In my experience as an FBI agent and security leader, I’ve found that technology alone does not keep us safe. The human element, including our behaviors, our habits, and our decisions, is an ever-present and unpredictable variable in our layers of security. The Arctic Wolf 2025 Human Risk Behavior Snapshot: 2nd Edition brings this into sharp focus, revealing a landscape where employee actions and leadership overconfidence are creating a perfect storm for breaches.
The report, which surveyed over 1,700 IT leaders and end users, uncovers some uncomfortable truths. While organizations are investing in sophisticated defenses, simple human errors and risky behaviors continue to undermine these efforts. The findings are a clear call to action for leaders everywhere: It’s time to bridge the gap between our perceived security posture and the reality of human risk.
Breaches Are on the Rise, and Overconfidence Is a Major Culprit
Let’s start with the starkest finding: 68% of organizations suffered a breach in the past year, an 8% increase from 2024. This is a clear indicator that our current strategies are not keeping pace with the evolving threat landscape, with no indication of a reversal anytime soon. The problem is compounded by a dangerous sense of overconfidence among executives who are otherwise security conscious. Despite the rising number of breaches, a staggering three-quarters of IT leaders still believe their organizations are safe from phishing attacks. But recent data doesn’t support this perception. According to the FBI IC3, more than $6.3 billion (USD) was transferred as part of business email compromise (BEC) scams in 2024. Arctic Wolf researchers found that 72.9% of BEC cases they analyzed were caused by phishing, suggesting that the problem isn’t going anywhere soon.
This confidence is particularly concerning when you consider that nearly two-thirds of these same leaders admitted to clicking on a malicious link. Even more alarming, one in five of those who clicked didn’t report it. Not only are our experts susceptible, but there’s a cultural issue at play where fear or embarrassment prevents transparency. When security leaders aren’t reporting their own missteps, how can we expect frontline employees to do so?
The AI Double-Edged Sword: Innovation vs. Information Leaks
The rapid integration of generative artificial intelligence (AI) into our daily workflows has unlocked incredible productivity, but it has also opened a new frontier of risk. Our report found that 80% of IT leaders and 63% of employees use LLMs for work. While this is likely increasing productivity, it does not necessarily indicate that these leaders and their staff understand the security risks that AI tools bring. A significant portion of these users — 60% of leaders and 41% of staff — admitted to feeding confidential data into these public AI tools.
While this doesn’t expose data automatically, it does create data leakage and exposure risks. The data is out of your control, and you have no visibility into how it will be used, stored, or protected. It also likely violates security controls and compliance requirements of your organization. As we embrace AI, we must establish clear policies and provide secure, private alternatives for handling sensitive information.
The Enduring Challenge of Security Fundamentals
For all the talk of advanced threats, the report highlights that many organizations are still struggling with the basics. Only 54% of organizations enforce multi-factor authentication (MFA) for all users. This is a fundamental control that is proven to be highly effective, yet nearly half of the organizations surveyed are leaving their doors wide open for attackers. Entry-level accounts, often with the least protection, become the easiest path for an attacker to gain a foothold.
Moving From a Culture of Fear to a Culture of Resilience
One of the most striking shifts from last year’s report is the attitude toward employees who make security mistakes. The number of IT leaders who say they would fire staff for falling for scams has jumped from 66% to 77%. While the concern is understandable, a punitive approach is counterproductive. It fosters a culture of fear, discourages reporting, and ultimately makes the organization less secure.
The data shows a better way forward. Companies that prioritize corrective training and education report an 88% reduction in risk. These findings speak to the value of a resilient security culture where employees are empowered to learn from their mistakes without fear of retribution. When we treat human error as a learning opportunity, we build a stronger, more vigilant defense.
A Shared Responsibility
The findings of the 2025 Human Risk Behavior Snapshot: 2nd Edition are a clear reminder that cybersecurity is not just a technology problem, it’s a business problem. Shared accountability that extends from the boardroom to the breakroom is essential to moving beyond overconfidence and embracing a culture of continuous improvement. This means pairing stronger technical safeguards with clear policies, ongoing training, and an environment that encourages open communication. By empowering our people and fostering a culture of security, we can turn our greatest vulnerability into our strongest line of defense.
I encourage you to read the full 2025 Human Risk Behavior Snapshot: 2nd Edition to gain a deeper understanding of these challenges and what they mean for your organization.
