Hardening of Attitudes

Arctic Wolf’s 2025 Human Risk Behaviour Snapshot reveals that 77 per cent of IT and security leaders say they have (or would) sack an employee for falling for a phishing or social engineering scam, up from 66 per cent in 2024. The report describes this shockingly high statistic as the result of a significant hardening of attitudes among security professionals, despite continuing increases in attack volume and breach rates.

The Scale

The study, which surveyed more than 1,700 IT leaders and end users globally, found that 68 per cent of organisations suffered at least one breach in the past year. The UK and Ireland, for example, recorded some of the steepest rises, partly due to high-profile incidents in the retail sector. Arctic Wolf notes that many firms are still failing to implement basic measures, with only 54 per cent enforcing multi-factor authentication (MFA) for all users.

Sacking Doesn’t Solve The Problem

The same report also found that organisations taking an education-first approach rather than firing staff saw an 88 per cent reduction in long-term human risk. According to Arctic Wolf’s Chief Information Security Officer, Adam Marrè, “Terminating employees for falling victim to a phishing attack may feel like a quick fix, but it doesn’t solve the underlying problem.”

A Strong Policy Signal

The findings of the report appear to highlight a growing gap between confidence and capability. For example, three-quarters of leaders said they believed their organisation would not fall for a phishing attack, yet almost two-thirds admitted they have clicked a phishing link themselves, and one in five said they failed to report it.

Corrective Action Instead of Dismissal

It should be noted that, in the same survey, more than six in ten leaders said they had taken corrective action against employees who fell for phishing scams by restricting or changing access privileges, which Arctic Wolf suggests is a more constructive approach than dismissal.

Executives Are Valuable Targets For Cybercriminals

In fact, the company’s own data also shows that 39 per cent of senior leadership teams were targeted by phishing and 35 per cent experienced malware infections, highlighting how executives themselves are often the most valuable targets for attackers.

“When leaders are overconfident in their defences while overlooking how employees actually use technology, it creates the perfect conditions for mistakes to become breaches,” Marrè said. He added that the most secure organisations “pair strong policies and safeguards with a culture that empowers employees to speak up, learn from errors, and continuously improve.”

Confidence Vs Behaviour

The Arctic Wolf report appears to highlight a clear contradiction. For example, while most security leaders view phishing as a frontline employee issue, they are actually statistically among the most likely to make the same mistakes. Many also admit to disabling or bypassing security systems. For example, 51 per cent said they had done so in the past year, often claiming that certain measures “slowed them down” or made their work harder.

This gap between stated policy and personal practice is what Marrè describes as “a major blind spot and degree of hubris among some security leaders.” The report concludes that leadership culture sets the tone for the rest of the organisation, and that inconsistency at the top erodes credibility and weakens defences.

Who Is Really Falling For Phishing In 2025?

The question of who gets caught out most is not as simple as it might appear. For example, Arctic Wolf’s data indicates that senior staff, not junior employees, are often prime targets because of their privileged access and decision-making authority. The company found that nearly four in ten executive teams experienced phishing attempts, compared with lower rates among general staff.

Other research appears to support this pattern. For example, Verizon’s 2025 Data Breach Investigations Report confirms that social engineering remains one of the top causes of data breaches, accounting for more than two-thirds of all initial intrusion methods. Its analysis identifies finance, healthcare, education, and retail as the most heavily targeted sectors. Attackers exploit trust, urgency, and routine workflows to trick users into sharing credentials or downloading malware.

New Hires More Likely To Click

Also, a mid-2025 study by Keepnet, reported by Help Net Security, found that 71 per cent of new hires clicked on phishing emails during their first 90 days, making them 44 per cent more likely to fall victim than longer-serving staff. The main reasons were unfamiliar internal systems, a desire to respond quickly to apparent authority figures, and inconsistent onboarding security training. The same research found that structured, role-specific training reduced click rates by around 30 per cent within three months.

Retail Legacy Systems An Issue

Retail has also seen a marked increase in phishing incidents across the UK and Ireland. Arctic Wolf attributes this to the industry’s reliance on legacy systems, seasonal sales spikes, and the complexity of managing large volumes of customer data. The company says these factors have made retail “a prime target” for opportunistic and scalable attacks.

Can Employers Really Sack Staff For Clicking A Phishing Email?

In the UK, simply sacking an employee for falling for a phishing email is legally possible but rarely straightforward. For example, under the Advisory, Conciliation and Arbitration Service (Acas) Code of Practice, an employer can only dismiss fairly if they have both a valid reason, such as misconduct or capability, and have followed a fair and reasonable procedure.

For a dismissal to be lawful, the employer must investigate properly, give the employee a chance to respond, and ensure the sanction is proportionate. Even where a phishing incident causes financial loss or reputational damage, the question is whether the individual acted negligently or was misled despite reasonable training and policies. In most cases, a first-time mistake caused by deception would not actually meet the threshold for gross misconduct.

