IT Leaders’ Risk Behaviors Often Undercut Their Own Cybersecurity Measures, Report Finds
Adam Marrè, chief information security officer at cybersecurity firm Arctic Wolf, discusses the role of human fallibility in cyber defense
It’s a surprising statistic: While 80% of IT and security leaders believe their organization is not vulnerable to a phishing attack, 64% have themselves clicked on a phishing link, according to a recent report from the cybersecurity firm Arctic Wolf.
As the global cyberthreat system evolves, the cost of incursions like those phishing scams is steadily increasing. The worldwide average cost of a cybersecurity intrusion reached an all-time high of $4.88 million in 2024, according to IBM’s annual “Cost of a Data Breach Report.” Social engineering attacks are becoming ever more refined, leveraging deepfake technology and AI to strike their targets. Cybersecurity risks—and the stakes—have never been higher.
But while cybercriminals are becoming increasingly sophisticated, security and IT professionals have both a major risk factor and a potent weapon against cybercrime in their defensive arsenal—people.
Navigating the Human Factor
Arctic Wolf’s 2024 Human Risk Behavior Snapshot report explores the human side of cybersecurity. Drawing data from over 1,500 senior IT and security leaders, along with end users from 16-plus countries, the report highlights how human factors can create security failures. The report also outlines measures that security practitioners can take to mitigate those risks.
Adam Marrè is the chief information security officer at Arctic Wolf. A former FBI agent, he believes that employees are at the core of an effective digital security strategy. “Cybersecurity isn’t just about technology—it’s about people,” he explains. “We need to give them the ability to do their jobs, so there’s always going to be the opportunity to socially engineer or trick them into doing something. It’s not necessarily a new problem, but the technologies that cybercriminals are using are new.”
And those new technologies are working—in part because of overconfidence in the security industry. The report found that, while 82% of IT and cybersecurity leaders are confident in their company’s ability to deal with a cyberattack, 64% have experienced more than one breach in the past 12 months.
The issue begins at the top, with those charged with protecting against cybercrime. The Arctic Wolf report found that many IT and cybersecurity leaders do not consistently follow basic cyber hygiene practices in their own security. Sixty-eight percent of IT and security leaders reuse passwords, and, shockingly, 36% of security and IT professionals have disabled one or more of their own security measures.
The report also found that many IT and security professionals need to create or enforce basic cybersecurity policies. Just 59% enforce multifactor authentication (MFA) for all users. And while 85% of security and IT leaders require employees to change their passwords every 90 days, just 77% of employees actually do.
Poor cybersecurity hygiene isn’t just found among IT and security leaders. Sixty-four percent of end users also admit to reusing their passwords, and over 25% keep passwords for over three months. Just 41% of employees say they always lock their screens when stepping away from their desks.
Such human behaviors create many security gaps that threat actors can exploit. And as the sophistication of cyberattacks continues to grow, so do the risks.
AI-Enabled Attacks Capitalize on Human Fallibility
Exploiting the human loophole, artificial intelligence (AI) is increasingly being used to penetrate cybersecurity defense systems. In a 2024 article, the World Economic Forum warns about a coming avalanche of AI-powered cyberattacks, including increasingly sophisticated deepfake scams, targeted social engineering attacks, and AI programs designed to exploit security vulnerabilities.
Marrè says that even novice cybercriminals can leverage AI. “AI is helping criminals who are not technically trained to exploit flaws in code or create very tailored and highly targeted spear phishing attacks,” he explains.
And many organizations are behind the curve regarding the new security risks AI poses. The Arctic Wolf report found that just 60% of IT and cybersecurity leaders have an organizational AI policy. Even more troubling, of those that do have an AI policy, just 29% of end users are aware of it.
But while AI is giving cybercriminals new ways to penetrate organizational security measures, it’s also an exciting cyber defense tool. Marrè said cybersecurity leaders are leveraging AI in many ways, from rapidly filtering through enormous data sets like network flow logs, to leveraging user behavior analytics to flag potential risks.
“We’ve used these new AI tools to detect and successfully prevent attacks as they occur, in some cases to amazing effect,” said Marrè. “I have a lot of optimism for the future of AI within the cybersecurity industry and our ability to protect and defend our customers with these new tools.”
A Triple-Pronged Defense: Educate, Equip and Empower
But even as AI changes the game on all sides, Marrè still believes that protecting against threat actors still comes back to the same risk mitigation strategy—people.
Education is the core of an effective approach to cybersecurity, but according to Marrè, formulaic annual security awareness education is deeply ineffective and doesn’t give employees the tools they need to combat today’s sophisticated cyberthreats. Security and IT leaders should facilitate frequent, relevant and engaging security awareness training to cultivate a vigilant and security-focused workforce. But many organizations aren’t currently doing so—the Arctic Wolf report found that just 31% of end users found their current security training engaging.
Equipping employees and IT teams with the right tools and policies to foil cybersecurity attacks is also a critical step. From basic tools like MFA and forced password changes to more advanced strategies like adaptive authentication, organizations must equip themselves against an evolving cybersecurity landscape. New options on the horizon, like AI models trained to detect concerning security actions at the individual employee level, will offer ever more advanced threat protection.
Empowering employees to detect and report potential cyberthreats, the third prong of an effective strategy, often requires a cultural shift throughout the organization. The Arctic Wolf report found that while 85% of IT and cybersecurity leaders believe that their employees would feel comfortable reporting a security incident, just 77% of end users actually do. Such concern may be justified: 27% of IT and cybersecurity leaders have terminated an employee for becoming the victim of a cyberattack.
In the War on Cybercrime, People Are Key
At the end of the day, creating a culture of security rather than a culture of blame is the key to cyber resilience and empowering a workforce that can help detect and prevent security threats. As Marrè says, “We need to move away from blaming the humans. As leaders, we must do everything we can to empower them to do the right thing.”