More than one in three corporate employees in Africa are vulnerable to phishing attacks and social engineering scams. However, regular training can significantly reduce their chances of falling victim to such cyber threats.
This is among the key findings of KnowBe4’s 2023 Phishing by Industry Benchmarking Report for Africa, which measures organisations’ Phish-prone Percentage (PPP) – an indication of how many of their employees are likely to fall for phishing or a social engineering scam.
The report is based on data from over 12.5 million users across 35,681 organisations in 19 different industries. The results of over 32.1 million simulated phishing security tests are also included. This year’s report details international phishing benchmarks from North America, the United Kingdom and Ireland, Europe, Africa, South America, Asia, Australia and New Zealand.
In Africa, 412 organisations from South Africa, Kenya, Nigeria and Botswana participated in the phishing simulation tests, with a total of 337,937 emails sent. The majority of these organisations (58%) were small (1-249 employees), followed by medium (26%, 250-999 employees) and large (16%, 1000+ employees) ones.
The resulting baseline PPP measured the percentage of employees, in organisations that had not conducted any KnowBe4 security training, who clicked a simulated phishing email link or opened an infected attachment during testing.
African business users had a lower baseline PPP than many other regions, meaning they were less likely to fall for phishing attacks before any training. However, their improvement after 90 days of training was also lower than in other regions. After a year of ongoing training, African users achieved a 79.8% improvement in their PPP, showing the effectiveness of consistent security awareness education.
Africa’s human firewall
“The report underscores the fact that while technology plays an important role in preventing and recovering from an attack, organisations cannot afford to ignore the human factor,” says Anna Collard, Senior Vice President of Content Strategy & Evangelist for KnowBe4 Africa. “The root cause of most data breaches can be traced to the human factor.”
The report shows that without security training, 33.2% of employees across all regions and industries are likely to fall for phishing attacks or fraudulent requests. Africa’s average was 32.8%, slightly better than the global average and much better than South America, where the average was 41.1%. Asia had the lowest phish-prone rate – 30%.
Collard notes: “Africa’s baseline phishing security test results show that one out of three employees are likely to click on a suspicious link or email or comply with a fraudulent request before receiving training. This is very concerning considering that Africa has seen the fastest growth in cyber crimes in recent years, especially among small and medium-sized organisations.”
Training slashes risk
90 days after training, Africa’s PPP average was 20.5% compared to the global average of 18.5%. After a year of consistent training, Africa’s PPP was 6.6%, compared to a global average of 5.4%, indicating that new habits become normal, fostering an improved security culture.
At baseline, Africa’s medium-sized enterprises had the lowest PPP – at 29.4%, followed by small enterprises at 30% and large enterprises with a surprisingly high 33.3%. After training, large enterprises performed best, with a PPP average of 19% 90 days after training and 5.7% after a year. Medium-sized enterprises improved to 22.7% 90 days after training, and 10.5% after a year. Small enterprises’ PPP improved to 25.2% after 90 days and 9% after a year.
The report also revealed which industries have the highest PPP, indicating greater vulnerability to cyber threats and a greater need for security awareness training. Across small and medium organisations globally, the healthcare and pharmaceuticals industries had the highest PPP of 32.3% and 35.8%, respectively. In large organisations, the insurance industry remained the most at risk for a second consecutive year with a PPP of 53.2% globally. With consistent training for a year or more, the global average PPP improvement across sectors was 82%.
“These findings highlight the importance of ongoing, consistent cybersecurity awareness training and testing to achieve significant risk reduction,” says Collard. “Simply warning users or having a once-off training session is not enough. Cybersecurity needs to be ingrained into company culture.”