But let’s not confuse “tech savvy” with “security savvy.” The fact is, all generations tend to get distracted and make mistakes. Without proper security awareness training, anyone could violate an office policy, fall for a scam, or reuse the same password across accounts.
The need for security awareness won’t go away when millennials dominate your investor base and office staff, but at the same time, there are differences in the way millennials approach technology and learning. Let’s go over a few key characteristics and how they may affect the security awareness training you provide your staff and clients.
According to a Gallup poll, “across every business type and industry . . . millennials are the generation that is most trusting of institutions to safeguard their personal data.” Because millennials grew up with computers, they tend to trust technology more than generations that didn’t have access to the Internet all their lives.
For security, this is a double-edged sword. It’s a plus that millennials trust technology; more trust means more use and experience. But it also means they’re more likely to let their guard down, leading to more security threats. Decisions that should require a level of consideration—like sharing files or downloading software—become second-nature to millennials, which isn’t ideal for the workplace. A study from First Data shows how this trust could spell bad news:
Though differences between the generations aren’t extreme, these stats show that baby boomers tend to be a bit more cautious than millennials when it comes to technology risks. So yes, we can call millennials more tech savvy, but more time spent on tech usually means more exposure to risk.
Speaking of trust, the First Data study finds that, “when it comes to social media security . . . 63 [percent] of baby boomers thought social media was vulnerable to cyberattacks, while only 45 [percent] of millennials agreed with that statement.” Millennials clearly place far more trust in social media than the generations before them do.
But it’s true; social media is open to unique cyber threats, such as:
Millennials grew up with social media, but do they have enough skepticism to exercise caution when checking posts and messages?
There is a silver lining. Social media offers a great opportunity to share tips and articles about security awareness and expand your reach to your target audience. Obviously, it isn’t the best platform to teach your staff about policy, but a simple gesture like sharing recent news of a major third-party breach or tips for holiday shopping can help get both clients and staff thinking about their security habits.
Gamification—turning lessons into games—is a relatively new concept that’s taking workplace education by storm. The idea is that the more training feels like a game, the more engaged your audience will be. This is even more relevant to millennials, a generation that grew up during the boom of home video game consoles.
If you search the Internet for security education products, you’ll find plenty built entirely on the gamification concept. If these are too much of a commitment (price- and effort-wise) for a small office, there are still ways to incorporate elements of games without going overboard.
Incentives and rewards. In 2017, we decided to reward those at the home office who hadn’t clicked on our phishing assessments all year. We hand-delivered bags of Commonwealth-branded fish candies to everyone who “won.” It’s harmless fun, but it’s an incentive, and it turns something dry (phishing training) into a competition.
In 2018, the number of winners for the year went up so much that only a handful of employees would miss out on candy. So, instead, we rewarded the entire company for reaching such a low click rate. We also post our phishing stats for everyone to see, so employees can understand how they compare and how their behaviors affect the rest of the Commonwealth community.
It can be that simple to make your training more competitive, rewarding, and game-like, whether it’s reinforcing your policies or teaching staff how to handle sensitive information. Ask yourself:
Security awareness is critical for all staff and clients—not just the older generations—and training that appeals to all audiences will prove much more effective than training that targets a single generation.
Given the pace at which new technology becomes available, there will always be security threats. Even if passwords and phishing are gone one day, there will always be the need for some level of security awareness; technology requires human interaction to make it work.
If people aren’t getting it, it could be that we aren’t thinking enough like them. It’s important to understand the differences between generations—and how you can tailor your security awareness training to make it work for everyone.
Are there other methods you use to train a multigenerational staff about security awareness and minimizing exposure to risk? What have you found works best? Share your thoughts below!