Survey: 6 in 10 IT, Security Workers Use Bad Cyber Hygiene
Arctic Wolf Survey Says Security Leaders Are Overconfident About Security Controls
Most IT and cybersecurity leaders worldwide engage in risky cybersecurity behaviors and do a poor job managing passwords, detecting phishing attacks and following security protocols. In fact, six in 10 professionals recently surveyed by Arctic Wolf admitted to clicking on phishing links and reusing passwords.
Arctic Wolf surveyed 750 IT and cybersecurity leaders worldwide, including 100 IT and security leaders from Australia and New Zealand. The report observed a wide gap between what cybersecurity leaders profess and their personal security practices. Arctic Wolf found a similar gap between what leaders think and what their employees think of cybersecurity practices.
For example, about 80% of IT and cybersecurity leaders said their IT security practices can sufficiently defeat phishing scams, but 64% admitted that they have clicked on phishing links at least once. In the ANZ region, 70% of IT and security leaders had clicked on a phishing link. Employees fared even worse: 83% of employees have clicked on phishing simulation links at least once.
Arctic Wolf found that 68% of IT and cybersecurity leaders reuse passwords, with most of them doing so frequently. Over half of them rely on memory, written notes or spreadsheets to remember system passwords rather than using secure password management tools.
According to the survey, 36% of respondents said they disabled security measures on their system.
"Considering IT and cybersecurity leaders have access to what attackers consider the crown jewels of the organization - administrator accounts, executive machines, and critical business systems - this behavior clearly increases risk," Arctic Wolf said.
The Arctic Wolf survey echoed findings of a 2024 Cybersecurity Readiness Index report by Cisco, which found that 80% of companies feel confident in their ability to stay resilient despite their substantial lack of readiness amid growing cyberthreats. "It does underline a gap that suggests companies may have misplaced confidence in their ability to navigate the threat landscape and are not properly assessing the true scale of the challenges they face," the company said.
While 9 out of 10 organizations globally increased their cybersecurity budgets over the past 12 to 24 months and implemented a variety of cybersecurity solutions, they also faced talent shortages. Cisco also said almost every organization has more than 10 point solutions in its security stack, making incident detection and response more complicated.
"As digitization has picked up pace, and as threats continue to evolve and become more sophisticated, this approach is now having the exact opposite effect. Four in five companies, 80%, admit that having multiple point solutions is slowing down their team's ability to detect, respond to and recover from incidents," Cisco said.
Part of the problem is that people tend to place a high degree of faith in technical solutions and controls, inadvertently putting their guard down and exposing themselves to cybersecurity risks, according to researchers at the University of Adelaide and Australia's Department of Defense in a recent paper.
"For example, an employee may choose to click on a link in a potentially suspicious but interesting email because they believe that their actions will be safeguarded by their organization's cyber security controls," the researchers said. "While the information security policies tell people what to do, an understanding of the fallibility of technical safeguards relates to why people should behave in a certain way and, as such, this type of knowledge is not included in extant information security awareness measures."