Increased phishing training is paying dividends for enterprises, according to new research, particularly in larger enterprises.
Analysis from KnowBe4 shows awareness and resilience are improving based on what it describes as ‘Phish-prone Percentage’ (PPP) metrics. This tracks the percentage of employees likely to fall for social engineering or phishing attacks, the company said.
According to the firm’s 2025 Phishing by Industry Benchmarking Report, organizations have a baseline PPP of around a third worldwide on average - but can improve that dramatically with the right training.
Globally, PPP drops on average to 19% after three months' training, and to just 4.8% after 12 months. After a year's training, all regions achieved average improvement rates of more than 80%, with North America showing the biggest improvement at 90%, and South America a close second at 89%.
The highest baseline PPPs were found in South America at 39%, North America at 37%, and Australia and New Zealand at 37%. The most phish-prone of all were organizations with 1,000-plus employees in Australia and New Zealand, with 44.6% happily clicking on simulated phishing hyperlinks.
The most cautious, meanwhile, were organizations with fewer than 249 employees in both Asia and the United Kingdom and Ireland, where fewer than a quarter of employees clicked the links.
"The cybersecurity landscape in the UK and Ireland is rapidly evolving, driven by AI advancements, supply chain vulnerabilities, and a shift in how we view the human element in defense," said Javvad Malik, lead security awareness advocate at KnowBe4.
"AI offers both powerful tools and new risks, while supply chain security has become a critical focus due to its interconnected nature."
In the UK and Ireland, healthcare and pharmaceuticals, consumer services, and hospitality tend to have a higher initial baseline resilience to phishing attacks, especially in the case of larger organizations.
Similarly, bigger firms often start with a higher baseline, but show more substantial improvements over time. Researchers suggested this is perhaps because they can afford more comprehensive training resources.
Notably, KnowBe4 researchers said they have observed a shift in perception, with employers increasingly seeing their staff as a crucial line of defense against cyber threats.
There's also been a move away from punitive approaches to security training, with organizations now empowering employees to make security decisions and report potential threats without the fear of being penalized.
"The biggest shift is the growing recognition of employees as an essential line of defense, with organisations now fostering a culture of cybersecurity awareness," said Malik.
"While progress is being made, it is clear from the data in the Benchmarking Report that sustained security training is essential to drive long-lasting change."
MORE FROM ITPRO
- Fake file converter tools are on the rise – here’s what you need to know
- Hackers are using this new phishing technique to bypass MFA
- Cyber scams cost businesses $1.7 million per year, claims report
-
Logitech's MX Master 4 mouse and its 'Action Ring' is a game-changer for modern worknews The MX Master 4 is a great example of Logitech's approach to the future of work and a great solution to software tool sprawl
-
Organizations around the world are unprepared for the threat from bad bots – and UK businesses are some of the worst performersNews As AI-driven bot traffic booms, legacy defenses are failing fast
-
Microsoft and Cloudflare just took down a major phishing operationNews RaccoonO365’s phishing as a service platform has risen to prominence via Telegram
-
Hackers are abusing ConnectWise ScreenConnect, againNews A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
-
New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victims
News Research from Keepnet shows new hires are far more likely to fall for phishing attacks – here's how you can improve security awareness during onboarding processes.
-
A new, silent social engineering attack is being used by hackers – and your security systems might not notice until it’s too lateNews Security researchers have warned the 'FileFix' technique, which builds on the notorious 'ClickFix' tactic, is being used in the wild by threat actors.
-
Hackers are using Microsoft 365 features to bombard enterprises with phishing emails – and they’ve already hit more than 70 organizations
News A new phishing campaign uncovered by researchers at Varonis shows threat actors are abusing Microsoft 365's Direct Send feature to launch phishing attacks.
-
FIN6 attackers target recruiters with fraudulent resumesNews The group's phishing methods protect it from many detection tools, researchers warn
