Millennials are commonly seen as tech savvy because they’re the first generation to grow up with computers. As children, they had their own AOL screennames; as preteens, they lived on Myspace; and as teenagers and young adults, they were early adopters of Facebook. These early-age technological experiences just weren’t possible for Gen Xers and baby boomers.
But let’s not confuse “tech savvy” with “security savvy.” The fact is all generations tend to get distracted and make mistakes. Without proper security awareness training, anyone could violate an office policy, fall for a scam, or reuse the same password across accounts.
The need for security awareness won’t go away when millennials dominate your investor base and office staff, but at the same time, there are differences in the way millennials approach technology and learning. Let’s go over a few key characteristics and how they may affect the security awareness training you provide your staff and clients.
In Technology We Trust
According to a Gallup poll, “across every business type and industry . . . millennials are the generation that is most trusting of institutions to safeguard their personal data.” Because millennials grew up with computers, they tend to trust technology more than generations that didn’t have access to the Internet all their lives.
For security, this is a double-edged sword. It’s a plus that millennials trust technology; more trust means more use and experience. But it also means they’re more likely to let their guard down, leading to more security threats. Decisions that should require a level of consideration—like sharing files or downloading software—become second nature to millennials, which isn’t ideal for the workplace. A study from First Data shows how this trust could spell bad news:
- A whopping 86 percent of baby boomers consult IT before downloading free applications or software to work computers, while only 75 percent of millennials do the same.
- While 34 percent of baby boomer employees are always conscious of the security threat their online actions might pose, only 21 percent of millennial employees maintain the same awareness.
- Nearly three-quarters of baby boomers avoid storing work-related data on personal electronics, whereas only 69 percent of millennials are equally careful.
Though differences between the generations aren’t extreme, these stats show that baby boomers tend to be a bit more cautious than millennials when it comes to technology risks. So yes, we can call millennials more tech savvy, but more time spent on tech usually means more exposure to risk.
Socializing or Cyber Threat?
Speaking of trust, the First Data study finds that, “when it comes to social media security . . . 63 [percent] of baby boomers thought social media was vulnerable to cyberattacks, while only 45 [percent] of millennials agreed with that statement.” Millennials clearly place far more trust in social media than the generations before them do.
But it’s true; social media is open to unique cyber threats, such as:
- More sophisticated phishing (attackers can “clone” profiles of people you know)
- Malicious shortened URLs (e.g., bit.ly, tinyurl)
- Illegitimate third-party apps with too many permissions
- Accidentally posting sensitive information
Millennials grew up with social media, but do they have enough skepticism to exercise caution when checking posts and messages?
There is a silver lining. Social media offers a great opportunity to share tips and articles about security awareness and expand your reach to your target audience. Obviously, it isn’t the best platform to teach your staff about policy, but a simple gesture like sharing recent news of a major third-party breach or tips for holiday shopping can help get both clients and staff thinking about their security habits.
All Work and No Play . . .
Gamification—turning lessons into games—is a relatively new concept that’s taking workplace education by storm. The idea is that the more training feels like a game, the more engaged your audience will be. This is even more relevant to millennials, a generation that grew up during the boom of home video game consoles.
If you search the Internet for security education products, you’ll find plenty built entirely on the gamification concept. If these are too much of a commitment (price- and effort-wise) for a small office, there are still ways to incorporate elements of games without going overboard.
Incentives and rewards. In 2017, we decided to reward those at the home office who hadn’t clicked on our phishing assessments all year. We hand-delivered bags of Commonwealth-branded fish candies to everyone who “won.” It’s harmless fun, but it’s an incentive, and it turns something dry (phishing training) into a competition.
In 2018, the number of winners for the year went up so much that only a handful of employees would miss out on candy. So, instead, we rewarded the entire company for reaching such a low click rate. We also post our phishing stats for everyone to see, so employees can understand how they compare and how their behaviors affect the rest of the Commonwealth community.
It can be that simple to make your training more competitive, rewarding, and game-like, whether it’s reinforcing your policies or teaching staff how to handle sensitive information. Ask yourself:
- How can I recognize my employees for good security behavior?
- Are there any interactive resources out there I could share with clients over social media? Two great examples are:
- What metrics can I share with staff to incentivize change?
Adapting to Your Audience
Security awareness is critical for all staff and clients—not just the older generations—and training that appeals to all audiences will prove much more effective than training that targets a single generation.
Given the pace at which new technology becomes available, there will always be security threats. Even if passwords and phishing are gone one day, there will always be the need for some level of security awareness; technology requires human interaction to make it work.
If people aren’t getting it, it could be that we aren’t thinking enough like them. It’s important to understand the differences between generations—and how you can tailor your security awareness training to make it work for everyone.
Are there other methods you use to train a multigenerational staff about security awareness and minimizing exposure to risk? What have you found works best? Share your thoughts below!