KnowBe4, one of the world’s largest providers of cyber-security awareness training and simulated phishing platforms, has released the new 2022 Phishing by Industry Benchmarking Report, which measures an organisation’s Phish-prone Percentage (PPP): the share of its employees who are likely to fall for a phishing or social engineering scam.
With ransomware payments averaging $580,000 in 2021 and business email compromise (BEC) losses topping $1.8 billion in 2020, a cyber attack can wreak havoc on an organisation.
Yet, according to the baseline testing conducted for the report, without security training, across all industries globally, 32.4% of employees are likely to click on a suspicious link or comply with a fraudulent request. In some large category industries, such as Consulting, Energy & Utilities, and Healthcare & Pharmaceuticals, the percentage is over 50%.
The African region showed only slightly better results, with 31.4% of untrained employees likely to click on a suspicious link or comply with a fraudulent request across all industries and organisation sizes, and 32.4% in larger organisations (more than 1000 employees).
KnowBe4 analysed a data set of over 9.5 million users across 30,173 organisations, with over 23.4 million simulated phishing security tests across 19 different industries. The resulting baseline “Phish-prone Percentage (PPP)” is the percentage of employees at organisations that had not conducted any KnowBe4 security training who clicked a simulated phishing email link or opened an infected attachment during testing.
When organisations implemented a combination of training and simulated phishing security testing after their initial baseline measurement, results changed dramatically. Within 90 days of completing monthly or more frequent security training, the average PPP decreased to 17.6%.
After twelve months of security training and simulated phishing security tests, the average PPP dropped to five percent, indicating that the new habits had become the norm and a stronger security culture had taken hold.
Africa is Still at Higher Risk
In African organisations, after 90 days of cyber security training, the average PPP drops to 18.8%, a figure that is still higher than the global rate at this stage. Smaller organisations of 1-249 employees showed the highest susceptibility at this stage, with a PPP of 24.8%.
The report notes that Africa faces a growing array of cyber threats from espionage, critical infrastructure sabotage, and organised crime. It also notes a skills shortage, with a growing 100,000-person gap in certified cybersecurity professionals.
The 2022 Phishing by Industry Benchmarking Report underscores the fact that while technology plays an important role in preventing and recovering from an attack, organisations cannot afford to ignore the human factor.
Verizon’s 2022 Data Breach Investigations Report states that 82% of breaches this year involved the human element.
“In critical industries like Energy & Utilities and Healthcare & Pharmaceuticals where lives can be severely impacted, we found particularly high levels of cybersecurity risk as a result of simulated phishing test failures,” said Stu Sjouwerman, CEO, KnowBe4.
“With the steep cost of cyberattacks, this is deeply concerning. Given that most data breaches originate from social engineering, we cannot afford to omit the human element. Implementing security awareness training with simulated phishing testing will help to better protect organisations against cyber-attacks and result in a more secure organisational culture,” Sjouwerman concludes.
Public Sector Organisations in Africa at Increased Risk of Cyber-Attack
Public sector organisations (PSOs) in Africa are continually targeted by cybercriminals. In 2021, South Africa’s port authority Transnet was subject to a massive ransomware attack that halted all sea imports and exports for more than a week. The country’s Department of Justice was also attacked that same year, causing a huge delay in court cases.
The truth is that these attacks are preventable; public organisations just need to be equipped with the right know-how to defend themselves.
If your public organisation is digitally connected, as all successful modern enterprises should be, then you cannot afford to miss the Public Sector Security Summit 2022 (#PubliSec2022), to be held on 2nd and 3rd August 2022.
Register now for #PubliSec2022 and learn from top local and international cybersecurity experts how to prepare your public organisation before the attack comes, because once your systems are compromised, it will already be too late.