Unfair Dismissal?

It’s worth noting here that employees with two years’ service can bring a claim for unfair dismissal if they believe the reason or process was unreasonable. Employment tribunals are required to take the Acas Code into account, and may increase or reduce compensation by up to 25 per cent if either side fails to follow it. This means employers that act punitively without clear evidence or consistent practice could face costly legal challenges.

Most employment lawyers, therefore, recommend a corrective rather than disciplinary response, especially where the organisation’s training or technical safeguards may have been insufficient. Arctic Wolf’s data reflects this tendency, with many leaders actually opting to limit access rights rather than dismiss staff outright after a phishing incident.

Ethics And Culture

Beyond legality, there is an ethical debate here to take account of which focuses on culture and transparency. For example, the UK’s National Cyber Security Centre (NCSC) advises that creating a “no-blame reporting culture” is one of the most effective ways to reduce security risk. Its guidance stresses that employees should feel safe to report suspicious emails or mistakes immediately, without fear of reprisal.

In fact, it is well known that when punishment is the first response, employees often stay silent. Arctic Wolf’s own findings appear to bear this out, i.e., one in five security leaders who clicked a phishing link failed to report it. That silence can allow breaches to escalate before they are detected.

Human Error Inevitable

Security experts argue that treating human error as inevitable, and training people to respond effectively, is far more effective than zero-tolerance policies. Marrè says that “progress comes when leaders accept that human risk is not just a frontline issue but a shared accountability across the organisation.” He advocates regular, engaging training that reflects real threats, backed by leadership example and open communication.

The Double Standard In Practice

The data from this and other reports appears to paint a clear picture of contradiction at the top. For example, many of the same leaders who advocate sacking staff for phishing errors have clicked links themselves or disabled controls that protect the wider organisation. Arctic Wolf’s report describes this as “a culture of ‘do as I say, not as I do’,” warning that it undermines credibility and increases exposure to social engineering attacks.

Phishing Now More Sophisticated

One other important factor to take into account here is the fact that phishing techniques have also grown more sophisticated. For example, attackers now use AI-generated emails, cloned websites, and real-time chat-based scams to trick users into sharing credentials. Even experienced professionals can, therefore, struggle to spot these messages, particularly when they appear to come from known suppliers or senior colleagues.

AI Supercharges Phishing Success

Microsoft’s 2025 Digital Defence Report shows that AI-generated phishing emails are 4.5 times more likely to fool recipients, achieving a 54 per cent click-through rate compared with 12 per cent for traditional scams. The company says this surge in realism and scale has made phishing “the most significant change in cybercrime over the last year”.

Microsoft also estimates that AI can make phishing campaigns up to 50 times more profitable, as attackers use automation to craft messages in local languages, tailor lures, and launch mass campaigns with minimal effort. Beyond email, AI is now being used to scan for vulnerabilities, clone voices, and create deepfakes, transforming phishing into one of the fastest-growing and most lucrative attack methods worldwide.

Initial Compromise Comes From Phishing

Industry-wide data continues to show that phishing is the most common initial attack vector in business email compromise, ransomware, and credential theft cases. Verizon’s latest data shows phishing accounts for roughly 73 per cent of initial compromise methods, followed by previously stolen credentials. These statistics underline how difficult it is to eliminate human error entirely, even in well-trained environments.

Arctic Wolf argues that genuine progress actually requires leading by example rather than blaming employees. In its report, the company’s closing recommendations include continuous education, practical simulations, and building a culture that rewards honesty over silence. Its research concludes that organisations where employees feel confident to report mistakes are significantly less likely to experience repeat incidents, and far more likely to detect breaches early.

What Does This Mean For Your Business?

The findings appear to highlight a cultural challenge within cyber security. Punishing individuals for mistakes that even experienced leaders admit to making risks undermining the very trust and openness that strong defences depend on. The evidence shows that while technical safeguards such as MFA and endpoint protection are essential, they are not enough on their own. What really differentiates resilient organisations is how they handle human error, whether they choose to learn from it or treat it as grounds for dismissal.

For UK businesses, the implications are significant. A strict zero-tolerance policy towards phishing may appear decisive, but it can also damage morale, suppress reporting, and expose employers to potential legal and reputational risks. Dismissing staff without due process could also lead to unfair dismissal claims, while a culture of fear can discourage the transparency needed to contain attacks quickly. By contrast, firms that take a measured, education-focused approach tend to see fewer repeat incidents, faster recovery times, and stronger employee engagement in security.

The message from Arctic Wolf’s data is that leadership example matters most. When senior executives model good cyber hygiene, acknowledge their own vulnerabilities, and support open communication, staff are far more likely to follow suit. Creating an environment where everyone feels responsible for reporting threats, and confident they will be supported for doing so, delivers a far greater return than any punitive measure.

