Millennials, Gen Z actually suck at workplace security

It’s just as you suspected: your Gen Z and millennial coworkers just aren’t taking cybersecurity at work seriously enough. 

Professional services firm EY made that determination after speaking to 1,000 US workers whose current job requires the use of a work-issued laptop/computer a majority of the time. While 83 percent of respondents said they understood their employer’s security protocols, the data points to a disconnect between understanding and implementation.

According to EY’s findings, 58 percent of Gen Z and 42 percent of millennial respondents said they disregard mandatory IT updates for as long as possible, something only 15 percent of boomers and 31 percent of Gen X admitted to. 

Roughly one-third of Gen Z and millennials said they reuse passwords between personal and business accounts, something that less than a quarter of older respondents cop to, while nearly half of Gen Z and millennials were “likely to accept web browser cookies on their work-issued devices all the time or often,” which 31 percent of Gen X and 18 percent of baby boomer respondents also do.

“There is an immediate need for organizations to restructure their security strategy with human behavior at the core,” said EY America’s Consulting Cybersecurity Leader Tapan Shah.

The behavior Shah and EY are urging companies to break in their younger employees is an apparent apathy toward technology that would make a Gen Xer proud, with much of that attitude stemming from overfamiliarity with tech.

EY did not define ranges for the four generations included in the report.

Not the first inter-generational blame rodeo

One doesn’t need to look far to find additional evidence that Gen Z and millennials are damaging organizational cybersecurity postures – studies and stories to that effect abound online. 

Tech services company NTT released a report in 2019 that similarly found that younger workers, classified as those under 30, were “laid back about cybersecurity responsibilities.” NTT concluded that age and familiarity with the digital world were less likely than knowledge and skills acquired at work to improve security behaviors.

But let’s be frank. The fact that a third of Gen X and around a sixth of baby boomers disregard updates, use work passwords for personal accounts, and accept web cookies equates to millions of workers with poor security practices. Businesses need to consider everyone a potential weak link. 

“Increasing enterprise-wide security … requires a holistic focus on the human,” Shah said. He added that companies have to focus on engaging every employee by embedding safety checks and protocols into workflows “that make the risks tangible in their professional and personal lives.”

Improve your posture today

The report’s timing couldn’t be better for organizations looking for a cue to overhaul their cybersecurity culture: 2021 was the worst year for cybercrime on record, the FBI said in a report earlier this year, and things aren’t looking quieter in 2022.

Per the FBI’s Internet Crime Complaint Center, businesses lost some $7 billion to cybercrime in 2021, with confidence tricks like phishing, tech support scams, business email compromise, and ransomware all cited as causes of the staggering losses.

Turning back to EY’s report, there’s an immediate link visible between it and the FBI’s statistics: only 41 percent of EY’s respondents said they were confident they could identify a phishing attempt, and only 38 percent were confident they could avoid ransomware.

While companies pour money into technical solutions, said Shah, “software, controls, processes and protocols are only part of the equation for minimizing cyber risk.” ®