Employees who grew up using digital technology who are now entering the workforce take cybersecurity more seriously on their personal devices rather than work devices, according to a new Ernst & Young survey. (Photo by George Frey/Getty Images)

Millennial and Gen Z employees are more relaxed when it comes to cybersecurity on their work devices than their personal devices, according to a new survey from Ernst & Young Consulting.

While a large majority of U.S. employees (83%) understand the cybersecurity protocols for their jobs, the digital natives of Gen Z and millennials who make up a significant portion of the workforce are less likely to prioritize and adhere to them, according to Ernst & Young LLP.

Nearly half of Gen Z employees (48%) and 39% of millennial employees admitted to taking cybersecurity protections on their personal devices more seriously than their work devices, putting their employers at risk, according to the 2022 EY Human Risk in Cybersecurity Survey released Tuesday.

But that’s not the only example where younger employees differ from their older peers when it comes to cybersecurity and their work devices.

Gen Z and millennials are also more likely to disregard mandatory IT updates for as long as possible compared with their Gen X and baby boomer counterparts (58% for Gen Z; 42% for millennials vs. 31% for Gen X; 15% for baby boomers).

Younger generations are also more likely to use the same password for a professional account and for a personal account (30% for Gen Z; 31% for millennials vs. 22% for Gen. X; 18% for baby boomers). 

Gen Z and millennials are also more likely to accept web browser cookies on their work-issued devices all the time or often (48% for Gen Z; 43% for millennials vs. 31% for Gen X; 18% for baby boomers).

"This research should be a wake-up call for security leaders, CEOs and boards because the vast majority of cyber incidents trace back to a single individual," said Tapan Shah, EY Americas Consulting Cybersecurity Leader, in a news release. "There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages and rewards everyone in the enterprise."

As noted in the release, role- and risk-based education can help improve safe practices, such as using strong passwords, keeping software up to date, and identifying phishing attempts. 

"Companies are investing to embed cybersecurity in every business unit as they digitally transform, but software, controls, processes and protocols are only part of the equation for minimizing cyber risk," Shah said. "Increasing enterprise-wide security also requires a holistic focus on the human, engaging every employee and embedding safety checks and protocols that make the risks tangible in their professional and personal lives."