Raising Security Awareness for Millennials in the Workplace
Millennials are a significant portion of the modern workforce. Those responsible for awareness training initiatives need to know how to build training that speaks to them.
If any of the absurd hand-wringing articles of the last few years about all the things millennials in the workplace have ruined are any indication, safe cybersecurity and data privacy practices might be next on their list.
As the first “digital native” generation, millennials were practically born in front of a computer. A good chunk of your workforce likely comprises those born between 1982 and 1996 (the definition of “millennial,” according to the Pew Research Center.
Though estimates differ depending on where you get your information, millennials are expected to make up 50%-60% of the American workforce by 2025.
Given their “always connected” upbringing, it can be easy to assume they don’t care about data privacy and cybersecurity.
But since information technology is integral to every modern business, millennials in the workplace simply cannot sidestep privacy and security responsibilities.
Nor do they want to.
The Millennial Approach
It’s not that millennials in the workplace disregard these important issues. They just approach them differently than people born before the rise of the internet. In fact, they approach a lot of things differently.
Perhaps more so than other generations, statistics show that millennials in the workplace think collectively and socially. The Case Foundation’s Millennial Impact Report, reflecting a 10-year study of this generation, found that millennials care about social issues (rather than institutions), using their collective voice, and supporting others and the greater good (more than ineffective partisan politicking).
They also have a strong desire for a personalized experience―not surprising since the digital era has gotten everyone pretty used to that.
Given their unique expectations, any successful training initiative on privacy and security directed at this cohort must be delivered in ways that satisfy their preferred working and learning styles.
That means relevant, engaging and varied. Here are some ways to think about awareness training with this generation in mind.
Training Tip #1: Keep it Relevant
While the instinct for security is fundamental to humans, the challenge with those who’ve grown up with the internet is getting them to understand and accept that behaviors they take for granted may come with a great deal of cyber risk.
For example, a 2019 study from DataSolutions found that one in ten millennial office workers in Ireland would keep using a device that was under cyber attack.
The Pew Research Center reports that millennials in the workplace often pay little attention to the potential security vulnerabilities that new technologies and devices pose, or to the risks associated with downloading certain apps or connecting to a public Wifi network without a VPN.
The proliferation of unsecured devices exposes millennials and other digital natives to greater insider threat vulnerabilities. F5 Neworks’ 2018 Curve of Convenience report revealed that 32% of millennials in the workplace across Asia will continue to use an app even when data security is compromised.
These data points are perfect examples of information that could be worked into realistic scenarios and made part of training content to illustrate these risks.
What’s more, because they come from a dynamic environment of continual and extensive online sharing, millennials’ idea of privacy is different from that of older generations. Organizations consequently need creative ways to convince them of privacy’s importance. That includes explaining the bigger picture, making it relatable, and highlighting potential positive and negative impacts to the individual and the organization associated with privacy behaviors.
Make training content relevant by keeping it fresh and role-based. Don’t include content that will bore employees who already know the material. Millennials don’t like wasting their time! Only train on what an employee needs to know so they don’t tune out. Explain the individual’s role in the overall workforce and the impact they can have on the whole company.
Remember to appeal to millennials’ social and cultural ethos. Focus on a learning experience, rather than something punitive where they feel “caught.” Don’t make it stressful. Give second chances and look for improvements.
Training Tip #2: Make it Engaging
Capturing attention at an emotional level will make people want to continue with training.
With many millennials used to quick-hit videos and GIFs, the right amount of interactive content can help keep these learners engaged.
Of course, any format that hits the right note with the audience will work. A well-crafted video is as engaging as an explorative course. Just find a hook that speaks to the audience.
Here’s an example:
Say a training goal is to get employees to follow a correct process that’s often ignored. There are two groups of learners: those over 45 and those under.
Training for those 45 and older needs to reflect the cultural attribute that they don’t like being told they’re doing their jobs incorrectly. They want to be treated with respect and as experts. Effective training would show them how to work faster and smarter, helping them be even better.
Millennials, however, want to be shown how doing their job helps others downstream and positions them for future success. Effective training could include things like gamified or role-play activities, with the point of showing how each employee can make a difference.
Find a training motif that will set the right tone for your millennial learners. Because they grew up with video games, the internet, and big-budget blockbusters with lots of CGI, they can be difficult to impress with media. Don’t push yourself to create something that will be compared to—and likely fall short of—the multimedia standards millennials are used to.
Rather, refine a simple idea that includes some classy or entertaining touches. While that can be subjective, find some baseline that will be fun for your learner population and build from there.
Determine the experience that bests suits the content. As one example, millennials do well when put in a position to help their co-workers. Consider training that simulates a workplace environment where the learner acts as a helper/trainer. Consider activities that are:
- Process-driven and emphasize action
- Emotional, using storytelling or narrative to show how a concept plays out in real-life
- Policy-based, using scenario questions that let the learner see the outcome of following and ignoring policy
Also, remember that millennials value autonomy. Offer these learners a window of time to complete training. Provide non-linear modules so employees can review them when convenient to their schedules. Perhaps let them choose which topics they want to be trained in first.
Microlearning: 4 Signposts to Guide Your Corporate Learning Strategy
Download our free white paper for tips on building microlearning strategies into your employee awareness training program.Download White Paper
Consider a microlearning approach, which includes short training modules that are built-on over time to increase knowledge and retention. This also allows for quickly presenting new information as needed, such as regarding emerging threats.
Keep in mind that at least some long-form training on the basics for each new hire will be needed to get basics out of the way.
Training Tip #3: Vary the Experience
Regardless of generation, some things will connect with some learners but not with others. Varying content within a holistic campaign provides more ways to resonate across learning styles, reinforce learning, and yield better retention of the training content.
Try different types of materials like standard vs. gamified activities or articles vs. videos. Incorporate visuals through things like posters and infographics. As discussed earlier, make some of your training interactive. Mix up formal and informal tone – make it fun!
Try different tactics in your phishing program – for instance, using a shipping notification from Amazon vs. a personal email from the CEO. Vary the bait. Use a professional or urgent tone; prompt them to view a video or download an attachment; include a request for help. As you re-phish, increase the difficulty over time.
Of course, while simulated phishing is a useful technique, it should be combined with, not take the place of, a concerted awareness training initiative.
Words (and Training Techniques) Matter
As you develop your ongoing training program, keep in mind that “millennials” can dislike being labeled with that term, which often evokes unflattering imagery. It can be a useful shorthand but shouldn’t be overused.
Respecting their unique worldview, capabilities, and experience is important to bringing them along on the organizational privacy and security journey.