Millennials are casual about cybersecurity finds NTT study

Mumbai, October 27 2019: The over-30s are more likely to adopt cybersecurity good practice than their younger colleagues who have grown up with digital technology, finds a study by the Security division of  global technology services company NTT Ltd.
The report  focuses on generational attitudes to cybersecurity and identifies good and bad practice for organizations researched as part of its Risk:Value 2019 report, scored across 17 key criteria. This revealed that under-30s score 2.3 in terms of cybersecurity best practice, compared to 2.9 for 30-45-year-olds and 3.0 for 46-60-year-olds.
The data suggests that a person born in the digital age wouldn’t necessarily follow cybersecurity best practice. In fact, employees who have spent longer in the workplace gaining knowledge and skills and acquired ‘digital DNA’ during that time, sometimes have an advantage over younger workers.
Under-30s, who are born into the digital age, on the other hand, are more laid back about cybersecurity responsibilities. They adopt different working practices and expect to be productive, flexible and agile at work using their own tools and devices. However, half of respondents think that responsibility for cybersecurity rests solely with the IT department. This is 6% higher than respondents in the older age categories.
Top generational differences in attitudes to cybersecurity:

  • Under-30s are more likely to consider paying a ransom demand to a hacker (39%) than over-30s (30%). This may be due to an impatience to get systems back up and running, or a greater knowledge of bitcoin and other cryptocurrencies.
  • Growing up in a technology skills crisis, 46% of under-30s are worried their company doesn’t have the right cybersecurity skills and resources in-house. This is 4% higher than for over-30s.
  • The desire for flexibility and agility could be affecting attitudes to incident response. Under-30s estimate that a company could recover from a cybersecurity breach in just 62 days – six days less than the time estimated by older age groups (68 days).
  • Younger workers are more accepting of personal devices at work and consider them less of a security risk (71%) than older workers (79%). However, they’re more concerned about the Internet of Things (IoT) as a potential risk (61% compared to 59%).
  • 81% believe cybersecurity should be an item on the boardroom agenda, compared to 85% of over-30s.

Key regional differences
Under-30s in Brazil and France emerge as cybersecurity leaders in their countries; the result of the French government’s cybersecurity agency’s specific focus four years ago to raise awareness of cybersecurity issues among children and students. In Brazil, digital infrastructure was rolled out later than in North America, Europe and Asia Pacific, meaning that middle-aged employees have had less exposure to digital. In the Nordics, USA, Hong Kong and the UK – all digitally advanced countries – older employees have plenty of ‘digital DNA’, but these countries must ensure that under-30s continue to learn and embrace cybersecurity skills and behaviours.
Link to the report: Cybersecurity and the next generation
India specific insights
For each organization in the research for the last two years, NTT analysed the responses for good and bad practice in cybersecurity. The results show a worrying lack of progress: in 2019 as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. Thirty-two percent of businesses score less than zero: that is, they are exhibiting more bad practice than good practice. Businesses in India, a new country to the research, are now the best performing in the world for cybersecurity, ahead of the USA and the UK.

  • According to NTT’s report, both 94% of respondents over-30s and 89% of under- 30s believe that preventing a security attack should be a regular boardroom agenda. (please note these are C level executives/ key decision makers)
  • However, despite a high percentage of people believing that cybersecurity needs more boardroom attention, around 57% of under 30  and 55% of over-30s believe that they are ill-prepared to face a security attack due to lack of resources and skilled professionals compared to rest of the respondents from other countries. This shows a clear gap in cybersecurity awareness and cybersecurity preparedness.
  • The survey was conducted across 20 countries and 17 sectors and interestingly -  Indian respondents including over 30 and under 30 rank high in believing to pay ransom to hackers than invest in security because its cost effective. An insight that reflects how the industry is yet to grasp the intrinsic value of robust cybersecurity postures and its long-term benefits.
  • Respondents under 30s also perceive Internet of Things (IoT) to be a potential security threat to an organisation at 84% compared to 69% of over 30s – a interesting observation given the younger workers have been born in the digital age and have grown using different digital tools.