Hook Younger Users With Cybersecurity Education Designed for Them

Even though baby boomers have garnered a reputation for being less digitally savvy than those from later generations, recent research suggests that younger does not necessarily translate to being better at cybersecurity.

Millennial and Gen Z Internet users more frequently engage in poor cybersecurity practices and risky behavior — such as reusing passwords, not enabling multifactor authentication, and not securing their payments information — making them vulnerable to cyberattacks. It's not that younger Internet users haven't been taught online safety, but rather that the training didn't stick. Organizations must tailor their cybersecurity education programs to fit audiences across demographics, run training sessions more frequently, and promote awareness throughout the year to ensure security messages aren't being forgotten or ignored.

According to a Yubico and OnePoll survey of 2,000 U.S. and U.K. consumers released in October, one in five boomers reuse their passwords, but nearly half (47%) of millennials said they do so. The survey also found less than one-fifth (19%) of baby boomers save their credit card information within their online accounts, which is less than the 37% of millennials who do the same. Nearly half (47%) of boomers also said they don't use multifactor authentication (MFA), don't know what it is, or aren't sure if they have it turned on, while 52% of millennials said the same, OnePoll found.

Younger users' failure to create different passwords across their digital accounts creates an opening for malware to infect their devices to steal their personal information, infect their devices with ransomware, or cause other disruptions, says Andrew Newman, founder and CTO of ReasonLabs. Password reuse also enables cybercriminals to break into systems via credential stuffing, he says. In addition, cybercriminals are increasingly using phishing kits adept at tricking victims into handing over tokens used with MFA and other credentials.

Time to Customize Security Education

Another October survey of more than 6,000 people in the US, the UK, Canada, Germany, France, and New Zealand, conducted by the National Cybersecurity Alliance (NCA), found that half of millennials and 56% of Gen Z respondents have access to cybersecurity training. In contrast, only 20% of the Silent Generation and 15% of baby boomers have access to cybersecurity training. However, less than half of Gen Z (43%) and 36% of millennials said they had been victims of cybercrimes.

If millennial and Gen Z Internet users are more likely to get cybersecurity awareness training than older users and yet are still vulnerable to cyberattacks, what will it take to urge younger users to take cybersecurity precautions? One answer may be by tailoring cybersecurity education programs specifically for younger audiences, says Lisa Plaggemier, executive director at the NCA.

Cybersecurity training programs typically involve instilling fear, usually with a picture of a hacker in a hoodie and cautionary tales of cyberattacks. That approach may not resonate with users, but in many cases the organization does not have the option to craft alternative captivating content, Plaggemier says. This is where the organization has to cast a wider net looking for different types of training materials or be creative about developing content themselves.

One alternative is the National Cybersecurity Alliance's video series aimed at younger viewers. "Kubikle" is a workplace comedy featuring cybercriminals of various nationalities who work to defraud victims. The goal of the series is to capture younger people’s attention by pushing the envelope, Plaggemier says.

Beyond creating comedic content, Plaggemier encourages companies to train new hires during their onboarding, continue that training for at least 10 minutes on a quarterly basis, and add additional training for employees in more at-risk departments. In many cases, security awareness training is a passive exercise, involving watching multiple videos and answering questions. Making these exercises dynamic would help with engagement and retention of the information.

"It's important to take advantage of that sort of open mind that you have when people are new and starting at an organization. They're kind of drinking from a firehose, learning everything new about the organization," Plaggemier says. "I know a lot of individuals who run training awareness programs who use live [tools], like a Zoom, or even in-person sessions with all new hires just to drive home how important, what a priority it is, for the organization."

Reach Out to Users Directly

Echoing Plaggemier’s sentiment, Jason Nurse, associate professor and senior lecturer in cybersecurity at the University of Kent, says companies typically approach cybersecurity training as yet another compliance task to complete. Another way to get the cybersecurity training to stick is to send phishing emails to see how employees react or to alert employees before they share sensitive information via an insecure channel, Nurse says.

"Imagine if someone didn't click a phishing email or someone reported a phishing email. Well, why not ping that person afterward to say, 'Hey, really good job reporting that phishing email. I see you didn't click on this phishing email. Really good job,'" Nurse says. "And this is positive reinforcement, sort of going back ... in terms of health psychology.”

Rather than using a one-size-fits-all strategy, tailor your training to suit viewers across generations. For younger viewers, a TikTok-length video on cybersecurity awareness might help them change their behavior or perhaps nudge them on the intra-communications platform Slack, Nurse suggests.

It’s also critical to narrow down your cybersecurity training so as to not overwhelm workers, Plaggemier says. During Cybersecurity Awareness Month in October, the NCA promoted several critical cybersecurity best practices: spotting and reporting phishing; creating unique and complex passwords; using a password manager; updating your technology for security vulnerabilities, including computers and routers; and adopting MFA, she says. Adopting those behaviors could significantly cut into cybercrime, she adds

"I think that's really important, that kind of consistency in the industry, that when we're talking to the public, we're always reiterating the same thing until we get to the point where they've done it because we all have to hear things a million times before we do anything about them," Plaggemier says.