Why gen Z’s lack of IT literacy is a serious business risk

Even though generation Z is the first to have been raised by the internet, its members are relatively poor at cybersecurity. They’re not totally to blame for that, though

Illustration of an absent-minded young person using a mobile phone and a laptop

As the big economies of the West boomed after the second world war, adolescents in those countries, especially the US, gained significant spending power for the first time. This prompted businesses to create a whole new marketing segment for them, putting the term ‘teenager’ into common usage. By the 1970s, the generation gap had come into play: it was no longer about how old you were, but when you were born. Such slicing and dicing has since evolved into a system featuring several age categories, including the silent generation, post-war baby boomers, generation X and millennials. Today’s teenagers and under-25s are known collectively as generation Z, while those born since the early 2010s are classed as gen alpha.

If you type gen Z’s other name, ‘zoomers’, into your favoured internet search engine, you’ll find all sorts of claims about their characteristics, many of which are contradictory. They’re political activists, yet they’re nihilists. They’re into trends such as urban fishing, but they’re also hard-nosed capitalists. Apparently, they can’t stand millennials, punctuation or the US. 

We often talk about cybersecurity from a deep technical perspective, but don’t discuss its societal impact in a non-technical way

Whether such sweeping generalisations could possibly hold true for the world’s 2 billion zoomers is beside the point. The one key factor that unifies them all is that they’re the primordial internet-brained batch, the first that has only ever known life with the net seeping into every pore, for better or for worse. For many, using a smartphone is as natural as drawing breath. They spend half of their waking lives on screen time, according to research published by the Los Angeles Times last year. 

Yet, for all their familiarity with the digital world, significant problems have arisen for zoomers as they’ve entered the workplace and been confronted by antediluvian hardware and software. Reports abound of gen Z’s struggles with (admittedly infuriating) tech such as office printers and spreadsheets. 

A general IT literacy gap may exist, then, but more worrying than a junior employee’s inability to work a scanner is the potential cybersecurity threat this gap presents. A survey conducted last year by the National Cybersecurity Alliance made some surprising findings. It found that, despite their familiarity with the digital economy, 64% of zoomers did not rate cybersecurity as a high priority. They also reported a higher cybercrime victimisation rate than other age groups and were most likely to take phishing bait.

During the depths of the Covid crisis, younger employees also experienced more IT problems than their older colleagues while working remotely. According to a survey by Security magazine, 38% of zoomers were logging four or more tech-related issues a week on average in Q2 2020, compared with only 12% of colleagues aged 45 to 54. They engage in riskier behaviour too: while they understand the need to change passwords regularly, they don’t actually do so, according to the World Economic Forum.

The psychology of cyber literacy

Gen Z’s apparent lack of computer literacy and lax attitude to cybersecurity may spell trouble for everyone. The digital economy has become even more interlinked in nature since the Covid crisis, when millions of people were obliged to live more of their lives on the internet. Critical infrastructure, private health records, our personal data – it’s all online. The recent upsurge in supply chain attacks shows that criminals need find only one defensive weak link to cause widespread damage. Consider a hospital to which an employee accidentally introduces ransomware, effectively shutting down its vital systems – literally a matter of life and death.

All this seems a little mystifying, given that gen Z has widely been touted as the most IT-savvy generation. But the ‘digital native’ badge is possibly an unhelpful one, according to Dr Elinor Carmi, lecturer in data politics and social justice at City, University of London. She observes that, while people are indeed becoming acquainted with online tech at a younger and younger age, the range of applications they’re using is actually quite limited. 

If you have an individual who doesn’t care much about their own data, what attention are they going to pay to their organisation’s data?

“When I ask my students what they mean when they say they’re online, 99% say they mean they’re using TikTok,” Carmi reports. “If you’re experiencing only one thing, that limits how you understand different types of options and what’s available to you.”

Researchers at Royal Holloway, University of London, are studying the disconnect between zoomers’ comfort with digital tech and their risky behaviour online. Some of the answers might lie in human biology, suggests Professor Dawn Watling, director of the college’s social development lab. 

The prefrontal cortex, which helps us to make rational decisions and exercise cognitive control, is one of the last parts of the brain to mature, she says. By contrast, the limbic system, which contains areas of the brain involved in reward and reinforcement – develops much sooner, so it may be more natural for younger people to throw caution to the wind and open a dodgy email promising a huge cash windfall. 

