Employee phishing training is working – but don’t get complacent

Educating staff on how to avoid phishing attacks can cut the rate by 80%

Emma Woollacott's avatar
By
published
in News
Phishing email attack concept image showing letter symbols being held by dark colored hands.
(Image credit: Getty Images)

Increased phishing training is paying dividends for enterprises, according to new research, particularly in larger enterprises.

Analysis from KnowBe4 shows awareness and resilience are improving based on what it describes as ‘Phish-prone Percentage’ (PPP) metrics. This tracks the percentage of employees likely to fall for social engineering or phishing attacks, the company said.

According to the firm’s 2025 Phishing by Industry Benchmarking Report, organizations have a baseline PPP of around a third worldwide on average - but can improve that dramatically with the right training.

Globally, PPP drops on average to 19% after three months' training, and to just 4.8% after 12 months. After a year's training, all regions achieved average improvement rates of more than 80%, with North America showing the biggest improvement at 90%, and South America a close second at 89%.

The highest baseline PPPs were found in South America at 39%, North America at 37%, and Australia and New Zealand at 37%. The most phish-prone of all were organizations with 1,000-plus employees in Australia and New Zealand, with 44.6% happily clicking on simulated phishing hyperlinks.

The most cautious, meanwhile, were organizations with fewer than 249 employees in both Asia and the United Kingdom and Ireland, where fewer than a quarter of employees clicked the links.

"The cybersecurity landscape in the UK and Ireland is rapidly evolving, driven by AI advancements, supply chain vulnerabilities, and a shift in how we view the human element in defense," said Javvad Malik, lead security awareness advocate at KnowBe4.

"AI offers both powerful tools and new risks, while supply chain security has become a critical focus due to its interconnected nature."

In the UK and Ireland, healthcare and pharmaceuticals, consumer services, and hospitality tend to have a higher initial baseline resilience to phishing attacks, especially in the case of larger organizations.

Similarly, bigger firms often start with a higher baseline, but show more substantial improvements over time. Researchers suggested this is perhaps because they can afford more comprehensive training resources.

Notably, KnowBe4 researchers said they have observed a shift in perception, with employers increasingly seeing their staff as a crucial line of defense against cyber threats.

There's also been a move away from punitive approaches to security training, with organizations now empowering employees to make security decisions and report potential threats without the fear of being penalized.

"The biggest shift is the growing recognition of employees as an essential line of defense, with organisations now fostering a culture of cybersecurity awareness," said Malik.

"While progress is being made, it is clear from the data in the Benchmarking Report that sustained security training is essential to drive long-lasting change."

MORE FROM ITPRO

Emma Woollacott
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

Latest
You might also like
View More ▸