Analyzing Training Effectiveness
The Big Picture: Global Phishing Click Rates
In Phase One, before any security awareness training (SAT) had been administered, the global average Phish-prone Percentage (PPP) was 33.1%. So, one in three employees clicked the link.
When we dig in, we find over half of industries (10 out of 19) have a PPP that’s above this average. Across organizations of all sizes, these are the most at-risk industries:
- Healthcare & Pharmaceuticals: 41.9%
- Insurance: 39.2%
- Retail & Wholesale: 36.5%
Only five industries have PPPs below 30%. Even then, well over one-quarter of employees are phish prone: Transportation (29.9%), Business Services (29.6%), Consumer Services (29.5%), Legal (28.5%) and Government (28.2%).
The Larger the Organization, the Greater the Risk
On average, organizations with 10,000+ employees had a PPP of 40.5%. Those with 1,000-9,999 had a PPP of 33.7%, compared to 28.7% for organizations with 250-999 employees and 24.6% for organizations with 1-250 people.
“Without best-practice training, on average one in three employees will click on phishing links.”
It makes sense: more people equals more mailboxes and more fingers that can click on hyperlinks. Plus, it can be harder to raise collective awareness across a greater number of people.
The risk profile shifted across different industries and organization sizes, but overall, the greatest risk lay with the larger organizations.
Phishing Risk Can Go Down - and Stay Down
There is good news. After just 90 days of best-practice training, every industry experienced a significant reduction in phishing risk. On average, the global PPP fell by 40% to 19.8%, meaning just under one in five employees clicked the link.
It keeps getting better: after 12 months, the average PPP dropped 86% to 4.1%, and this reduction lasts for the long term. With ongoing training, average PPPs fell to 3.7% after two years and 3.6% after three years. This reduction was visible across every industry (see Appendices 1 and 2).