'Leaders must move beyond traditional training methods and adopt a comprehensive human risk management strategy'
Overconfidence among IT professionals in Australia and New Zealand appears to undermine cybersecurity efforts, according to a new report from Arctic Wolf.
The 2024 Human Risk Behaviour Report, based on a survey of more than 1,500 IT and security decision-makers worldwide, reveals that a significant percentage of ANZ IT leaders have fallen victim to phishing attacks, despite their assurances to the contrary.
The report shows that 84% of IT leaders in the region are confident their organisation will not fall for a phishing attack. However, 70% of those same leaders admitted to clicking on phishing links themselves.
The disconnect reflects massive concerns worldwide that organisations are being "overconfident" amid the emerging threats in the cybersecurity landscape.
"Cybersecurity isn't just about technology – it's about people. As threat actors grow more sophisticated, security leaders must move beyond traditional security training methods and adopt a comprehensive human risk management strategy that will not only help them to better identify and mitigate threats, but more importantly foster a more proactive and security-conscious workforce," said Adam Marre, chief information security officer, Arctic Wolf, in a statement.
The advice comes as the consequences of human-related security failures can be severe, with 30% of IT leaders reporting that an employee has been terminated for falling victim to a scam.
The report highlighted a troubling trend of negligence among IT professionals regarding security protocols.
Nearly half (42%) of IT leaders have disabled security measures on their systems, potentially exposing their organisations to greater risks. Another 67% of IT and cybersecurity leaders also admitted to reusing passwords across multiple systems.
Arctic Wolf's report says its findings indicate that traditional security awareness training, which often takes a "check the box" approach to compliance, is ineffective in engaging employees or preparing them for contemporary threats.
"Protecting against the human element is a concern [that] security practitioners have held as a top priority for years – and the data… proves both leaders and end users still have a lot of work to ensure that they as individuals aren't adversely impacting the overall security of their organisations," Marre said.