77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thing
A new report uncovers worrying complacency amongst IT and security leaders
While enterprises place a huge emphasis on educating workers to look out for phishing scams, the worst offenders when it comes to clicking malicious links are actually security leaders themselves.
That’s according to new research from Arctic Wolf, which found that despite three-quarters of IT and security leaders believing their organization wouldn’t fall for a phishing attack, nearly two-thirds click phishing links.
Notably, one-in-five failed to report falling for a malicious link or phishing email.
Adam Marrè, senior vice president and chief information security officer (CISO) at Arctic Wolf, said the study highlights a major blind spot and degree of hubris among some security leaders.
"When leaders are overconfident in their defenses while overlooking how employees actually use technology, it creates the perfect conditions for mistakes to become breaches,” he said.
Yet despite their own poor record, 77% of IT leaders say they would fire staff who fall for scams, marking not only a double standard but a sharp increase from 66% in 2024.
More than six in ten IT leaders have changed or limited employees' access after those employees fell victim to phishing scams.
Better training and culture required to stop phishing scams
Arctic Wolf said a better strategy to combat the rise of phishing attacks lies in more robust training for staff at all levels. Indeed, companies that emphasize corrective training reported an 88% reduction in long-term risk.
“Terminating employees for falling victim to a phishing attack may feel like a quick fix, but it doesn’t solve the underlying problem," said Marrè.
"Our research shows that better-trained and better-equipped end users are far less likely to be duped — and when organizations take an education-first approach, nearly nine in ten see positive outcomes."
Attacks keep on coming
The call to action comes at a critical time for enterprises. The number of incidents is surging worldwide, according to Arctic Wolf, with 68% of IT leaders saying their organization suffered a breach in the past year.
This marks an 8% increase from 2024. More than one-in-ten had more than five breaches, while only 30% reported none.
Senior leadership teams are a prime target, the study noted, with 39% hit by phishing attempts and 35% facing malware infections that put high-value accounts at risk.
The UK, Australia, New Zealand and Ireland saw the steepest year-over-year increases; the number of incidents in the UK and Ireland rose by 35%, partly because of recent high-profile attacks on retailers.
"Contributing factors include the sector’s historical reliance on legacy systems, seasonal spikes in consumer activity, and the complexity of managing customer data across distributed environments," the researchers said.
"While these attacks are serious, they also reflect a broader shift in threat actor behavior toward more opportunistic and scalable methods, making retail a prime target."
The researchers found that many organizations are neglecting the basics, with only 54% enforcing MFA for all users.
“Progress comes when leaders accept that human risk is not just a frontline issue but a shared accountability across the organization," said Marrè.
"Reducing that risk means pairing stronger policies and safeguards with a culture that empowers employees to speak up, learn from errors, and continuously improve.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.