Gen Z – A New Threat to Information Security?

Every 15-25 years a new ‘generation’ enters the workplace, each with different social values, characteristics and personality types. Each generation has well-documented impacts on society, culture, business and on the wider world. With privacy, information and cybersecurity playing a crucial role in society now, should security professionals care about new generational demographics’ impact on business? Do organisations do enough to effectively manage these different generations when it comes to information security?

Banding individuals into ‘generations’ helps society categorise people born and raised around the same time. There are caveats though – generation categorisation isn’t an exact science; it’s not a box-ticking exercise where every single person in an age group or demographic perfectly slots into a group, but the laws of averages mean that there are high-level similarities between individuals banded together in these generations…

Historically, marketers, branding experts and politicians have analysed the trends and preferences exhibited by individuals that loosely fall into these age brackets, to effectively strategize and target their personality traits with adverts and other campaigns. However, do individuals that fall into different bandings exhibit different behaviours regarding information security?

By understanding the differences identified in other industries, organisations can draw conclusions for generational perceptions and values regarding information security. One of the emerging security risks that organisations will have to prepare for is the impending introduction of the next generation: Gen Z.

Before deep-diving into all-things Gen Z, it is important to identify the five high-level generations:

• ‘The Greatest Generation’: those born between 1900-1920. Many of the people born in this time either lived through the hardships of the Great Depression or fought in World War II. Their parents are the ‘Lost generation’, those who came of age during World War I, and are preceded by the ‘Silent Generation’. This generation had minimal exposure to information technology.
• ‘The Silent Generation’: those born between 1920 and 1945 and grew up while older generations were fighting wars. The term ‘silent’ was coined as the majority of people tiptoed cautiously in a post-crisis social order that nobody wanted to disturb. Information technology came very late in their lives.
• ‘Baby Boomers’: those that were born post-World War II in 1946-59, when birth rates across the world spiked. The explosion of babies became known as the ‘baby boom.’
• ‘Gen X’: those born between 1960-79. Some commentators refer to Gen X has the generational ‘forgotten middle child’, with many growing up watching the Berlin Wall fall, Communism disintegrate and an end to Apartheid in South Africa, all against the backdrop of societal disillusionment and counter cultures impacting society. Gen X and Baby Boomers would have been exposed to many technological changes such as the introduction of mobile phones and the Internet.
• ‘Gen Y (Millennial)’: those born between 1980-94. This cohort largely came of age at the outset of a global financial crisis, but also amid a vast acceleration in digital technology. Gen Y was also the first to be introduced to social media platforms that drastically expanded throughout their early life.
• ‘Gen Z’: Are the newest generation and are born between 1995-2010. Generation Z are digital natives, meaning they have never known life without information or mobile technologies and social media. They have either just joined or are about to join the workplace.

Generation Z – A new risk to information security?

Millennials have, in recent years, received a lot of attention from sociologists, political commentators and marketers because they are becoming a prime consumer, voter and make up a large proportion of the working demographic for many nations. The next generation, however, who will be soon entering the workplace, is Generation Z. As global connectivity soars, generational shifts could play a more important role in the workplace, also having implications for security and privacy. Gen Z’s impact on the workplace will be profound, and information security needs to scenario plan and update security awareness for their impending introduction.

Generation Z exhibit a number of similar characteristics that, if extrapolated, may have far-reaching information security implications. Gen Zers are almost exclusively mobile, with their personal devices reflecting their ‘always-connected lifestyle’. According to Education Technology insights, Gen Zers in their interview pool ‘expect to use their owned and self-managed devices in [their new roles when they enter] the workplace.’ According to Data Solutions, 42% of Gen Z office workers also admitted to losing a device that was linked to a work email account.

This oncoming perception that a BYOD culture is the norm is likely to be very disruptive to traditional cybersecurity models and practices. Prohibiting the use of personal devices will likely frustrate Gen Zers too. Moreover, ‘rules-based security training’ is particularly ineffective with Gen Zers, as they perceive these security awareness training as parental lectures and despise them. This highlights the growing need to address security awareness for their oncoming demographic.

According to McKinsey’s ‘True Gen Z’ paper, Gen Zers are ‘communaholics’, owing to the fact that many of this generation grew up entrenched in social media and mobile platforms. They use Twitter, Instagram and Snapchat between 6-8 hours a day, guided by ‘influencers’ and post almost continuous updates of their daily lives. Gen Zers are also ‘radically inclusive’, and they do not distinguish between friends they meet online and friends in the physical world.

Both observations may have security implications. Will attackers begin targeting Gen Zers on their social media platforms in order to get to the companies they work for? Will they start playing the long game, aiming to socially engineer Gen Zers via social media? Or will the fact that Gen Zers post everything about their lives on social media lead them to accidentally sharing company data online? All three questions are plausible, and certainly, something that organisations should consider.

According to Google’s Chrome Security team, 78% of individuals aged between 16-24 (Gen Zers) admitted to using one password for multiple accounts. By contrast, only 60% of baby boomers admitted to password reuse. Interestingly, 70% of the 16-24 year olds said they wouldn’t fall for a phishing scam… but only 44% of them actually knew what a phishing scam was!

Does this indicate that Gen Zers value speed and ease over security? Do they value security less than other generations? These are both questions that are currently unanswered.

Is your organisation planning for the entrance of Generation Z into the workplace? Do you consider them a threat to the organisation?