Technology   //   June 3, 2024

Gen Z, millennials are ‘weak link’ as AI fuels new cyberattack workplace threats

New research from EY reveals a growing cybersecurity anxiety among U.S. employees, with younger generations particularly vulnerable to sophisticated AI-powered attacks. 

Experts emphasize the need for engaging and tailored training programs and a culture of cyber awareness to combat evolving threats.

A survey of 1,000 workers in the U.S. by EY paints an alarming picture of the cybersecurity landscape. More than half (53%) of employees fear their organization will be targeted by cybercriminals, with about one-third (34%) worried their own actions could be the weak link. This anxiety is particularly acute among Gen Z and millennials, who feel less equipped to navigate the increasingly complex world of cyber threats compared to their older counterparts.

“The risk landscape has become incredibly complex,” says Jim Guinn II, EY Americas Cybersecurity leader. “Geopolitical tensions, constantly evolving regulations, and the rapid integration of new technologies, especially AI, all contribute to this challenge.” The study found that 85% of employees believe AI has made cyberattacks more sophisticated, with 78% expressing concerns about its use in malicious activities.

The EY survey highlights a stark generational divide in cybersecurity preparedness. Gen Z, despite being digital natives, are losing confidence in their ability to identify phishing attempts, one of the most common cyberattack tactics. Only 31% feel very confident in spotting these threats, a significant drop from 40% in 2022. This vulnerability is further emphasized by the fact that 72% admit to clicking on suspicious links at work, a figure significantly higher than other generations.

This lack of awareness translates into heightened anxiety. Nearly two-thirds of Gen Z and millennial employees fear losing their jobs if they were to compromise their organization’s security. This apprehension is compounded by a lack of clarity regarding reporting protocols for suspected cyberattacks, with younger generations significantly less likely to understand their company’s procedures.

Despite these concerns, the data provides a silver lining. Gen Z, while less confident in their abilities, are increasingly knowledgeable about cybersecurity. This presents a crucial opportunity for organizations to invest in upskilling and training programs tailored to their experiences as digital natives.

"Creating a game out of cybersecurity awareness, with incentives like team lunches or extra time off, can significantly increase engagement and knowledge retention."
Jim Guinn II, EY Americas Cybersecurity leader.

“Cybersecurity training can’t be a one-size-fits-all approach,” explains Guinn. He advocates for gamified training programs that leverage the competitive spirit of employees, particularly younger generations. “Creating a game out of cybersecurity awareness, with incentives like team lunches or extra time off, can significantly increase engagement and knowledge retention.”

Beyond engaging training programs, experts stress the importance of fostering a culture of cyber awareness within organizations. 

“When security practices are embedded in the company culture, employees are more likely to prioritize security in their daily activities and proactively report potential incidents,” said Dan Mellen, EY Americas consulting cybersecurity chief technology officer.

To achieve this, EY recommends a multifaceted approach that also includes partnership over policing, or fostering a “see something, say something” culture, where employees feel comfortable reporting potential threats without fear of repercussions. In addition, it suggests leadership by example, where senior leaders demonstrate responsible AI practices and promote transparency around its development and deployment within the organization.

St. Petersburg, Florida-based cybersecurity expert and analyst Michael Hess offers several tools employers can use to get their people up to speed when it comes to cybersecurity preparedness: 

Adaptive learning platforms

Employers can use AI-powered adaptive learning solutions to customize cybersecurity training for every worker. These platforms evaluate the knowledge and behavior patterns of an employee, then customize the training material based on those findings. One employee might get advanced training on new dangers if they continually demonstrate a great grasp of phishing attempts, while another employee who exhibits vulnerabilities in recognizing fraudulent emails might receive more basic, repetitive drills. This guarantees that every employee, irrespective of their initial proficiency level, is suitably equipped to manage cyber dangers.

Real-time phishing simulations

Conventional phishing training often involves prearranged, recurring simulations. To effectively train employees for real-world situations, real-time phishing simulations that are different and unplanned should be included. To enhance the realism and efficacy of the training, AI algorithms that imitate contemporary phishing patterns can initiate these simulations. Employees are given prompt feedback and instructions on how to identify and counteract these risks, which greatly enhances their capacity to deal with real phishing efforts.

Behavioral analytics integration

Using behavioral analytics can help in spotting odd employee behavior that might point to possible cybersecurity threats. Real-time flagging of departures from standard employee behavior patterns is possible with machine learning algorithms. The system can notify security teams for prompt action, for example, if an employee who usually logs in from a certain place suddenly logs in from another nation, or if an unexpected amount of data is being accessed or moved. This proactive strategy teaches staff members about safe behavior and the value of adhering to protocols in addition to aiding in early identification.

In a rapidly evolving digital landscape, prioritizing cybersecurity has become increasingly urgent on the part of employers. By embracing proactive training, fostering a culture of awareness and adapting strategies to address the unique vulnerabilities of different generations, experts agree, organizations can empower employees to become the first line of defense against increasingly sophisticated cyber threats.