Report highlights patterns that can inspire a stronger, safer and more resilient security culture
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today released the new 2023 Phishing by Industry Benchmarking Report to measure an organization’s Phish-prone™ Percentage (PPP), which indicates how many of its employees are likely to fall for phishing or a social engineering scam.
This year’s report reveals that according to the baseline testing conducted, without security training, across all industries, 33.1% of employees are likely to click on a suspicious link or comply with a fraudulent request. The increase year over year was just under one full percentage point and continues to demonstrate the risk associated with a lacking security culture.
KnowBe4 analyzed a data set of over 12.5 million users, across 35,681 organizations, with over 32.1 million simulated phishing security tests, across 19 different industries. The resulting baseline PPP measures the percentage of employees in organizations that had not conducted any KnowBe4 security training, who clicked a simulated phishing email link or opened an infected attachment during testing.
When companies implemented a combination of training and simulated phishing security testing after their initial baseline measurement, results changed dramatically. 90 days after completing monthly or more frequent security training, the average PPP decreased to 18.5%. After twelve months of security training and simulated phishing security tests, the average PPP dropped to 5.4%, indicating that new habits become normal, fostering a stronger human firewall and improved security culture.
The report also reveals which industries are most vulnerable to cyber threats and have the highest PPP, which indicates where there is a stronger need for security awareness training. Across small and medium organizations, the healthcare and pharmaceuticals industry has the highest PPP of 32.3% and 35.8%, respectively. Across large organizations, the insurance industry remains the most at risk for a second consecutive year with a PPP of 53.2%, relatively unchanged from 2022.
The report underscores the fact that while technology plays an important role in preventing and recovering from an attack, organizations cannot afford to ignore the human factor. Verizon’s 2023 Data Breach Investigations Report states that 74% of breaches this year involved the human element. This is a slight improvement from last year’s 82%; however, organizations must continue to focus their efforts on the human element of cyber attacks by implementing proven training methods that directly impact their workforce.
Additionally, this year’s report details international phishing benchmarks from North America, the United Kingdom and Ireland, Europe, Africa, South America, Asia, Australia and New Zealand.
“Although we see certain industries like hospitality and education improve their PPP, others such as healthcare and pharmaceuticals continue to maintain or increase their PPP reflecting the significant roles humans play within organizations to best combat cyber threats,” said Stu Sjouwerman, CEO, KnowBe4. “The findings from KnowBe4’s Phishing by Industry Benchmark report are a testament to the effectiveness of new-school security awareness training and simulated phishing. An educated workforce forms a strong human firewall, which is key to practicing safe cyber habits and building a strong security culture.”
To download a copy of the 2023 KnowBe4 Phishing by Industry Benchmarking Report, visit https://www.knowbe4.com/phishing-benchmarking-analysis-center.
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 60,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.