Executives more likely to take phishing bait than junior staff
New data reveals that 11.6 percent of C-Suite members admit to interacting with a phishing message in the last week alone, compared to just 8.8 percent of entry-level employees.
This is one of the findings of Yubico’s 2025 Global State of Authentication Report which also finds a gap in perception at the top, while 44 percent of C-Suite members believe their company has ‘very good’ cybersecurity in place, only 25 percent of entry-level employees agree, suggesting a discrepancy in cyber awareness
In addition the report highlights that small businesses are facing a new wave of vulnerability, driven by a lack of resources and dangerous misconceptions about their appeal to attackers. 60 percent of entrepreneurs/sole traders and 57 percent of employees at small businesses (one–99 staff) received no cybersecurity training in 2025, leaving them defenseless against AI-driven social engineering.
Despite the rise in credential theft, 46 percent of entrepreneurs and 39 percent of small business employees report that their company does not use multi-factor authentication (MFA) across all applications. The primary reason for this lack of protection is complacency; 36 percent of entrepreneurs believe their business simply ‘doesn't require’ robust authentication measures like MFA.
Niall McConachie, regional director (UK & Ireland) at Yubico, says:
Small businesses are currently operating under a dangerous misconception: believing they’re too small a target for attackers. In the age of AI-driven cyber crime, automated tools target all employees and businesses the same. Every unsecured entry point is a target, and our data confirms that entrepreneurs are leaving the front door wide open by neglecting basic training and not implementing multi-factor authentication (MFA).
The disconnect between the C-Suite and the frontline is equally alarming. C-suite executives are privy to the most sensitive information in the business, yet the data shows they are interacting with phishing attempts at a higher rate than entry-level staff. This proves that rank does not equal immunity; in fact, it creates a critical risk where the individuals holding the most valuable data are the most susceptible. When those at the top believe security is ‘very good’ while simultaneously falling for attacks, it fosters a dangerous culture of complacency.
For 2026, the resolution for small businesses must be the widespread adoption of enterprise-grade security. We need to abandon the idea that robust authentication is ‘too expensive’ or ‘too complex’ for smaller teams. Conversely, it’s too expensive not to protect systems and data. Implementing phishing-resistant MFA, such as device-bound passkeys like hardware security keys, is the only scalable way to level the playing field and immunize small businesses against the industrialized threat landscape they now face.
The full report is available from the Yubico site.
Image credit: yanc/depositphotos.com