For regulators, investors, training providers and others, the findings reinforce the importance of human-centred strategies that combine accountability with education. As phishing continues to evolve in sophistication, organisations across all sectors must balance clear policy enforcement with a recognition that even the best-informed professionals can make mistakes. The organisations that respond to that reality with fairness, transparency, and leadership integrity will be the ones best equipped to withstand the next wave of attacks.

The post Featured Article : 77% of Security Leaders Would Sack Phishing Victims appeared first on Mear Technology.

The Study and Report

The analysis comes from the British Standards Institution’s new insight report, ‘Evolving Together: AI, Automation and Building the Skilled Workforce of the Future’. It surveyed more than 850 business leaders across eight countries, including the UK, and used AI tools to review 123 company annual reports to see how often themes such as automation, upskilling, and training appeared. The study set out to understand how employers are using AI, which roles are being affected, and what this means for workforce development and future talent pipelines.

What Employers Are Doing

The key finding of the report appears to be that employers are now actively testing AI before employing people. The report says that nearly a third of business leaders said their organisation explores an AI solution before considering a human hire. Two in five said AI is already helping them reduce their headcount, while a similar number reported that entry-level roles had already been reduced or cut as AI took on research and administrative work. Looking ahead, 43 per cent said they expect further reductions in junior roles over the next year. In the UK, 38 per cent of leaders expect to cut junior positions, and three quarters said AI is already helping reduce headcount.

The language appearing in company reports appears to tell a similar story. For example, the term “automation” appeared nearly seven times more often than “upskilling”, “training”, or “education”, suggesting that businesses are now prioritising cost reduction and efficiency over long-term workforce investment. Over half of those surveyed also said the benefits of implementing AI outweigh the disruption to jobs.

Why?

It seems that employers are framing AI as a route to productivity and competitiveness. For example, 61 per cent cited productivity and efficiency as a main reason for investing in AI, 49 per cent pointed to cost reduction, and 43 per cent said AI helps fill skills gaps. However, the BSI report notes that competitive pressure may be driving these decisions as much as actual evidence of success. Many businesses are keen not to appear behind their rivals, even if financial results are uncertain.

What It Means For Gen Z And Early Careers

For younger workers entering the job market, it looks as though the picture is becoming more challenging. Adzuna data shows that UK entry-level vacancies have fallen by about a third since late 2022, with such roles now representing a smaller share of all job postings. Also, Indeed has reported a one-third year-on-year fall in graduate listings, marking the toughest market since 2018. The BSI study captures the employer side of this trend, where a quarter of bosses believe all or most entry-level tasks could now be handled by AI.

BSI’s leaders warn about the long-term cost of this approach. “AI represents an enormous opportunity for businesses globally, but as they chase greater productivity and efficiency, we must not lose sight of the fact that it is ultimately people who power progress,” said Susan Taylor Martin, chief executive of BSI. She called for long-term workforce investment alongside AI spending. Kate Field, BSI’s global head of human and social sustainability, added that prioritising short-term productivity over early-career development risks weakening the skills pipeline and deepening generational inequality.

Signals From The Labour Market

The UK labour market itself has cooled through the summer. Official figures show unemployment at 4.7 per cent between May and July, a four-year high. Economists caution against linking this entirely to AI adoption, although the technology is clearly reshaping entry-level hiring.

International bodies are also monitoring exposure. For example, the International Monetary Fund estimates around 60 per cent of jobs in advanced economies could be affected by AI, with roughly half of these potentially seeing lower demand for human labour. The Organisation for Economic Co-operation and Development (OECD) has also found that about a third of vacancies are in occupations highly exposed to AI, with the UK near the top of that range. These findings support the idea that early-career, white-collar roles are among the most vulnerable to rapid automation.

Implications For Employers And Businesses

For companies, the short-term benefits are obvious. For example, AI can automate repetitive tasks, consolidate workflows, and reduce costs in areas such as administration, research, and reporting. However, the medium-term risk is quite significant. If firms eliminate entry-level positions faster than they develop new skills, they could face shortages of experienced managers and specialists later on. BSI’s analysis shows that larger companies are moving faster on headcount reduction than small and medium-sized enterprises (SMEs), but they are also more likely to have a formal AI learning and development programme. That leaves SMEs in a difficult position, potentially expected to train the next generation of workers while competing for scarce talent.

What About ROI?

Return on investment is another area of uncertainty. For example, IBM’s 2025 CEO Study reported that only a quarter of AI initiatives had actually delivered expected results in recent years, and an MIT-linked study this summer found that most enterprise generative AI projects produced no measurable effect on profit or efficiency. An EY survey of nearly a thousand large companies reached similar conclusions, finding that many experienced early financial losses due to compliance issues, inaccurate outputs, and operational disruption. These findings suggest that while firms are enthusiastic about AI, many are still learning how to achieve any real value from it.

