Andrew Flynn
Regional Executive Editor for North Atlantic

Millennials and Gen Z less likely to observe cybersecurity protocols than their elders

Oct 18, 2022 | 4 mins
CSO and CISO, Security

According to an EY survey, younger US workers tend to ignore critical updates, be sloppy with passwords, and accept cookies despite understanding employer security practices.

Millennials and Gen Z employees in the US are much less likely to prioritize or adhere to cybersecurity protocols than their older Gen X and Baby Boomer counterparts, according to a recent survey by EY Consulting.

The survey suggests that despite understanding the need for security measures, younger, digitally native workers were significantly more likely to disregard mandatory IT updates for as long as possible (58% for Gen Z and 42% for millennials vs. 31% for Gen X and 15% for baby boomers). They were also more likely to use the same password for professional and personal accounts (30% for Gen Z and 31% for millennials vs. 22% for Gen X and 15% for baby boomers).

That was despite a finding that three-quarters (76%) of workers across generations consider themselves knowledgeable about cybersecurity.

Human risk data a “wake-up call” for employers

“This research should be a wake-up call for security leaders, CEOs, and boards, because the vast majority of cyber incidents trace back to a single individual,” Tapan Shah, EY Americas consulting cybersecurity leader, said in a press release. “There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages, and rewards everyone in the enterprise.”

Millennials are a demographic cohort born between the early 1980s and the mid-1990s to early 2000s, putting them somewhere around the early to mid-40s in age. Gen Z is generally considered to have been born between the mid-1990s and the early 2010s – placing them today somewhere between the early teen years and early 20s.

Shah believes it is precisely because they are accustomed to the process of cybersecurity and aware of the risks that the younger generations assume they don’t need to worry.

Millennials and Gen Z “desensitized” to cyber risk

“Millennials and especially Gen Z grew up as digital natives integrating technology into their daily lives and expect their employers to already have seamlessly integrated cybersecurity protections,” Shah tells CSO. “They also grew up where cyber breaches regularly occur. In a way, they are desensitized to the risks and despite the precautions they take, they believe cyber incidents are inevitable.”

The survey also found that the younger generations were more likely to accept web browser cookies on work-issued devices all the time or often (48% for Gen Z and 43% for millennials vs. 31% for Gen X and 18% for baby boomers).

Among other responses across all employee age groups:

  • 84% felt prepared to avoid cybersecurity mistakes at work.
  • Only 35% felt very prepared to avoid cybersecurity mistakes.
  • 50% were very confident about how to use strong passwords.
  • 43% were very confident about how to keep work devices up to date with cyber protection.
  • 41% were very confident about how to identify phishing attempts.
  • 38% were very confident about how to avoid ransomware.
  • 32% were very confident about how to encrypt their data.

Cybersecurity education is the solution

According to EY, the solution to improving cyber-safe practices is role- and risk-based education for employees. The survey found that respondents who received cybersecurity training relevant to their role in the past year were significantly more likely to implement cyber-safe practices at work than those who had received no education for more than a year.

“Companies are investing to embed cybersecurity in every business unit as they digitally transform, but software, controls, processes and protocols are only part of the equation for minimizing cyber risk,” Shah said. “Increasing enterprise-wide security also requires a holistic focus on the human, engaging every employee and embedding safety checks and protocols that make the risks tangible in their professional and personal lives.”

The survey, conducted between August 20 and August 29, 2022, for EY by a third party, sampled 1,000 full- and part-time US employees ages 18 and above whose job requires the use of a work-issued laptop or computer. The sample was balanced across age, gender, household income, race/ethnicity, and region. The margin of error is estimated to be +/- 3 percentage points.


Andrew Flynn manages the enterprise IT content at the Canada, Ireland, Netherlands/Benelux, and UK editions of CSO Online, Computerworld, InfoWorld, and Network World. Before joining Foundry, he worked at Business News Network, Financial Post, and the Canadian Press.
