OK, Boomers: In Spotting Cyber Threats, Gen Xers and Younger Do No Better Than Graybeards
Share with Your Network
“Let’s ask the young person.” You’ve heard it said in many meetings. You’ve maybe even said it yourself. For many, it’s easy to assume that when a question or idea is tech or social media related, younger generations will show us the way. However, recent data reveals when it comes to basic cybersecurity practices, the newest addition to the workforce may not be as savvy as we think.
A recent TalentLMS survey asked 1,200 employees about basic cybersecurity habits and awareness of best practices. Aside from simple cybersecurity hygiene, the survey tested respondents on how well they could pick out phishing attempts and other infiltration efforts.
The results were dismal.
With a passing grade of four out of seven questions, here’s a quick breakdown of the fail rates by age group:
Is anyone really security savvy? Not by a long shot.
This might make you feel like adding a point to the veteran’s scoreboard, but don’t strain something high-fiving your fellow graybeards just yet (also, you might want to stretch a bit first). This isn’t awesome news. In fact, it underlines the effectiveness of today’s sophisticated phishing efforts and the apparent holes in most cyber training. The bad guys are getting really good at being bad. So much so that Gen Z (now the youngest and most internet-dependent generation in the workforce) is actually more susceptible to being duped by threat actors than Boomers (sorry, that should’ve come with a warning).
But not by much. Fail rates were high across the board, leading many to reassess and revamp their approach to cybersecurity training. While it’s a necessary evil of most any workplace, cybersecurity training is often overlooked. Only 69% of respondents said they received some kind of cybersecurity training. While that might sound positive, in a world that operates almost exclusively online, that leaves significant room for improvement.
Other key findings from this survey reveal even more disheartening trends, which seem to just get progressively more surprising and worrisome as they go.
- The number of employees who stored passwords in plaintext surpassed the number who utilized much-preferred password managers
- A mere 17% of information services employees passed the quiz
- Out of the 69% who received training, 61% failed
(And lest you think this must have been a truly difficult survey, we invite you to take the quiz yourself.)
How to cope with poor cybersecurity hygiene
Now that we know the reality, we can make a game plan to account for less-than-stellar security awareness. Here are a few ways you can fortify your front line and your infrastructure to account for error-prone employees.
Make it fun—and frequent
With human error accounting for 95% of all breaches, you still need to implement cybersecurity training. Many companies have opted to inject elements of fun into their company-wide security program. Gamification, top performer recognition, discussions and debates, and hands-on live training sessions have increased engagement and understanding of safe security practices.
One common thread throughout companies looking to improve cybersecurity training is increased frequency. An annual training push is not going to increase your employee’s ability to spot cyber threats. Instead, up your official training sessions to once a month to keep the conversation alive and newly learned skills and knowledge fresh.
Keep it strict
Your goal is to reduce the opportunities for error. Leave no wiggle room when it comes to your company’s security policies and practices.
- Implement 2-factor authentication
- Require monthly password updates
- Employ strict permissions and data authorization
- Monitor employee activity
- Train on step-by-step protocol in the case of lost or stolen devices, data breaches, phishing attacks, etc.
And don’t be held back with concerns about employee reluctance. If employees are invited to participate in fun and engaging training efforts, they will be more likely to comply with heightened measures.
Establish a foundation of reducing risk
While your employees are working hard reducing risk on the front lines, your Security environment should bring up the rear. Workforce aside, your organization has thousands (possibly millions) of vulnerabilities, and without effective risk prioritization you’re likely missing potentially high-risk vulns. With CVSS-based prioritization approaches, the number of vulns deemed high or critical can be inflated, wasting your finite remediation resources and hurting your efforts to lower your risk profile.
Shifting to a proactive, data-driven risk prioritization strategy helps you target the biggest vulnerabilities that will lower the most risk. By isolating your organization’s riskiest vulnerabilities, you’re optimizing resources, keeping teams running efficiently, and making meaningful strides in risk reduction. And if your perimeter is leaky, a strong risk-based vulnerability management program will give attackers fewer targets to exploit.
Biggest takeaway: There’s room for improvement
No matter what your current security state looks like regarding employee security awareness or environmental fortitude, these latest TalentLMS findings emphasize how there’s plenty of room for improvement. And sobering survey results such as these can trigger the dramatic upgrades needed to make real foundational change.
Your action items: build out your employee cybersecurity training efforts and ensure your vulnerability management approach can account for inevitable human error.