Employee phishing training is working – but don’t get complacent
Educating staff on how to avoid phishing attacks can cut the rate by 80%


Increased phishing training is paying dividends for organizations, particularly larger enterprises, according to new research.
Analysis from KnowBe4 shows awareness and resilience are improving based on what it describes as ‘Phish-prone Percentage’ (PPP) metrics. This tracks the percentage of employees likely to fall for social engineering or phishing attacks, the company said.
According to the firm’s 2025 Phishing by Industry Benchmarking Report, organizations have a baseline PPP of around a third worldwide on average, but can improve that dramatically with the right training.
Globally, PPP drops on average to 19% after three months' training, and to just 4.8% after 12 months. After a year's training, all regions achieved average improvement rates of more than 80%, with North America showing the biggest improvement at 90%, and South America a close second at 89%.
The highest baseline PPPs were found in South America at 39%, North America at 37%, and Australia and New Zealand at 37%. The most phish-prone of all were organizations with 1,000-plus employees in Australia and New Zealand, with 44.6% happily clicking on simulated phishing hyperlinks.
The most cautious, meanwhile, were organizations with fewer than 249 employees in both Asia and the United Kingdom and Ireland, where fewer than a quarter of employees clicked the links.
"The cybersecurity landscape in the UK and Ireland is rapidly evolving, driven by AI advancements, supply chain vulnerabilities, and a shift in how we view the human element in defense," said Javvad Malik, lead security awareness advocate at KnowBe4.
"AI offers both powerful tools and new risks, while supply chain security has become a critical focus due to its interconnected nature."
In the UK and Ireland, healthcare and pharmaceuticals, consumer services, and hospitality tend to have a higher initial baseline resilience to phishing attacks, especially in the case of larger organizations.
Similarly, bigger firms often start with a higher baseline, but show more substantial improvements over time. Researchers suggested this is perhaps because they can afford more comprehensive training resources.
Notably, KnowBe4 researchers said they have observed a shift in perception, with employers increasingly seeing their staff as a crucial line of defense against cyber threats.
There's also been a move away from punitive approaches to security training, with organizations now empowering employees to make security decisions and report potential threats without the fear of being penalized.
"The biggest shift is the growing recognition of employees as an essential line of defense, with organisations now fostering a culture of cybersecurity awareness," said Malik.
"While progress is being made, it is clear from the data in the Benchmarking Report that sustained security training is essential to drive long-lasting change."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.