The survey revealed that Gen Z and Millennials continue to lack the ability to implement secure cyber practices, widening the generational readiness gap.
New data from Ernst & Young shows widespread concern among U.S. employees about growing cybersecurity threats in the workplace, with 53% worried their organization will be targeted in a cyberattack and a third (34%) worried their own actions will make their organization vulnerable.
Notably, fears of organizations being exposed to cyberattacks are particularly high among younger generations, with Gen Z and millennial employees less likely to feel prepared to identify and respond to cyberthreats compared to their older colleagues. The 2024 Cybersecurity People Risk Study follows EY US’s first analysis in 2022 of 1,000 employed Americans in the public and private sectors, exploring the current state of cybersecurity and how it has changed over time, revealing key insights for business leaders about cybersecurity perceptions and practices. This year, EY US expanded its survey to analyze employee perceptions of the role of AI in growing threats, finding that 85% of workers believe AI has made cybersecurity attacks more sophisticated, 78% are concerned about the use of AI in cyberattacks, and 39% of employees are not confident they know how to use AI responsibly.
“The risk landscape is becoming more complex with new threats emerging almost constantly, driven by geopolitical tensions, regulatory changes and the rapid integration of new technologies, including AI,” said Jim Ginn, Cybersecurity Leader, EY Americas. “Want to protect your organization now and into the future? Put people at the center of your cyber strategy and employ your employees as frontline defenders, equipping them with the knowledge, training and healthy skepticism of every digital interaction.”
Closing the Gen Z Cybersecurity Gap
Similar to the 2022 findings, EY’s latest U.S. cybersecurity survey highlights that gaps in generational readiness remain, with younger workers remaining less adept at implementing secure cybersecurity practices than older generations.
In fact, Gen Z is less confident in their ability to spot phishing attacks – one of the most common and effective tactics in social engineering attacks – and are the most likely to admit to opening suspicious links. And now, the power of AI-generated phishing emails is making malicious links and content even harder to spot.
Despite being a digital-first generation, only 31% of Gen Z feel very confident in identifying phishing scams, a staggering nine percentage points drop from 40% in 2022. Additionally, 72% say they have opened an unfamiliar link at work that seemed suspicious, far more than Millennials (51%), Gen X (36%) and Baby Boomers (26%).
Nearly two in three Gen Z and Millennial workers are particularly anxious about the implications surrounding cybersecurity, with 64% of Gen Z and 58% of Millennials fearing they will lose their jobs if they leave their organization vulnerable to attack. Younger generations are also more likely to not fully understand their organization’s process for reporting a suspected cyberattack, despite the organization having a process in place (39% of Gen Z and 29% of Millennials vs. 19% of Gen X and 15% of Baby Boomers).
But it’s not all doom and gloom: EY research shows that Gen Z workers are increasingly likely to consider themselves knowledgeable about cybersecurity (86% vs. 75% in 2022), despite concerns about their ability to prevent attacks. This suggests that there is a better opportunity for younger workers to turn this knowledge into confidence by investing in upskilling and training that caters to their unique experiences as true digital natives.
Cultivating a culture of cyber trust
Because AI is rapidly evolving, it is essential that organizations regularly adapt their training protocols and continue to provide frequent, up-to-date training that addresses the latest AI threats and cybercrime trends. The majority of employees (91%) say their organization needs to regularly update their training to keep up with AI, especially as its role in cyberthreats evolves. Yet, only 62% say their employer has made it a priority to educate employees on responsible AI use.
“Cybersecurity training and attention from senior executives contribute to building a strong security posture within an organization,” says Dan Mellen, cybersecurity chief technology officer at EY Americas Consulting. “When security practices are ingrained in a company’s culture, employees are more likely to prioritize security in their daily work and proactively report potential security incidents.”
To foster a strong and confident security culture within their organisations, the EY cybersecurity team advises C-level and senior business leaders to incorporate the following key practices into their cyber agenda:
- Build strong training exercises that will grow throughout the year. According to the EY US survey, employees who are “unfamiliar” with cybersecurity training are the most anxious about using technology in the workplace. Conversely, 94% of employees who received training within the past year said cybersecurity is a priority for them.
- Increase employee engagement with gamification. Leaderboards and multiplayer features in gamified training programs encourage healthy competition among employees, encouraging them to perform better. Gamification is particularly effective against anti-social engineering campaigns when it plays into the natural human curiosity that often makes employees vulnerable.
- Partner, don’t crack down. Organizations that test employees to see if they’re handling cybersecurity threats appropriately can unintentionally turn cyber training into an “I’m done” moment. Instead, adopt an “if you see something, say something” policy and position cybersecurity protocols as working in collaboration with employees, not as a police force. Make the process of reporting potential attacks or vulnerabilities simple enough that employees of all generations can seamlessly integrate it into their daily lives.
- Incorporate practical AI training protocols. Embedding protocols that incorporate hands-on training on the use of AI in the workplace exposes employees to basic capabilities and risks. Direct use of new technologies such as generative AI brings new levels of understanding and fosters defensive thinking.
- Lead by example with responsible AI: According to an EY US survey, 39% of employees are not confident in their knowledge of how to use AI responsibly. As stewards of organizations, C-suite and senior executives need to ensure transparency into how AI is developed and deployed across the enterprise and implement responsible AI practices themselves to mitigate risks.
Click below to share this article