At the same time, zoomers may have developed a sense of complacency that they’re less likely than older people to become victims of cybercrime simply because they’ve grown up with digital tech.

“On top of this overconfidence, there’s been a lack of understanding about the consequences,” says Watling’s colleague, Dr Konstantinos Mersinas, director of Royal Holloway’s distance learning programme in information security. “They might say: ‘OK, maybe my phone is hacked, but I’ll survive.’ Such an attitude is related to risk-seeking behaviour. If you have an individual who doesn’t care much about their own data, what attention are they are going to pay to their organisation’s data?”

Cybersecurity’s image problem

Yet apathy is not the predominant attitude that Lisa Plaggemier, executive director of the National Cybersecurity Alliance, has detected during her conversations with zoomers. Rather, it’s a prevailing sense of nihilism tied to their perceived lack of agency. 

Contrary to what many people might think, zoomers are mistrustful of the tech industry, according to research by marketing agency FleishmanHillard in 2020, yet many feel powerless against the might of big tech. Having grown up with the internet and learnt of many high-profile data breaches, they feel that “the horse is out of the barn and there’s not a lot they can do”, Plaggemier says. That’s not actually true, she adds, but cybersecurity has such an image problem that the effective defensive measures people could actually take are often ignored. 

When I ask my students what they mean when they say they’re online, 99% say they mean they’re using TikTok

If this situation persists, the cyber literacy gap is likely to become a chasm, where highly technical criminals target their constantly online victims – something that’s already happening to a degree and becoming easier than ever for attackers.

A big problem here is the perception that effective cyber hygiene is an onerous chore. This needs to be tackled socially, starting at school, according to Mark Brown, MD for digital trust at the British Standards Institution (BSI). 

“We often talk about cybersecurity from a deep technical perspective, but what we haven’t discussed is its societal impact in a non-technical way,” he says. “When we use solely technical terms, that puts people off. Our messaging has to change: we must cover the reality of personal outcomes and include real-life examples.”

Critical thinking is the foundation of cyber literacy

Carmi suggests that one way to prepare young people better could be for schools to focus more on teaching critical thinking skills. She notes that, while data literacy is mentioned in the ongoing saga that is the UK’s online safety bill, regulators are understandably reluctant to take ownership of that project. 

“It’s not something you can do really quickly, but governments prefer to think about the moment rather than the future,” Carmi says. “We need a future thinking programme for different demographic groups, who haven’t learnt this in schools and universities. It needs to provide ongoing support, because things learnt five years ago may not be relevant today. But some factors are never going to change – teaching people how to cross-check sources is will still be relevant in 10 years’ time, for instance. Core skills such as assessing whether websites (or people) are legitimate or not are important.”

How to build a culture that values cybersecurity

There are signs that some of tech’s biggest players are starting to position factors such as data privacy as a competitive differentiator. Apple’s recent ad featuring US comedian Jane Lynch, for instance, may go some way towards addressing security’s image problem. 

More could be done, though. If Plaggemier had one wish, it would be for businesses to use multi-factor authentication as the default, providing a massive security boost overnight. 

But finding a solution to the problem won’t be simple. It will require a concerted effort from government and the tech industry to communicate in clear terms why security is important. They must collaborate to explain the benefits of good cyber hygiene and provide ongoing support for users of all ages, taking into account not only the technology but the psychology too. 

Clearly, this issue cannot be attributed to some inherent generational difference. There’s strong evidence to suggest that the rest of us have let a generational cyber literacy gap widen too far. Where governments have run awareness campaigns, these have changed people’s views and habits. Take the UAE, for example. One of the world’s most digitally advanced economies has bucked the trend with a targeted public education programme and made cybersecurity a key concern among younger people.

Traditional training will not work in this context and neither will sanctions, according to Watling and Mersinas at Royal Holloway. 

“If it’s too disruptive to people’s work, they often seek an alternative way to do what they want to do,” Watling argues. “We think it’s crucial to think about cybersecurity culture, how we explain things to people and how we support their own buy-in. It’s important for training to happen, but we need to think more generally about what kind of cybersecurity culture we have.”