While enterprises place a huge emphasis on educating workers to look out for phishing scams, the worst offenders when it comes to clicking malicious links are actually security leaders themselves.
That’s according to new research from Arctic Wolf, which found that despite three-quarters of IT and security leaders believing their organization wouldn’t fall for a phishing attack, nearly two-thirds click phishing links.
Notably, one-in-five failed to report falling for a malicious link or phishing email.
Adam Marrè, senior vice president and chief information security officer (CISO) at Arctic Wolf, said the study highlights a major blind spot and degree of hubris among some security leaders.
"When leaders are overconfident in their defenses while overlooking how employees actually use technology, it creates the perfect conditions for mistakes to become breaches,” he said.
Yet despite their own poor record, 77% of IT leaders say they would fire staff who fall for scams, marking not only a double standard but a sharp increase from 66% in 2024.
More than six-in-ten of IT leaders have changed employees’ access or limited their access as a result of falling victim to phishing scams.
Better training and culture require to stop phishing scams
Arctic Wolf said a better strategy to combat the rise of phishing attacks lies in more robust training for staff at all levels. Indeed, companies that emphasize corrective training reported an 88% reduction in long-term risk.
“Terminating employees for falling victim to a phishing attack may feel like a quick fix, but it doesn’t solve the underlying problem," said Marrè.
"Our research shows that better-trained and better-equipped end users are far less likely to be duped — and when organizations take an education-first approach, nearly nine in ten see positive outcomes."
Attacks keep on coming
The call to action comes at a critical time for enterprises. The number of incidents is surging worldwide, according to Arctic Wolf, with 68% of IT leaders saying their organization suffered a breach in the past year.
This marks an 8% increase from 2024. More than one-in-ten had more than five breaches, while only 30% reported none.
Senior leadership teams are a prime target, the study noted, with 39% hit by phishing attempts and 35% facing malware infections that put high-value accounts at risk.
The UK, Australia, New Zealand and Ireland saw the steepest year-over-year increases, with the number of incidents in the UK and Ireland rising by 35% year over year, partly because of recent high-profile attacks on retailers.
"Contributing factors include the sector’s historical reliance on legacy systems, seasonal spikes in consumer activity, and the complexity of managing customer data across distributed environments," the researchers said.
"While these attacks are serious, they also reflect a broader shift in threat actor behavior toward more opportunistic and scalable methods, making retail a prime target."
The researchers found that many organizations are neglecting the basics, with only 54% of organizations enforcing MFA for all users.
“Progress comes when leaders accept that human risk is not just a frontline issue but a shared accountability across the organization," said Marrè.
"Reducing that risk means pairing stronger policies and safeguards with a culture that empowers employees to speak up, learn from errors, and continuously improve.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
AI is redefining roles in the tech industry and forcing Gen Z workers to reassess career pathsNews Gen Z workers remain cautious about AI while industry turbulence is changing their outlook on company loyalty
-
Zen Internet eyes channel growth under new partner chiefNews The seasoned leader will spearhead the firm’s channel activity as it looks to drive deeper partner collaboration
-
Hackers stole source code, bug details in disastrous F5 security incident – here’s everything we know and how to protect yourselfNews CISA has warned the F5 security incident presents a serious threat to federal networks
-
Been offered a job at Google? Think again. This new phishing scam is duping tech workers looking for a career changeNews A new Google Careers phishing scam is targeting tech workers looking for a change of scenery – here's how to stay safe
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
-
Government urges large enterprises to shore up defenses as NCSC warns UK faces four 'nationally significant' cyber attacks every weekNews UK enterprises of all sizes face escalating cybersecurity threats, ministers have warned
-
Third time lucky? The FBI just took down BreachForums, againNews The hacking forum is down for now, but the group behind it, Scattered Lapsus$ Hunters, isn't going to stop extorting victims of the Salesforce breach
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber skills shortages are pushing firms into dangerous shortcuts – and it’s putting them at huge risk of security breachesNews Chronic cyber skills shortages mean many businesses are implementing quick fixes
