Are Your Youngest Employees Your Biggest Security Risk?

Picture the typical victim of a cybersecurity scam… what popped into your head? If you’re like most people, you probably pictured someone older, someone less familiar with technology. Someone who didn’t grow up immersed in the internet, who’s perhaps a bit too trusting of a pop-up window or a suspicious email. It’s a comfortable stereotype.

The data, however, suggests that it may also be wrong. Gen Z appears to be more susceptible than you’d expect. 

A 2023 Deloitte survey was the first to find that kids these days may not be as savvy as we think. Recent CyberArk research surfaced by Dark Reading found that Gen Z–the digital natives who grew up with smartphones in hand–are twice as likely to fall for online scams as Boomers. Similar results by NordVPN suggest it may flag a growing trend.

This isn’t about blaming a generation–Gen Z has been unfairly blamed for enough cultural uncertainty in the last few years. Rather, it’s about understanding the workflows of the younger generation, and adjusting defenses accordingly.

A digital footprint from birth

For older generations, the concept of IT-sanctioned software and devices was an accepted norm: you just use what the company gives you. Millennials were coming of age when “there’s an app for that” entered the popular parlance, but it wasn’t second nature yet.

But Gen Z has grown up surrounded by a mature ecosystem of apps and websites and devices for everything and anything they could possibly think of… and quite a bit more.

Signing up for a new SaaS tool is second nature to many younger workers: a project management app your friend likes, an AI transcription service a podcast said was more accurate, a niche design tool. Using their work email for it likely may not raise the same alarm bells as it would for someone older. There’s nothing nefarious about it: they see it simply as improving productivity, not creating risk.

The result, however, is a potentially vast constellation of unsanctioned accounts and applications, all tied to a corporate identity, but completely outside of IT’s visibility and control. Each of these accounts is a potential liability. A breach of a “free” third-party application can expose employee credentials, which can then be used to attack your core systems. 

The perimeter is an illusion

The traditional boundaries of trusted office networks are long gone–and Gen Z certainly isn’t responsible for that, as they’re even less likely to be working remotely than their Millennial peers. 

But younger workers do tend to operate with more fluidity across devices and networks, blending work and personal life in ways that existing security models simply weren’t built for.

All of these trends give yet more evidence to the unavoidable conclusion that we’ve seen reinforced again and again: the perimeter is no longer the primary battlefield for protecting the cloud office.

Your most sensitive data–the product roadmaps, financial projections, customer lists–doesn’t just live on a secure file server anymore. It lives in your cloud office, being accessed, shared, and integrated in ways your security team often doesn’t have visibility into, let alone control over. 

Toward a resilient workspace

Regardless of the intrusion method–scams targeted at younger workers, token theft, MFA bombing–we can’t solve the problem by writing more policies or running more training sessions alone. Those methods can certainly help, but at the end of the day, humans are going to be human. A shift in strategy is needed.

Guarding against modern threats requires a fundamental shift to focus on gaining visibility and control over what’s inside your cloud office. It starts with asking three questions:

• What is our most sensitive data? You can’t protect what you don’t know you have. The first step is gaining visibility into the sensitive data sitting in your email, documents, and cloud storage.
• Who–and what–has access to that data? This means understanding which accounts have sensitive data sitting in their inboxes and file sharing platforms, but that’s only the start. It also demands understanding the web of third-party apps, service accounts, and sharing links that can also touch that data.
• How can we respond to access changes at machine speed? The goal is to de-risk the entire environment from the inside out. This means creating automated controls that can, for example, require an MFA step-up in order to access a financial report sitting in an inbox, or alert your security team when an employee uses a work account to sign up for an unsanctioned application.

These are precisely the questions Material was built to answer. Material delivers the visibility and control needed to protect your cloud workspace against threats coming from the outside in, while securing the files and accounts from the inside out. 

By analyzing the data within your Google Workspace or Microsoft 365 environment, Material helps you identify and secure your most sensitive threats, tame third-party app risk, and apply the principle of least privilege at scale.

The Gen Z statistic isn’t a fluke: it's a sign of what’s to come. It’s time to build a security architecture that’s ready for it. 

‍