Intuition suggests that the generation raised in the glow of smartphone screens should be best equipped to avoid online pitfalls. However, the latest data casts a long shadow over this belief, revealing a worrying paradox: it is Generation Z, or digital natives, who are the weakest link in a company’s cyber security chain. A study by Yubico shows that as many as 62% of representatives of this group have interacted with a malicious link or attachment in the past year. This figure is significantly higher than that of the older generations. This alarming indicator is forcing IT leaders to fundamentally revise their security strategy.
Why are digital natives falling through the net?
The problem lies not in a lack of familiarity with technology, but in the nature of that familiarity. Being proficient in navigating the digital world is not the same as being able to recognise risks. There are several reasons for this phenomenon and they paint a complex picture of contemporary risk.
Firstly, overconfidence. Young employees, who have used apps and social media intuitively since childhood, often believe in their “digital infallibility”. This confidence undermines their vigilance, leading them to disregard basic precautions. They trust their ability to distinguish a fake from an original, not realising that today’s attacks, aided by artificial intelligence, are almost perfect.
Secondly, changing attack vectors. Traditional cyber security training focuses on analysing suspicious emails. Meanwhile, phishing has long since left the inbox. Generation Z operates in an ecosystem of instant messaging (WhatsApp, Messenger), social media (TikTok, Instagram) and SMS. Attacks coming through these channels – in the form of a link to a supposed promotion from an influencer or a fake package notification – are much harder to identify, as they appear in a context that users consider trusted and private.
Thirdly, the culture of immediacy. Social media and modern apps have accustomed us to instant interaction – quick scrolling, liking and clicking. This habit eliminates a moment for reflection. Phishing attacks are designed to exploit this impulse, often playing on emotions or a sense of urgency (FOMO – Fear Of Missing Out), making the user click before they have time to think.
Implications for business: time for a strategy reset
Maintaining existing methods of protection in the face of this phenomenon is like putting out a forest fire with a watering can. Companies need to understand that their youngest employees, who make up an increasing proportion of the workforce, require a completely new approach.
The traditional annual training sessions in the form of PowerPoint presentations have become a relic of the past. They are not only boring but, above all, ineffective because they do not address the real risks that Gen Z faces on a daily basis. Effective education must be continuous, interactive and personalised. This means phishing simulations conducted on instant messaging, video-based micro-training and gamification that engages rather than bores.
However, even the best training will not eliminate the risk of human error. Therefore, the burden of protection must ultimately shift from humans to technology. Relying on employee vigilance in an era of AI-generated attacks is a strategy doomed to failure. This leads to the only valid conclusion: the need to implement a Zero-Trust architecture in which nothing is trusted by default.
From education to reliable authentication
The Generation Z paradox makes it brutally clear that education alone is not enough. Since we cannot fully trust a person’s ability to recognise a fake, we must implement mechanisms that make such attacks ineffective. Passwords, even the most complex ones, are insufficient today. The key to the future of security is phishing-resistant multi-factor authentication (MFA).
Solutions such as hardware security keys make it impossible to log in to a fake site, because verification is performed cryptographically rather than relying on the user’s knowledge. They are becoming the new gold standard that protects the organisation regardless of whether the employee is tired, distracted or simply fooled. For companies employing younger generations, investing in such technologies ceases to be an option and becomes a strategic necessity, protecting against the threats that are already here.
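What that cryptographic verification checks on the server side, as an added example that is not from the article or from Yubico: it assumes the keys speak WebAuthn/FIDO2 (a standard the article does not name), where the relying party compares the origin recorded by the browser and the RP ID hash covered by the key's signature. Signature verification over these bytes is assumed to happen separately, and `RP_ID`, `EXPECTED_ORIGIN` and the sample data are constructed.

```python
import base64, hashlib, json, struct

RP_ID = "login.example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> list:
    """Return a list of binding failures; an empty list means the checks pass."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["malformed clientDataJSON"]
    if not isinstance(client, dict):
        return ["malformed clientDataJSON"]
    errors = []
    if client.get("type") != "webauthn.get":
        errors.append("wrong ceremony type")
    # Must be the fresh challenge this server issued for this login attempt.
    if client.get("challenge") != b64url(expected_challenge):
        errors.append("challenge mismatch")
    # The browser, not the user, records which origin asked for the login.
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin mismatch")
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        return errors + ["authenticator data too short"]
    rp_id_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash mismatch")
    if not flags & 0x01:  # bit 0 = user present (key was touched)
        errors.append("user presence flag not set")
    return errors

def constructed_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and key emit on `origin`."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 7)
    return client_data, auth_data

if __name__ == "__main__":
    ch = bytes(range(32))
    print(check_assertion_binding(*constructed_sample(EXPECTED_ORIGIN, RP_ID, ch), ch))
    print(check_assertion_binding(
        *constructed_sample("https://login.examp1e.com", "login.examp1e.com", ch), ch))
```

The second call models an assertion relayed from a look-alike domain: the user may not notice the swapped character, but the origin and RP ID hash no longer match and the login is rejected.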