KnowBe4 benchmark indicates one in three untrained employees may fall for phishing scams
Security awareness training company KnowBe4 has released its ‘2022 Phishing by Industry Benchmarking’ report, which determined how many employees are likely to fall for phishing or social engineering scams and showed that, without security training, across all industries globally, 32.4% of employees are likely to click on a suspicious link or comply with a fraudulent request.
In some large category industries, such as consulting, energy and utilities, and healthcare and pharmaceuticals, the percentage is over 50%.
Ransomware payments averaged $580 000 in 2021 and business email compromise losses topped $1.8-billion in 2020, the company said.
The energy and utilities, insurance and consulting industries are most at risk for social engineering, followed by small and medium-sized healthcare and pharmaceuticals organisations.
The African region showed only slightly better results, with 31.4% of untrained employees likely to click on a suspicious link or comply with a fraudulent request across all industries and organisation sizes, and 32.4% in larger organisations with more than 1 000 employees.
When organisations implemented a combination of training and simulated phishing security testing after their initial baseline measurement, results changed dramatically, the company said.
“In 90 days after completing monthly or more frequent security training, the average phishing propensity decreased to 17.6%. After 12 months of security training and simulated phishing security tests, the average dropped to 5%, indicating that new habits become normal, fostering a stronger security culture.”
The report highlights that Africa faces a growing array of cyberthreats from espionage, critical infrastructure sabotage and organised crime. It also notes a skills shortage, with a growing shortfall of 100 000 certified cybersecurity professionals.
In African organisations, after 90 days of cybersecurity training, the average phishing propensity drops to 18.8%, which remains higher than the global rate, with smaller organisations of 1 to 249 employees showing the highest susceptibility, at 24.8%.
The ‘2022 Phishing by Industry Benchmarking’ report underscores the fact that, while technology plays an important role in preventing and recovering from an attack, organisations cannot afford to ignore the human factor. Network operator Verizon’s 2022 Data Breach Investigations report states that 82% of breaches involved a human element.
“In critical industries, such as energy and utilities, and healthcare and pharmaceuticals, where lives can be severely impacted, we found particularly high levels of cybersecurity risk as a result of simulated phishing test failures,” said KnowBe4 CEO Stu Sjouwerman.
“With the steep cost of cyberattacks, this is deeply concerning. Given that most data breaches originate from social engineering, we cannot afford to omit the human element.
“Implementing security awareness training with simulated phishing testing will help to better protect organisations against cyberattacks and result in a more secure organisational culture,” he said.