Business leaders may need to rethink how they offer cybersecurity awareness training to younger employees, after a report from PwC suggested that Millennials and Gen Zers are most likely to flout IT policies that they feel are over-restrictive.

The latest PwC Workforce Pulse Survey found that employees between the ages of 18 and 39 could be exposing their organisations to greater cybersecurity risks because of their own attitudes toward technology and how they felt about their employers’ cybersecurity policies.


In particular, the survey revealed that 41% of 18-39 year-olds felt it was “burdensome and restrictive” to comply with all of their employer’s security guidelines, with 60% of Millennials (ages 24-39) and 61% of Gen Zers (ages 18-23) feeling they should be allowed to take more risks if it meant greater ease of use.

In practice, this meant younger employees were more likely than their older peers to use technology that has been banned by their bosses: 44% of Millennials admitted to using their work devices to access apps and other software that had been expressly prohibited by their employer, compared to 45% of Gen Zers and 37% of respondents in other age groups.

While some might be quick to moan about the youth of today, PwC suggests that the findings indicate a wider cultural issue around how companies structure workplace cybersecurity training, compounded with the many issues that employees currently face while working from home.

“Employees want the same fast, convenient, frictionless tech experience they have in their personal lives to happen at work,” said the report.

“The user experience of enterprise technology isn’t always as seamless as it could be. And with so many people working from home, the need for reliable, user-friendly apps and programs that enable collaboration, creativity and communication has never been higher.”

While IT leaders said they have upped the volume of cybersecurity training and increased investment in technical solutions, employees themselves seem to be less aware of the steps their organisation is taking to safeguard them. For example, nearly 70% of CISOs and CIOs surveyed by PwC said they had increased security training as a result of COVID-19; yet only 30% of employees said their employer offered training on the dos and don’ts of protecting company assets and data.

Similarly, less than a third of respondents said their employer had provided dedicated devices for doing work at home, and only 23% said their company had “provided a compelling case for why employees need to have good data security habits.”

PwC pointed out that much of businesses’ cybersecurity activities happen behind the scenes, meaning employees may not always be aware of the efforts being taken to protect them on a day-to-day basis. However, the report suggested that “the lack of awareness around more visible tactics,” such as additional training, indicated that “efforts leaders are making to help increase their employees’ cyber acumen simply aren’t resonating.”


Another problem businesses face is the stigma attached to flagging cybersecurity incidents when they occur. Only 26% of respondents to PwC’s survey said they could escalate a security incident they may have caused without fear of reprisal from their boss. This suggests that data breaches and other cybersecurity incidents are not being reported as soon as they occur, potentially leaving company systems exposed for longer and increasing the severity of the breach.

“It’s important to reinforce the message that it’s okay to elevate a security risk,” the report said.

“Consider implementing a zero-tolerance policy on retribution or creating a channel for people to report security risks anonymously. The more willing people are to report a risk, the faster you can identify and contain the fallout.”

Bringing about the necessary culture change to improve workplace cybersecurity means changing the messaging and communication with employees, as well as providing incentives that offer them career development, PwC concluded.

This could include awarding certifications or badges to cybersecurity “ambassadors” that can be recognised in the talent market, as well as introducing incentives and rewards for good cybersecurity habits. At the same time, businesses should amend security policies so that they reflect employees’ personal concerns, rather than focusing on implications for the company, PwC said.

On the technology side, employers should pay more attention to the user experience when choosing technology and designing policies, and ask employees to offer their input.