I am 68 years old. I passed my first bar in 1978. My first office computer ran CP/M as an operating system, and my first personal computer was an Apple II Plus. In contrast, my children, both in their early 30s, were playing with computers before they could read. Who is better at cybersecurity?
Well, of course, I am. Actually, the prize goes to those senior partners aged 46 to 60. I am better at it because it is what I do for a living. But the employees with the worst cybersecurity practices are those under 30. In a recent global study, those under 30 averaged a score of 2.3 in terms of cybersecurity good practice, compared with 2.9 for 30-45 year-olds and 3.0 for 46-60 year-olds. My group, those over 60, were pretty hopeless with an average of 2.1.
The takeaway is that these different groups will require different types of training. This is important because the easiest way for cybercriminals to get into your networks is through you or your employees. A saying in cybersecurity circles is “Professionals hack people; amateurs hack technology.” This is true simply because it is easier and far more successful, especially in a COVID world with vulnerable telecommuters.
It is not just an age gap. There is a country gap. Under 30s in France and Brazil are leaders in cybersecurity good practice in their countries. In France, the reason is that they get them while they are young. A government program helps raise cyber awareness in children and students. In Brazil, the country adopted the technologies later, so the younger generation has more experience. In countries like the US and the UK, older employees have far more experience and, as a result, have more distrust.
Speaking from my own experience, I have watched as the technologies evolved over the past 40 years. I have a healthy skepticism as to claims that things actually work. The other problem is the speed at which technology evolves. When I received my highest certification (Advanced Security Practitioner), it was all about “on-prem” networks in actual appliances. Now everything has migrated to the cloud in a virtual environment.
Part of the difference between me and my younger colleagues is that they have grown up using and working with technologies that for the most part actually do work. They assume that as long as the IT department is doing its job, the machines they work with will protect them. They also believe that cybersecurity is not theirs; it belongs to the IT department. Their only concern is to figure out a more imaginative and more productive way to use the technology.
A good example is the recent use of the teleconferencing technology Zoom. Here was this great technology that allowed for large, easy-to-access online meetings: a cloud-based peer-to-peer software platform that is used for teleconferencing, telecommuting, distance education, and social relations. Could anything be cooler?
The free program allowed you to meet with over 100 participants, twice what dull old Microsoft’s Skype will allow. Zoom has individual meeting URLs, breakout sessions for dividing participants into groups, virtual hand raising, and best of all, virtual backgrounds!
The company also houses most of its operations in China. As such, it is subject to the Chinese counterterrorism law, and all of its encryption keys must be shared with the Chinese military. In addition, all encryption capabilities developed in China must use Chinese-provided cryptographic roots.
In addition, Zoom’s meeting IDs and passwords are vulnerable at many levels. An example occurred recently when the UK’s Prime Minister, Boris Johnson, shared a picture of a Cabinet Zoom meeting to Twitter, which included the ID number and names of participants.
To address these issues, it is necessary to develop training materials that address the needs, prejudices, and predilections of various age groups. Cybersecurity is everyone’s problem. There are ways, like gamification, that can work, but they must be implemented throughout the organization. If cybersecurity is thought to be tech’s problem with a tech solution, your firm’s problems are just beginning.
About the Author
William Gamble is an attorney and consultant with IT Governance USA. He holds multiple IT certifications and has been published in journals around the world.