Survey uncovers growing generational
preparedness gap as Gen Z and Millennials continue to fall short of
enacting safe cyber practices
NEW YORK, May 6, 2024 /PRNewswire/ -- Widespread
concerns are growing among US employees about escalating
cybersecurity threats in the workplace, with 53% worried their
organization will be the target of a cyber attack and a third (34%)
worried that they may be the ones leaving their organization
vulnerable due to their actions, according to new data from Ernst
& Young LLP (EY US). Notably, fear of exposing their
organization to a cyber attack is particularly high among younger
generations, with Gen Z and Millennial employees less likely to
feel equipped to identify and respond to cyber threats compared to
their older colleagues.
The 2024 Human Risk in Cybersecurity Survey is a study of 1,000
employed Americans across public and private sectors that follows
the initial 2022 analysis by EY US and explores the current state
of cybersecurity and changes over time, revealing key insights for
business leaders on cybersecurity awareness and practices. This
year, EY US expanded the study to analyze employee perception of
the role of artificial intelligence (AI) in escalating threats,
finding 85% of workers believe AI has made cybersecurity attacks
more sophisticated, 78% are concerned about the use of AI in cyber
attacks and 39% of employees are not confident that they know how
to use AI responsibly.
"With new threats emerging on a near-constant basis fueled by
geopolitical tensions, shifting regulations and the rapid
integration of new technologies, including AI, the risk landscape
has become even more complicated," said Jim Guinn, II, EY Americas Cybersecurity Leader.
"Want to secure your organization today and in the future? Put
humans at the center of your cyber strategy and enlist your people
as protectors on the frontlines, arming them with knowledge,
training and a dose of healthy skepticism about all digital
interactions."
Closing the Gen Z cybersecurity preparedness gap
Similar to the 2022 findings, the latest EY US cybersecurity
study highlights a persistent gap in preparedness across
generations, with younger workers continuing to fall short of
exercising safe cybersecurity practices more so than older
generations.
In fact, Gen Z is losing confidence in their ability to
recognize phishing attempts — one of the most common and successful
tactics of social engineering attacks — and is most likely to admit
to opening a suspicious link. And now, with the power of
AI-generated phishing emails, spotting malicious links and content
is getting even harder. Although they are a digital-first
generation, only 31% of Gen Z feel very confident identifying
phishing attempts, marking an alarming nine percentage point drop
from 40% in 2022, and 72% said they have opened an unfamiliar link
that seemed suspicious at work, far higher than Millennials (51%),
Gen X (36%) and Baby Boomers (26%).
Nearly two-in-three Gen Z and Millennial workers are
particularly fearful about repercussions surrounding cybersecurity,
including 64% of Gen Z and 58% of Millennials who fear they would
lose their job if they ever left their organization vulnerable to
an attack. Younger generations are also more likely to not fully
understand their organization's process for reporting suspected
cyber attacks, even though their organization has a process in
place (39% Gen Z and 29% Millennials vs. 19% Gen X and 15% Baby
Boomers).
However, it's not all doom and gloom. Despite concerns around
their abilities to prevent an attack, EY research indicates that
Gen Z workers increasingly consider themselves knowledgeable about
cybersecurity (86% vs. 75% in 2022), pointing to opportunities to
better equip younger workers to turn this knowledge into confidence
by investing in upskilling and training that caters to their unique
experience as true digital natives.
Cultivating a culture of cyber confidence
The rapidly evolving nature of AI has made it essential for
organizations to adapt training protocols regularly and remain
committed to providing frequent, up-to-date training that addresses
the latest AI-driven threats and cybercrime trends. A vast majority
of employees (91%) say organizations should regularly update their
training to keep pace with AI, especially as AI's role evolves in
cyber threats; but only 62% say their employer has made educating
employees about responsible AI usage a priority.
"Cybersecurity training and attention from leaders across the
C-suite contributes to the development of a strong security posture
within an organization," said Dan
Mellen, EY Americas Consulting Cybersecurity Chief
Technology Officer. "When security practices are ingrained in the
company culture, employees are more likely to prioritize security
in their day-to-day activities and proactively report potential
security incidents."
The EY Cybersecurity team advises C-suite and senior business
leaders to incorporate the following leading practices in their
cyber agenda to cultivate a strong and confident security culture
within their organization:
- Build robust training exercises that are reinforced
year-round. EY US research finds employees who are "rusty" on
cybersecurity training are most fearful of using technology at
work. Conversely, 94% of employees who received training within the
past year say cybersecurity is a priority to them.
- Drive employee engagement with gamification.
Leaderboards and multiplayer features in gamified training programs
encourage healthy competition among employees, driving them to
perform better. Gamification is particularly effective for
anti-social engineering campaigns if it addresses the natural human
curiosity that often leaves employees vulnerable.
- Partner, don't police. Organizations testing their
employees to see if they handle cybersecurity threats appropriately
can inadvertently turn cyber training into a "gotcha" moment.
Position cybersecurity protocols as working in partnership
with their employees, not as police, by embracing a "see something,
say something" policy instead. Make the process for reporting
potential attacks and vulnerabilities simple enough that workers
across all generations can seamlessly integrate it into their
day-to-day lives.
- Incorporate hands-on AI training protocols. Including
protocols that incorporate hands-on training for the use of AI in
the workplace offers employees exposure to fundamental capabilities
and risks. Having firsthand experience using new technologies like
generative AI unlocks a new level of understanding and drives
defensive thinking.
- Lead by example with responsible AI. Thirty-nine percent
of employees are not confident that they know how to use AI
responsibly, according to EY US research. As stewards of their
organization, C-suite and senior leaders must embrace transparency
surrounding how AI is developed and deployed enterprise-wide and
demonstrate responsible AI practices themselves to mitigate
risks.
Methodology
EY US commissioned a third party to conduct the 2024 Human Risk
in Cybersecurity Survey. The online survey was conducted among n=1,000 full-time
and part-time US employees ages 18+ whose current job requires the
use of a work-issued laptop/computer (i.e., a tech-enabled
professional). The sample was balanced across age, gender,
household income, race and ethnicity, and region. The survey was
fielded between March 7–15, 2024. The margin of error (MOE) for the
total sample is +/- 3 percentage points.
About EY
EY exists to build a better working world, helping create
long-term value for clients, people and society and build trust in
the capital markets.
Enabled by data and technology, diverse EY teams in over 150
countries provide trust through assurance and help clients grow,
transform and operate.
Working across assurance, consulting, law, strategy, tax and
transactions, EY teams ask better questions to find new answers for
the complex issues facing our world today.
EY refers to the global organization, and may refer to one or
more, of the member firms of Ernst & Young Global Limited, each
of which is a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee, does not provide
services to clients. Information about how EY collects and uses
personal data and a description of the rights individuals have
under data protection legislation are available via ey.com/privacy.
EY member firms do not practice law where prohibited by local laws.
For more information about our organization, please visit
ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst
& Young Global Limited operating in the US.
SOURCE EY