Why cybersecurity training is not enough to mitigate human risk factors

Gen Z and millennials are less serious about cybersecurity on work-issued devices than personal, according to new EY Consulting survey.

In brief

• 83% of US employees understand their employer’s cybersecurity protocols, but Gen Z and millennial workers are least likely to prioritize or adhere to them.
• Roughly half of Gen Z and one-third of millennial employees admit to taking cybersecurity protection on personal devices more seriously than on work devices.
• Gen Z and millennials are significantly more likely to use the same password for professional and personal accounts and to disregard mandatory IT updates.

Cybersecurity risks are on the rise as remote and hybrid working environments create an expanded attack surface for hackers and more state-backed actors. EY’s 2022 EY Human Risk in Cybersecurity Survey finds that human risk in particular is growing as younger digital natives, who spent most of their lives embracing technology, enter the workforce.

The 2022 EY Human Risk in Cybersecurity Survey asked 1,000 employed Americans about their cybersecurity awareness and practices. Three-quarters (76%) of workers across generations consider themselves knowledgeable about cybersecurity, but younger generations, who grew up online and have lived with cyber risks the majority of their lives, are significantly more likely to take cyber risks, including:

• Disregarding mandatory IT updates for as long as possible (58% for Gen Z and 42% for millennials vs. 31% for Gen X and 15% for baby boomers)
• Using the same password for a professional account and personal account (30% for Gen Z and 31% for millennials vs. 22% for Gen X and 15% for baby boomers)
• Accepting web browser cookies on their work-issued devices all the time or often (48% for Gen Z and 43% for millennials vs. 31% for Gen X and 18% for baby boomers)

Human risk must be at the top of the security agenda

Most of the employee respondents (84%) feel prepared to avoid cybersecurity mistakes at work, but only one-third (35%) feel very prepared. In fact, half or fewer of the employees say they are very confident about how to follow specific cybersecurity practices at work, such as using strong passwords at work (50%), keeping their work devices up to date with cyber protection (43%), identifying phishing attempts (41%), avoiding ransomware (38%) and encrypting their data (32%).

“This research should be a wake-up call for security leaders, CEOs and boards because the vast majority of cyber incidents trace back to a single individual,” said Tapan Shah, EY Americas Cybersecurity Leader. “There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages and rewards everyone in the enterprise.”

Understanding employees’ workflows, identifying the moments of highest human risk, and then creating interruption points or behavior prompts focusing on an individual’s actions to follow the proper procedure can best minimize risk.

Prioritize cybersecurity education v. training

The 2022 EY Human Risk in Cybersecurity Survey found that role- and risk-based education can help improve cyber-safe practices. Respondents who received role-relevant cybersecurity training in the past year were significantly more likely to implement cyber-safe practices at work – including using strong passwords, keeping cyber protection software current on devices, identifying phishing attempts, avoiding ransomware and encrypting data – than employees who had not had any education for more than a year.

“Companies are investing to embed cybersecurity in every business unit as they digitally transform, but software, controls, processes and protocols are only part of the equation for minimizing cyber risk,” Shah said. “Increasing enterprise-wide security also requires a holistic focus on the human, engaging every employee and embedding safety checks and protocols that make the risks tangible in their professional and personal lives.”

If employees suspect a cybersecurity breach (i.e., a phishing attempt, compromised passwords, etc.), the majority said their next step would be to contact their company’s IT department (81%) or their immediate supervisor (79%), which are typical company protocols. But one in six (16%)  would try to handle the situation themselves, which represents millions of workers in the U.S. A positive, human-centric security culture rewards cyber-safe practices – even when mistakes are made – to uses them as teaching moments.

To find more research on Gen Z, read the Gen Z study.

2022 EY Human Risk in Cybersecurity Survey methodology

EY US Consulting commissioned a third-party vendor to conduct the inaugural 2022 EY Human Risk in Cybersecurity Survey. The sample of 1,000 full- and part-time US employees ages 18+ whose current job requires the use of a work-issued laptop/computer (i.e., a tech-enabled professional) a majority of the time was completed between August 20 and August 29, 2022. The sample was balanced across age, gender, household income, race/ethnicity and region, and the margin of error (MOE) for the total sample is +/- 3 percentage points.