KnowBe4 releases 2022’s Phishing reports

The new 2022 Phishing by Industry Benchmarking Report has been released by KnowBe4, the maker of the largest security awareness training and simulated phishing platform in the world, to assess an organization’s Phish-prone Percentage (PPP), which shows how many of their employees are likely to fall for phishing or a social engineering scam.

A cyber assault can devastate a company, with ransomware payments expected to average $580,000 in 2021 and business email compromise (BEC) losses expected to reach $1.8 billion in 2020.

However, without security training, across all industries globally, 32.4 percent of employees are likely to click on a suspicious link or accede to a fraudulent request, according to baseline testing done for the research.

The ratio exceeds 50% in some significant category industries, including Consulting, Energy & Utilities, and Healthcare & Pharmaceuticals.

With 31.4 percent of unskilled personnel likely to click on a suspicious link or cooperate with a fraudulent request across all industries and organization sizes, and 32.4 percent in larger organizations, the African area fared just marginally better (more than 1000 employees).

Over 9.5 million users from 30,173 organizations and over 23.4 million simulated phishing security tests from 19 different industries made up the data set that KnowBe4 analyzed.

The derived baseline “Phish-proneTM Percentage (PPP)” calculates the proportion of workers in organizations without KnowBe4 security training who during testing clicked a fake phishing email link or opened a malicious attachment.

Following their initial baseline assessment, organizations adopted a combination of training and simulated phishing security testing, and results drastically changed.

The average PPP dropped to 17.6 percent in 90 days after attending monthly or more frequent security training.

The average PPP decreased to 5% after a year of security education and simulated phishing security tests, showing that new behaviours have become routine and have strengthened the security culture.

After 90 days of cyber security training, the average PPP in African organizations falls to 18.8%.

With smaller organizations of 1-249 people having the highest susceptibility for this stage, at a 24.8 percent PPP, the result is still greater than the global rate for this stage.

The research states that espionage, critical infrastructure sabotage, and organized crime pose an increasing number of cyberthreats to Africa.

It also highlights a skills gap, with a growing shortfall of qualified cybersecurity specialists of 100,000 people.

According to the 2022 Phishing by Industry Benchmarking Report, organizations cannot afford to overlook the human element even while technology is crucial for avoiding and recovering from an assault.

According to Verizon’s 2022 Data Breach Investigations report, human error was a factor in 82 percent of breaches this year.

“In critical industries like Energy & Utilities and Healthcare & Pharmaceuticals where lives can be severely impacted, we found particularly high levels of cybersecurity risk as a result of simulated phishing test failures,” said Stu Sjouwerman, CEO, KnowBe4.

“With the steep cost of cyberattacks, this is deeply concerning.

Given that most data breaches originate from social engineering, we cannot afford to omit the human element.

Implementing security awareness training with simulated phishing testing will help to better protect organisations against cyber-attacks and result in a more secure organisational culture.”