New research highlights the surprising susceptibility of IT and security leaders to phishing attacks, revealing gaps in human-related defenses at the executive level.
Arctic Wolf’s 2025 Human Risk Behavior Snapshot reveals the trends in, and concerns about, the attitudes of IT leaders and end users in today’s changing threat landscape. It surveyed 1,700 IT leaders and employees worldwide, revealing that even those responsible for protecting organizations are frequently targeted and, in many cases, are not immune to social engineering campaigns.
Alarming Statistics on IT Leadership Risk
- High Incidence of Phishing Clicks: A concerning 65% of senior IT executives have clicked on phishing links, demonstrating that technical expertise does not necessarily mean immunity to social engineering.
- Underreporting Creates Blind Spots: 17% of those who clicked on phishing links did not report the incident, leaving organizations exposed to undetected threats as they are unaware of their true risk level.
- Repeat Vulnerabilities: 11% of IT leaders admit to having clicked on phishing links more than once without reporting them, compounding the risk to their organizations.
- Consequences for Human-Related Security Failures are Steep: 27% of IT leaders have terminated an employee for falling victim to a scam like phishing.
“The rise of generative AI has created powerful new tools—but also powerful new risks. When leaders are overconfident in their defenses while overlooking how employees actually use technology, it creates the perfect conditions for mistakes to become breaches,” said Adam Marrè, senior vice president and chief information security officer at Arctic Wolf.
“Progress comes when leaders accept that human risk is not just a frontline issue but a shared accountability across the organization. Reducing that risk means pairing stronger policies and safeguards with a culture that empowers employees to speak up, learn from errors, and continuously improve.”
Addressing Human Risk in Organizations
The survey reinforces that traditional, annual security awareness programs are insufficient for modern threats, and that approaching compliance like a check-box exercise is ineffective. Employees, including IT leaders, need to be continuously engaged and educated to keep up with evolving phishing tactics and AI-driven attacks.
According to the findings, 88% of IT leaders who implemented remediation, including better training and better equipping of users, saw a positive outcome from that effort. That means building a culture of security based on knowledge rather than fear. Worryingly, however, 31% said they did not consider “building a culture” of security awareness to be a primary objective.
The Bottom Line
As attackers increasingly target executives and technical staff, organizations cannot rely solely on technology to safeguard assets. Ongoing training, proactive human risk management, and transparent reporting are critical to reducing exposure and ensuring leaders serve as both defenders and role models in cybersecurity practices.