Executives are the new phishing risk

Senior leaders are falling for phishing more than entry-level staff. The human layer of cybersecurity has shifted — and boardrooms are now the weakest link. Data from Yubico and others suggest a widening awareness gap between confidence at the top and caution on the front line.


Executives are meant to set the tone for security. Yet new research suggests they may be driving risk instead. According to Yubico’s 2025 Global State of Authentication Report, 11.6 percent of C-Suite members admitted to interacting with a phishing message in the past week, compared with 8.8 percent of entry-level employees. The same study found that 44 percent of executives believe their company has “very good” cybersecurity in place — a confidence shared by only one in four frontline workers.

This disconnect marks a structural weakness that attackers have learned to exploit. Business email compromise and CEO-fraud schemes — which impersonate senior leaders to trigger payments or data transfers — remain among the most profitable forms of cybercrime worldwide. The US FBI attributes billions of dollars in annual losses to such attacks, most of which originate from simple phishing attempts.

Recent global data supports the scale of the issue. Security researchers recorded nearly one million phishing attacks in the final quarter of 2024 alone, with an average breach cost approaching $4.8 million per incident. Phishing also remains the most common initial attack vector cited in the UK Government’s Cyber Security Breaches Survey 2025, outranking malware and ransomware combined.

The underlying reason is human. Industry studies estimate that up to 74 percent of breaches now involve human error, from clicking malicious links to mismanaging credentials. Even as businesses invest heavily in threat detection, social engineering continues to bypass technical controls by targeting judgment rather than software.

AI is amplifying the problem. Machine-learning models are being used to generate personalised phishing emails at scale, complete with deep-faked voices or cloned writing styles. Attackers can now replicate a CEO’s tone with startling accuracy, turning what once required weeks of reconnaissance into minutes of automated work. As McConachie noted, “Rank does not equal immunity; in fact, it creates a critical risk where the individuals holding the most valuable data are the most susceptible.”

Small businesses are equally exposed — often more so. Yubico’s report found that 60 percent of small business owners and 57 percent of employees received no cybersecurity training in 2025, while nearly half of these companies still operate without full multi-factor authentication. Many cite cost or complexity as reasons for delay. Yet the cumulative cost of breaches far outweighs prevention. Phishing-as-a-Service kits and AI-driven automation have erased traditional size boundaries, allowing attackers to scale campaigns that hit small and large targets indiscriminately.

For organisations of any size, leadership behaviour now shapes cyber resilience as much as technology does. Closing the executive awareness gap — through realistic simulations, device-bound passkeys, and enforced MFA — will define security performance in 2026 and beyond.


