books on technology, behaviour, cybersecurity and privacy.
About Security and NTT Ltd.
Security is a division of NTT Ltd., a global technology services company bringing together the expertise of leaders in the field, including NTT Communications, Dimension Data, and NTT Security. The Security division helps clients create a digital business that is secure by design. With unsurpassed threat intelligence, we help you to predict, detect, and respond to cyberthreats, while supporting business innovation and managing risk. Security has 10 SOCs, seven R&D centers, over 2,000 security experts and handles hundreds of thousands of security incidents annually across six continents. Security ensures that resources are used effectively by delivering the right mix of Managed Security Services, Security Consulting Services and Security Technology.
NTT Ltd. partners with organizations around the world to shape and achieve outcomes through intelligent technology solutions. For us, intelligent means data driven, connected, digital, and secure. As a global ICT provider, we employ more than 40,000 people in a diverse and dynamic workplace, and deliver services in over 200 countries and regions. Together we enable the connected future. Visit us at our new website hello.global.ntt
Senior Vice President – Communications
M: +44 (0) 7769 960 966