IT and cyber security leaders and end-users alike persist in clicking on phishing links, ignoring password best practice and even disabling security measures on their systems, according to Arctic Wolf’s new report: 2024 Human Risk Behavior Snapshot.
The report, which analysed the cyber security attitudes of both IT leaders and end-users around the world, revealed that while 80% of IT and cyber security leaders are confident their organisations won’t fall for a phishing attack, 64% of them have clicked on phishing links themselves. Equally concerning, 36% of IT and cyber security leaders have at least once disabled security measures on their systems.
Sixty-eight percent of them admit to re-using system passwords, compared with the 64% of end-users who do so. While 85% of IT and cyber security leaders say they require employees to change their password at least every 90 days, only 73% of end-users do so and 25% are accessing company files and systems using passwords that are more than three months old.
Jason Oehley, regional sales manager at Arctic Wolf Networks, says: “The report shows a massive gap between perception and reality. Cyber security leaders may have unwarranted levels of confidence in their ability to withstand cyber attacks. Organisations have all the necessary security policies and technologies in place, but people aren’t following security protocols. Not even the cyber security leaders are doing so.”
Fear of termination
Oehley points to another finding in the study: while 85% of IT and cyber security leaders think employees feel comfortable reporting security incidents to the appropriate channels, in reality, only 77% of end-users do.
“Forty-five percent of those who are reluctant to report security incidents say they are worried it will impact their employment,” he says.
“It seems they are right to be concerned – 27% of IT and cyber security leaders have witnessed an employee termination for falling victim to a scam, and another 39% would be prepared to terminate someone’s employment if they fell victim to a scam. Employees have to feel comfortable reporting incidents, so that learnings can be built into future plans and security can be strengthened.”
Training slashes risk
The study also found that risk falls significantly when security awareness training is engaging, relevant and delivered regularly. Forty percent of IT and cyber security leaders whose security awareness training happens quarterly have not experienced a breach in the past year, as opposed to 14% of leaders whose training is weekly.
Oehley says: “The report found a direct correlation between those who receive frequent training and those displaying the most robust attitudes to security. For example, 91% of IT and cyber security leaders trained at least quarterly require password changes every 30 days.”
Oehley adds: “It’s worth noting that nearly 20% of cyber security leaders and around 24% of end-users think their training is either outdated or boring. This doesn’t help instil a security culture and keep cyber security top of mind. It’s important to tailor the content to be fresh, relevant and engaging to maintain effectiveness and create a security culture instead of a culture of blame.”
Arctic Wolf also recommends implementing a robust password management system and encouraging the use of unique, strong passwords for different accounts, with multifactor authentication (MFA) to add an extra layer of security.