A majority (83%) of US employees understand their employer's cybersecurity protocols, but Gen Z and millennial workers – digital natives who make up a significant portion of the workforce – are least likely to prioritize or adhere to them, according to new data released by Ernst & Young LLP (EY US).

The 2022 EY Human Risk in Cybersecurity Survey asked 1,000 employed Americans about their cybersecurity awareness and practices. Below are the findings:

Three-quarters (76%) of workers across generations consider themselves knowledgeable about cybersecurity, but younger generations― who grew up online and have lived with cyber risks the majority of their lives― are significantly more likely to disregard mandatory IT updates for as long as possible (58% for Gen Z and 42% for millennials vs. 31% for Gen X and 15% for baby boomers);
Younger generations are more likely to use the same password for a professional account and personal account (30% for Gen Z and 31% for millennials vs. 22% for Gen X and 15% for baby boomers);
Finally, younger generations are more likely to accept web browser cookies on their work-issued devices all the time or often (48% for Gen Z and 43% for millennials vs. 31% for Gen X and 18% for baby boomers).
"This research should be a wake-up call for security leaders, CEOs and boards because the vast majority of cyber incidents trace back to a single individual," said Tapan Shah, EY Americas Consulting Cybersecurity Leader. "There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages and rewards everyone in the enterprise."

Looking ahead: building a proactive cybersecurity culture
Cybersecurity risks are on the rise as remote and hybrid working environments create an expanded attack surface for hackers and more state-backed actors, and human risk in particular is growing as younger digital natives, who spent most of their lives embracing technology, enter the workforce. US cyber incidents led to at least $7 billion in potential losses in 2021 alone, according to the Federal Bureau of Investigation.

Most of the employee respondents (84%) feel prepared to avoid cybersecurity mistakes at work, but only one-third (35%) feel very prepared. In fact, half or fewer of the employees say they are very confident about how to follow specific cybersecurity practices at work, such as using strong passwords at work (50%); keeping their work devices up to date with cyber protection (43%); identifying phishing attempts (41%); avoiding ransomware (38%); and encrypting their data (32%).

Role- and risk-based education can help improve cyber-safe practices. Respondents who received role-relevant cybersecurity training in the past year were significantly more likely to implement cyber-safe practices at work – including using strong passwords, keeping cyber protection software current on devices, identifying phishing attempts, avoiding ransomware and encrypting data – than employees who had not had any education for more than a year.

"Companies are investing to embed cybersecurity in every business unit as they digitally transform, but software, controls, processes and protocols are only part of the equation for minimizing cyber risk," Shah said. "Increasing enterprise-wide security also requires a holistic focus on the human, engaging every employee and embedding safety checks and protocols that make the risks tangible in their professional and personal lives."