Employee education against phishing scams proves effective - however, avoid complacency

Enhancing Staff Awareness on Phishing Prevention Can Decrease Occurrences by 80%

In a significant development in the cybersecurity realm, recent findings from KnowBe4's 2025 Phishing by Industry Benchmarking Report reveal a global improvement in organisations' resilience against phishing attacks.

Leading the charge is North America, demonstrating an impressive 90% improvement, closely followed by South America with an 89% improvement. These figures highlight a growing recognition of employees as a vital line of defence in cybersecurity, as stated by Javvad Malik, the lead security awareness advocate at KnowBe4.

Supply chain security has emerged as a critical focus due to its interconnected nature, and organisations are shifting away from punitive approaches to security training. Instead, they are empowering employees to make security decisions and report potential threats without fear of punishment. This approach has led to a decrease in the Phish-prone Percentage (PPP), a metric used to measure an organisation's susceptibility to phishing attacks.

The report indicates a global average baseline PPP of around a third, with the highest baseline PPPs found in South America (39%), North America (37%), and Australia and New Zealand (37%). However, after three months of training, the average PPP drops to 19%, and after a year, it drops further to 4.8%.

Interestingly, larger firms often show more substantial improvements over time due to their ability to afford comprehensive training resources. Organisations with 1,000-plus employees in Australia and New Zealand, for instance, have the highest PPP (44.6%). On the other hand, organisations with fewer than 249 employees in both Asia and the United Kingdom and Ireland have the lowest PPP, with less than a quarter of employees clicking the links.

The cybersecurity landscape in the UK and Ireland, according to Javvad Malik, is rapidly evolving. Sectors like healthcare and pharmaceuticals, consumer services, and hospitality tend to have a higher initial resilience to phishing attacks. However, it's crucial to remember that cyber scams cost businesses $1.7 million per year, as claimed in a report.

The report also sheds light on the emergence of new phishing techniques that bypass Multi-Factor Authentication (MFA), and the increasing importance of AI in both offering powerful tools and introducing new risks in the cybersecurity landscape.

In conclusion, sustained security training is essential to drive long-lasting change, as evidenced by the improvements in phishing awareness and resilience observed across the globe. Organisations are recognising their employees as a crucial line of defence against cyber threats, and this shift towards empowering employees is a promising development in the ongoing battle against cybercrime.

Cybersecurity training benefits organisational business continuity and the finance sector alike, as indicated by the decreasing Phish-prone Percentage (PPP) and the globally observed improvements in organisations' resilience against phishing attacks. As new phishing techniques emerge, technology plays a pivotal role by offering AI-driven solutions that enhance cybersecurity and mitigate the financial losses businesses might otherwise incur.
