Recent cyber incidents like the Transport for London attack and the ‘Kido’ nursery chain breach have exposed a troubling shift in the UK threat landscape. The suspected perpetrators of both hacks were not hardened criminals or foreign syndicates; they were all teenagers.
The internet has become both a playground and a proving ground. For a generation raised online, the boundary between experimentation and exploitation is fading and it’s happening at a younger age than ever. The majority (60%) of 3-5 year olds already own a social media profile, and one-third of those use it unsupervised. In fact, 25% of all children and young people now use their smartphones in a way that is consistent with a behavioural addiction.
By age 15, more than half of children will spend more than 30 hours per week staring at a screen, almost as much time as they spend in school, which is increasing their exposure to hacking-adjacent content.
For this generation, life online is normal. Learning, entertainment and identity are all mediated through screens. Social media has also gamified cyber intrusion. On Discord, TikTok and Telegram, cyber mischief earns clout. Hacking competitions, leaked data and defacement pranks play out like levels in a game. For digital natives accustomed to instant feedback and peer validation, breaching a system can feel more like an achievement than a criminal offence. This cultural shift hasn’t gone unnoticed outside the profession. BBC reporter Joe Tidy’s new book, ‘Ctrl + Alt + Chaos’, explores teenage hacker culture, and he’ll be discussing it at this year’s CIISec LIVE.
Any parent, teacher or mentor knows how quickly fascination can become fixation. Without guidance, the same technical spark that could ignite a cyber security career can just as easily burn in the wrong direction. This curiosity isn’t confined to social media or gaming communities, it’s now reaching into education itself.
The UK Information Commissioner’s Office (ICO) recently reported that over half (57%) of personal data breaches in schools between January 2022 and August 2024 were caused by students, often through stolen login details. While these incidents are small-scale compared to corporate attacks, they highlight a growing issue. Young people are experimenting with hacking inside their own school systems. The profession must meet this generation where they are – online, curious and ambitious. The missing piece is giving them credible, structured ways to apply their skills before others exploit them.
To redirect talent, the cyber security profession needs to open its doors wider and make routes clearer, so that what looks like mischief can become mastery. Initiatives such as CIISec’s CyberEPQ – the UK’s only Extended Project Qualification in cyber security – are already helping younger learners find their footing in the field. Apprenticeships, certifications and transparent progression pathways can convert curiosity into capability, which should be visible and easy to access.
Beyond pay, the purpose is powerful, since protecting critical services, defending citizens and solving complex challenges resonates with young people who want meaningful work. Yet awareness of these opportunities is limited, and if the profession does not shout louder about its appeal, cybercrime forums and hacker groups will fill the vacuum. Diversifying talent pipelines through unconventional entry points in gaming communities, coder clubs, esports teams, and school robotics clubs can also surface raw technical skill to meet this growing issue.
Every young person guided away from the adversary pool and into the defender community delivers a double dividend – one person fewer posing a threat, and one added protector.
Developing human capability is cheaper and more sustainable than chasing the next security tool, and it builds resilience from the inside out. In a world where every line of code can be weaponised, attracting talent into legitimate fields may be our most powerful defence, and it is one we can scale quickly if we act now.
