2025 International Phishing Benchmarks

United Kingdom & Ireland

By Javvad Malik

Organizations across the United Kingdom & Ireland (UK&I) that have embraced simulated phishing and training have demonstrated an impressive improvement against phishing threats. In fact, the average Phish-prone Percentage (PPP) plummeted from an initial 32.9% to a mere 4.8% after one year of sustained best-practice training. This 85.4% reduction represents a substantial improvement by any measure.

Organizations achieved an average 85% reduction in their PPP through structured security awareness training

Delving into the data reveals a clear trend of improvement in phishing resilience across all organizational sizes and industries following cybersecurity training. Initially, PPPs vary widely, with small companies starting at 18-27%, medium companies at 22-44%, and large companies showing the most variability at 16-60%. Healthcare & Pharmaceuticals, Consumer Services and Hospitality tend to have higher initial vulnerabilities, especially in larger organizations.

After 90 days of training, all sectors show significant improvement, with PPPs typically reducing by 5-15%. The most dramatic changes occur after one full year of training, where the average PPP drops to 4.8%.

This demonstrates the long-term effectiveness of sustained phishing awareness programs. Notably, larger companies often start with higher vulnerability but show more substantial improvements over time, possibly due to more comprehensive training resources. The data underscores the critical importance of ongoing cybersecurity education in substantially reducing an organization’s susceptibility to phishing attacks regardless of size or industry.

[Chart: 2025 International Phishing Benchmarks, UK & Ireland (2025-PIB-UK-Ireland_Charts)]

Let’s delve into some of the key themes that have shaped the cybersecurity scene across the UK&I over the last year.

The AI-Powered Cyber Arms Race

AI has emerged as a game-changer in the cybersecurity arena, presenting both challenges and opportunities. At the end of 2023, the UK’s National Cyber Security Centre (NCSC) released its guidelines on the secure development of AI systems, highlighting the growing importance of AI in cybersecurity.

The UK government’s AI Cyber Security Survey, published in May 2024, further underscores the growing effect of AI on the cybersecurity landscape. The survey revealed that 45% of organizations are already using AI for cybersecurity purposes, with another 32% planning to do so in the future. Notably, 69% of organizations reported that AI has improved their ability to detect and respond to cyber threats. However, the survey also highlighted concerns, with 41% of businesses worried about potential vulnerabilities in AI systems themselves. 

This data illustrates the dual nature of AI in cybersecurity: while it offers powerful tools for defense, it also introduces new vulnerabilities that organizations must address.

The Ripple Effect of Supply Chain Vulnerabilities

The interconnected nature of modern business has thrust supply chain security into the spotlight.

One notable incident was the MOVEit file transfer software breach, which affected numerous organizations across the region. The NCSC issued an urgent warning, urging businesses to patch the vulnerability immediately. This attack didn’t just compromise individual companies; it exposed the web of dependencies underpinning our digital economy.

A study by SecurityScorecard in May 2024 analyzing UK FTSE 100 companies revealed alarming vulnerabilities in supply chain cybersecurity. The research found that 97% of these top companies had at least one supplier with a C, D or F rating in their cybersecurity posture. Even more concerning, 80% of FTSE 100 companies had at least one supplier who had already suffered a data breach. These findings highlight the significant risks that even the largest and most resourceful companies face due to weaknesses in their supply chain’s cybersecurity, underscoring the critical need for robust vendor risk management and continuous monitoring of third-party security practices.

The ripple effect of supply chain vulnerabilities has extended beyond immediate security concerns. There has been an increased tie-in with geopolitical issues, such as continued cyber threats related to the Russia and Ukraine conflict, and an increase in state-sponsored attacks targeting UK infrastructure. Combined with rising global tensions, all of this has led to an increased focus on supply chain security.

Humans Being Human

Perhaps the most intriguing development in recent months has been the transformation of the human element in cybersecurity. Historically, many organizations have exhibited dismissive attitudes, often referring to people as the weakest link. However, employees are now being recognized as a crucial line of defense against cyber threats.

We need more personalized, relevant and adaptive training approaches to stay ahead of evolving threats

This shift is exemplified by the UK Government’s Cyber Aware campaign, which has moved beyond basic password advice to focus on cultivating a “cyber aware” mindset among citizens. The campaign’s success lies in its ability to translate complex cybersecurity concepts into relatable, everyday behaviors.

In the corporate world, we’re seeing a move away from punitive approaches to security training. Organizations are fostering a culture of cybersecurity awareness, where employees are empowered to make security decisions and report potential threats without fear of reprimand. This cultural shift is reflected in the dramatic improvement in phishing test results, particularly in larger organizations that initially struggled with higher vulnerability rates.

That’s not to say that all is rosy, however. Several economic factors, such as the cost of living crisis, are leading to increased insider threats and greater susceptibility to social engineering. We’ve also seen rising cyber insurance premiums, and organizations forced to invest in cybersecurity in the face of economic pressures.

This is why it is important that security awareness activities adapt to the ever-changing threats and become integrated into the technology stack to be more personalized and relevant, providing the right awareness and training at the right time to those who need it most.

Key Takeaways

As we look to the future, it’s clear that the cybersecurity landscape in the UK&I will continue to evolve. However, as the phishing results show, change doesn’t happen overnight, and it takes a sustained effort to achieve and maintain improvement.

  • AI is reshaping the cybersecurity battlefield, demanding more personalized, relevant and adaptive training approaches to stay ahead of evolving threats
  • Supply chain vulnerabilities have exposed the ever-increasing interconnected nature of cyber risks, prompting a holistic approach to security that extends beyond organizational boundaries
  • The human element in cybersecurity is evolving from a liability to an asset, with cultural changes and empowerment strategies driving significant improvements in phishing resistance

Critical Capabilities When Evaluating Human Risk Management Platforms