Arctic Wolf report reveals IT security gaps in A/NZ region
Arctic Wolf has published its 2024 Human Risk Behaviour Report, revealing concerning security practices among IT leaders in Australia and New Zealand.
The report, developed in conjunction with Sapio Research, surveyed over 1,500 senior IT and security decision-makers and end users across sixteen countries, including 100 IT leaders and 100 end users specifically from the Australia and New Zealand (A/NZ) region.
In the context of increasingly sophisticated threats facilitated by artificial intelligence tools, the Human Risk Behaviour Report aims to provide business leaders and security practitioners with insights into common human risk elements within organisations.
The findings for the A/NZ region highlighted several areas of concern. Over two-thirds of IT leaders and general end users admitted to reusing passwords, indicating a significant challenge in maintaining strong password hygiene.
Furthermore, the report disclosed that over two-thirds of IT leaders have fallen for phishing attacks, despite their confidence to the contrary. Specifically, 84% of IT professionals indicated confidence that their organisations are impervious to phishing attempts, yet 70% acknowledged they have clicked on phishing links themselves.
Adam Marre, Chief Information Security Officer at Arctic Wolf, emphasised the persistent vulnerabilities associated with human behaviour, stating, "Protecting against the human element is a concern security practitioners have held as a top priority for years – and the data in the 2024 Arctic Wolf Human Risk Behaviour Report proves both leaders and end users still have a lot of work to ensure that they as individuals aren't adversely impacting the overall security of their organisations."
The report also found that the consequences of security lapses can be severe, with 30% of IT leaders witnessing employee terminations due to falling victim to scams. Additionally, it was noted that 42% of IT leaders acknowledged disabling security measures on their systems, calling into question the robustness of security practices.
On artificial intelligence policies, the findings showed that while 62% of IT leaders reported that their organisations had established AI policies, only 25% of end users were aware that these policies existed, pointing to a gap in communication and policy dissemination.
Adam Marre further commented on the need for an evolved approach to cybersecurity training. He said, "Cybersecurity isn't just about technology – it's about people. As threat actors grow more sophisticated, security leaders must move beyond traditional security training methods and adopt a comprehensive human risk management strategy that will not only help them to better identify and mitigate threats, but more importantly foster a more proactive and security-conscious workforce."
Arctic Wolf's report advocates for a shift from traditional, annualised security awareness training, which has been criticised for its "check the box" approach, towards a continuous human risk management framework. This approach is designed to engage employees more effectively, equipping them with the knowledge to respond to the latest security threats and fostering a culture of security rather than a culture of blame.