Employees And The Economy

For workers, especially Gen Z, the decline in entry-level roles reduces opportunities to gain essential experience. That has implications for career progression, pay growth, and social mobility. The BSI findings also highlight sentiment among managers, more than half of whom said they feel lucky to have started their careers before AI became widespread. This fuels perceptions among younger people that they face a more precarious employment landscape. The Trades Union Congress has also reported that half of UK adults worry AI could alter or take their job, underlining growing anxiety around the technology’s impact on employment.

At the wider economic level, a balanced transition is crucial. For example, international studies suggest that AI can raise productivity if it’s paired with investment in human skills. The OECD links high AI exposure with rising demand for management, social, and digital capabilities, while the IMF stresses that policy and employer choices will determine whether AI adoption produces better jobs or simply less work. It should be noted that the direction is not inevitable, but depends on how businesses and governments respond.

Other Stakeholders

For AI providers, the BSI data signals strong short-term demand for automation tools, especially those aimed at streamlining office-based and knowledge roles. It also points to increasing scrutiny. Employers are demanding clearer evidence of ROI, and policymakers are watching workforce impacts closely. Some commentators, for example, are warning about inflated AI valuations, and the IMF has highlighted the risk of market concentration among a few large AI firms. For educators and training providers, the opportunity is equally clear. If businesses are automating junior roles, then building AI literacy and human-centred skills such as creativity, empathy, and collaboration into education and early careers becomes increasingly essential.

Challenges And Criticisms

Taking a step back, three key issues appear to stand out from all this:

1. An over-reliance on automation without parallel investment in upskilling risks hollowing out future leadership pipelines. The imbalance in corporate language, where automation dominates over training, suggests short-termism.

2. ROI from AI remains inconsistent. For example, surveys from IBM, MIT, and EY show that many organisations either struggle to capture financial gains or face early project losses, raising doubts about the business case for replacing human development with automation.

3. There is now a widening gap between large and small employers in their ability to offer AI-related training. That leaves SMEs carrying much of the responsibility for developing Gen Z talent while lacking the same resources as bigger corporations.

BSI’s leaders emphasise that an AI-enabled workforce still needs to be developed. The report concludes that “the future belongs to skills that machines can’t replicate—for example, creativity, empathy, and collaboration.” Businesses, it says, must evolve to nurture these human strengths alongside technical literacy if they want to remain competitive and sustainable.

Looking Ahead

Looking ahead, hiring trends at the entry level are likely to be the key measure. Job-board data through 2025 already shows fewer openings in several professional fields even as AI-related roles expand. Policy direction will also be crucial. The British Standards Institution and other regulators are expected to continue shaping frameworks for responsible AI adoption. Measuring productivity outcomes and workforce investment side by side will determine whether this phase of AI-driven restructuring delivers lasting value, or leaves a generation behind.

What Does This Mean For Your Business?

The findings in the report suggest that the next stage of AI adoption will test how well businesses balance efficiency with long-term workforce stability. Employers that continue cutting entry-level positions without replacing them with structured learning or graduate pathways could soon face internal skills gaps that limit growth. For UK businesses, this raises a strategic question about sustainability. For example, automation can reduce costs, but without a consistent flow of skilled recruits, firms may find themselves competing for an ever-smaller pool of experienced professionals, pushing up wages and weakening future competitiveness.

There are also wider economic implications to consider. A reduction in entry-level hiring may suppress social mobility and delay young workers’ transition into full employment, which in turn affects consumer spending and tax revenues. Economists have warned that productivity gains from AI will only materialise if human capital keeps pace with technology. For policymakers, the challenge will be encouraging responsible innovation while safeguarding the foundations of the labour market. The BSI’s call for long-term thinking reflects growing concern that the UK’s current AI strategy must be paired with investment in training and skills if the benefits are to be shared across society.

For AI companies, the trend creates both opportunity and risk. Demand for automation is strong, but expectations are rising. Businesses are beginning to scrutinise outcomes more closely and may demand clearer, measurable returns. Providers that can demonstrate reliability, data security, and real efficiency improvements will be best placed to maintain momentum once early enthusiasm fades. Education and training providers also stand to gain if they can help bridge the gap between technical capability and human development, ensuring that younger workers can work effectively with, rather than against, AI systems.

Beyond the headline story here, the more rounded message emerging from the BSI’s report, is that the path forward cannot rely solely on automation. Businesses, governments, and educators will need to work together to build a future workforce that complements AI rather than competes with it. Without that alignment, the short-term pursuit of productivity could come at the long-term expense of capability, resilience, and opportunity.

The post Featured Article : Employers Choose AI Over Gen Z appeared first on Mear Technology.