77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thing

While enterprises place a huge emphasis on educating workers to look out for phishing scams, the worst offenders when it comes to clicking malicious links are actually security leaders themselves.

That’s according to new research from Arctic Wolf, which found that despite three-quarters of IT and security leaders believing their organization wouldn’t fall for a phishing attack, nearly two-thirds click phishing links.

Notably, one-in-five failed to report falling for a malicious link or phishing email.

Adam Marrè, senior vice president and chief information security officer (CISO) at Arctic Wolf, said the study highlights a major blind spot and degree of hubris among some security leaders.

"When leaders are overconfident in their defenses while overlooking how employees actually use technology, it creates the perfect conditions for mistakes to become breaches,” he said.

Yet despite their own poor record, 77% of IT leaders say they would fire staff who fall for scams, marking not only a double standard but a sharp increase from 66% in 2024.

More than six-in-ten of IT leaders have changed employees’ access or limited their access as a result of falling victim to phishing scams.

Better training and culture require to stop phishing scams

Arctic Wolf said a better strategy to combat the rise of phishing attacks lies in more robust training for staff at all levels. Indeed, companies that emphasize corrective training reported an 88% reduction in long-term risk.

“Terminating employees for falling victim to a phishing attack may feel like a quick fix, but it doesn’t solve the underlying problem," said Marrè.

"Our research shows that better-trained and better-equipped end users are far less likely to be duped — and when organizations take an education-first approach, nearly nine in ten see positive outcomes."

Attacks keep on coming

The call to action comes at a critical time for enterprises. The number of incidents is surging worldwide, according to Arctic Wolf, with 68% of IT leaders saying their organization suffered a breach in the past year.

This marks an 8% increase from 2024. More than one-in-ten had more than five breaches, while only 30% reported none.

Senior leadership teams are a prime target, the study noted, with 39% hit by phishing attempts and 35% facing malware infections that put high-value accounts at risk.

The UK, Australia, New Zealand and Ireland saw the steepest year-over-year increases, with the number of incidents in the UK and Ireland rising by 35% year over year, partly because of recent high-profile attacks on retailers.

"Contributing factors include the sector’s historical reliance on legacy systems, seasonal spikes in consumer activity, and the complexity of managing customer data across distributed environments," the researchers said.

"While these attacks are serious, they also reflect a broader shift in threat actor behavior toward more opportunistic and scalable methods, making retail a prime target."

The researchers found that many organizations are neglecting the basics, with only 54% of organizations enforcing MFA for all users.

“Progress comes when leaders accept that human risk is not just a frontline issue but a shared accountability across the organization," said Marrè.

"Reducing that risk means pairing stronger policies and safeguards with a culture that empowers employees to speak up, learn from errors, and continuously improve.”

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

• Phishing tactics: The top attack trends
• Four tips for implementing effective cybersecurity awareness training
• Malware as a Service explained