Hook Younger Users With Cybersecurity Education Designed for Them


Though Baby Boomers have garnered a reputation for being less digitally savvy than those from later generations, recent research suggests that younger does not necessarily translate to being better at cybersecurity.

Millennial and Gen Z internet users more frequently engage in poor cybersecurity practices and risky behavior — such as password reuse, not enabling multifactor authentication, and not securing their payment information — making them vulnerable to cyberattacks. It's not that younger internet users haven't been taught online safety, but rather that the training didn't stick. Organizations must tailor their cybersecurity education programs to fit audiences across demographics, run training sessions more frequently, and promote awareness throughout the year to ensure these security messages aren't being forgotten or ignored.

According to a Yubico and OnePoll survey of 2,000 U.S. and U.K. consumers released in October, one in five Baby Boomers reuse their passwords, but nearly half (47%) of millennials said they reuse their passwords. The survey also found less than a fifth (19%) of boomers save their credit card information within their online accounts, a lower proportion than the 37% of millennials who do so. Nearly half (47%) of boomers said they don't use multi-factor authentication, don't know what it is or aren't sure if they have it turned on, and 52% of millennials said the same, OnePoll found.

Younger users’ failure to create different passwords across their digital accounts creates an opening for malware to infect their devices to steal their personal information, infect their devices with ransomware or cause other disruptions, says Andrew Newman, founder and CTO at ReasonLabs. Password reuse also enables cybercriminals to break into systems via credential stuffing, he says. Cybercriminals are also increasingly using phishing kits adept at tricking victims into handing over tokens used with multifactor authentication and other credentials.

Time to Customize Security Education

Another October survey of more than 6,000 people in the U.S., the U.K., Canada, Germany, France and New Zealand by the National Cybersecurity Alliance found that half of millennials and 56% of Gen Z respondents have access to cybersecurity training. By contrast, only 20% of the Silent Generation and 15% of Baby Boomers have access to cybersecurity training. However, less than half of Gen Z (43%) and 36% of millennials said they had been victims of cybercrimes.

If millennial and Gen Z internet users are more likely to get cybersecurity awareness training than older users and yet are still vulnerable to cyberattacks, what will it take to urge younger users to take cybersecurity precautions? One answer to that question may be tailoring cybersecurity education programs specifically for younger audiences, says Lisa Plaggemier, executive director at the National Cybersecurity Alliance.

Cybersecurity training programs typically involve instilling fear, usually with a picture of a hacker in a hoodie and cautionary tales of cyberattacks. That approach may not resonate with users, but in many cases, the organization does not have the option to craft alternative captivating content, Plaggemier says. This is where the organization has to cast a wider net looking for different types of training materials or be creative in developing content itself.

One such alternative is the National Cybersecurity Alliance's video series aimed at younger viewers titled “Kubikle,” a workplace comedy featuring cybercriminals of various nationalities who work to defraud victims. Plaggemier says the goal of the series is to capture younger people’s attention by pushing the envelope.

Beyond creating comedic content, Plaggemier encourages companies to train new hires during their onboarding, continue that training for at least ten minutes on a quarterly basis and add additional training for employees in more at-risk departments. In many cases, security awareness training is a passive exercise, as it involves watching multiple videos and answering questions. Making these exercises dynamic would help with engagement and retention of the information.

“It's important to take advantage of that sort of open mind that you have when people are new and starting at an organization. They're kind of drinking from a firehose, learning everything new about the organization,” Plaggemier says. “I know a lot of individuals who run training awareness programs who use live [tools] like a Zoom or even in-person session with all new hires just to drive home how important, what a priority it is for the organization.”

Reach Out to Users Directly

Echoing Plaggemier’s sentiment, Jason Nurse, associate professor and senior lecturer in cybersecurity at the University of Kent, says companies typically approach cybersecurity training as yet another compliance task to complete. Another way to get the cybersecurity training to stick is to send employees phishing emails to see how they react, or to alert employees before they share sensitive information via an insecure channel, Nurse says.

“Imagine if someone didn't click a phishing email or someone reported a phishing email. Well, why not ping that person afterwards to say, ‘Hey, really good job reporting that phishing email. I see you didn't click on this phishing email. Really good job,’” Nurse says. “And this is positive reinforcement, and this is sort of going back to what it was mentioning initially in terms of health psychology.”

Rather than using a one-size-fits-all strategy, tailor your training to suit viewers across generations. For younger viewers, a TikTok-length video on cybersecurity awareness, or perhaps a nudge on the internal communications platform Slack, might help them change their behavior, Nurse says.

It’s also critical to narrow down your cybersecurity training so as to not overwhelm workers, Plaggemier says. During Cybersecurity Awareness Month in October, the NCA promoted several critical cybersecurity best practices: spotting and reporting phishing; creating unique and complex passwords; using a password manager; updating your technology for security vulnerabilities, including computers and routers; and adopting multifactor authentication, she says, adding that adopting those behaviors could significantly cut into cybercrime.

“I think that's really important, that kind of consistency in the industry, that when we're talking to the public, we're always reiterating the same thing until we get to the point where they've done it because we all have to hear things a million times before we do anything about them,” Plaggemier says.
