Younger employees in particular are often more careless when dealing with passwords or phishing links. A study reveals hidden dangers in corporate security.
In a recent study, Ivanti took a closer look at the risk exposure of companies worldwide - from risky employee behavior to inconsistencies in security culture. The study shows that standardized corporate security imposed from above tends to ignore specific risks. These risks are tied to demographics, gender and function in the company, among other things. A key finding of the study: One in three employees is of the opinion that their actions have no influence on company security. Younger employees in particular display a worrying lack of concern.
Password Hygiene & Malicious Links
Many companies assume that older workers are less tech-savvy and therefore more likely to engage in risky behavior. In reality, the opposite is true. Younger professionals (under 40) are significantly more likely to ignore basic cybersecurity guidelines than Generation X and older. This applies to password hygiene, dealing with phishing links, and sharing devices with family and friends:
- For example, 38 percent of those under 40 use the same passwords on multiple devices, compared with only 28 percent of the older workforce.
- A date of birth can be found in the passwords of 34 percent of younger employees, while this is significantly less common among the older generation (19%).
- One in three younger employees shares their digital work devices with friends or family members. Among the older workforce, this figure drops to just one in five.
- 13 percent of office workers under the age of 40 click on a phishing link when it is specifically pointed out to them. Among older employees, this figure is a good 8 percent.
Younger employees are less likely to report dangers
So stereotypes about age-related technical knowledge can mislead companies. And the problem is not just related to cyber hygiene. The study also shows that younger professionals are less willing to report hazards. Of workers under 40, 23 percent said they did not report the last phishing email they received. For comparison: among those over 40, only 12 percent had not made a report. The most common reason for the behavior: “I didn’t realize this was important.”
“The assumption that younger employees are more security-conscious and tech-savvy is outdated and even dangerous. Companies should test these assumptions by conducting internal research that assesses their own employees’ attitudes toward security risks and their role in addressing them,” said Daniel Spicer, Chief Security Officer at Ivanti.
Fear of the SecOps teams
To ensure the security of an organization, information about security incidents or breaches must be available in near real time. However, the study shows that certain segments of the workforce are reluctant to report hazards - a fact that must be taken into account when developing information and training programs:
- Seniority: The biggest variable in incident reporting is seniority. Seventy-two percent of executives surveyed said they had contacted a cybersecurity employee with a question or concern, compared to just 28 percent of office workers.
- Gender: Women are less likely to report incidents than men. 28 percent have contacted a cybersecurity employee with a question or concern, compared to 36 percent of men.
All employees are important to cybersecurity
There are also differences in cybersecurity training and attitudes across countries: 43 percent of respondents in France say their companies do not offer mandatory cybersecurity training. At just 22 percent, German companies are very well positioned in this regard.
“Employees don’t always understand that they are valuable members of the extended security team, even when companies try to train and educate them,” adds Daniel Spicer. “Security leaders must empower all employees to defend themselves against threat actors and proactively build an open and approachable security culture.”
Many companies take a top-down approach to training and company-wide security culture. However, the study shows that a cooperative and positive security culture is much more effective. Insufficiently trained employees and cyber laissez-faire weaken the security posture of the company as a whole. Companies must therefore design their technical stack in such a way that friction for the end user remains as low as possible.
About the Study
Ivanti surveyed over 6,500 executives, cybersecurity professionals and office workers in Q4 2022 - 650 of them from Germany. (Office workers ≤40 years: 3,609, office workers >40 years: 2,769)
About Ivanti
The strength of unified IT. Ivanti connects IT with security operations in the company in order to better control and secure the digital workplace. We identify IT assets on PCs, mobile devices, virtualized infrastructures or in the data center - regardless of whether they are hidden on-premise or in the cloud. Ivanti improves the provision of IT services and reduces risks in the company on the basis of specialist knowledge and automated processes. By using modern technologies in the warehouse and across the entire supply chain, Ivanti helps companies improve their ability to deliver - without changing the backend systems.